[systemd-devel] Fedora 38 and signed PCR binding
Aleksandar Kostadinov
akostadi at redhat.com
Sat Feb 10 20:35:42 UTC 2024
And one strange thing: --tpm2-public-key-pcrs=11 doesn't seem to change
how the TPM is enrolled:
$ sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs="" /dev/sda3
🔐 Please enter current passphrase for disk /dev/sda3: ***
This PCR set is already enrolled, executing no operation.
$ sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-pcrs="" --tpm2-device=auto --tpm2-public-key-pcrs=11 /dev/sda3
🔐 Please enter current passphrase for disk /dev/sda3: ***
This PCR set is already enrolled, executing no operation.
On Sat, Feb 10, 2024 at 10:23 PM Aleksandar Kostadinov
<akostadi at redhat.com> wrote:
>
> Thanks a lot for the answers. Because without them I have no clue how
> to progress. I'd highly appreciate your further guidance!
>
> On Fri, Nov 17, 2023 at 7:13 PM Dan Streetman <ddstreet at ieee.org> wrote:
> > <...>
> > If you don't specify --tpm2-pcrs= at all, it will bind to PCR 7, even
> > if you bind to a signature as well (at least this is the current
> > behavior).
> >
> > If you want to bind only to a signature, you should use --tpm2-pcrs=""
> > (i.e. empty string) to prevent binding to PCR 7.
>
> Got it. I see now with the luksDump what you mean.
>
> How about crypttab? I tried this to no avail:
>
> luks-<ID> UUID=<UUID> none
> discard,tpm2-device=auto,tpm2-measure-pcr=yes,tpm2-pcrs=
>
> > <...>
> > let's try manually unlocking it just to make sure the enrollment was
> > ok, so after enrolling it try:
> >
> > systemd-cryptsetup [attach] test /dev/sda3 - tpm2-device=auto,headless=true
>
> Couldn't find signature for this PCR bank, PCR index and public key.
> Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/sda3.
> Couldn't find signature for this PCR bank, PCR index and public key.
> No TPM2 metadata matching the current system state found in LUKS2
> header, falling back to traditional unlocking.
> Password querying disabled via 'headless' option.
>
> I used `cryptsetup luksDump` to see the metadata and `cryptsetup
> token` to eliminate stray token values. So now I only have two
> keyslots - one for simple password and one for the TPM. And a single
> token. I'll just paste it here, probably I later would need to
> regenerate the volume to avoid exposure.
>
> Keyslots:
> 0: luks2
> Key: 512 bits
> Priority: normal
> Cipher: aes-xts-plain64
> Cipher key: 512 bits
> PBKDF: argon2id
> Time cost: 4
> Memory: 375564
> Threads: 2
> Salt: fe 66 09 e8 71 ce 58 42 1d 5b 35 18 1f 3d fa bc
> 01 7e 04 22 36 91 f3 68 fe 79 d2 02 f5 f6 08 a4
> AF stripes: 4000
> AF hash: sha256
> Area offset:32768 [bytes]
> Area length:258048 [bytes]
> Digest ID: 0
> 2: luks2
> Key: 512 bits
> Priority: normal
> Cipher: aes-xts-plain64
> Cipher key: 512 bits
> PBKDF: pbkdf2
> Hash: sha512
> Iterations: 1000
> Salt: 80 b9 1b e9 1d 11 e4 5b c3 93 ca 29 c1 d4 6d 8b
> 62 e1 40 78 d3 ca c2 be 6b c8 d9 1d cd 2d 9c bf
> AF stripes: 4000
> AF hash: sha512
> Area offset:548864 [bytes]
> Area length:258048 [bytes]
> Digest ID: 0
> Tokens:
> 2: systemd-tpm2
> tpm2-hash-pcrs:
> tpm2-pcr-bank: sha256
> tpm2-pubkey:
> tpm2-pubkey-pcrs: 11
> tpm2-primary-alg: ecc
> tpm2-blob:
> tpm2-policy-hash:
> 3f 8d 42 3c f9 cc ad 73 49 2f cb 95 3a bb 98 23
> 9f 99 9a b2 9e 7a d8 30 22 43 04 82 44 87 46 0e
> tpm2-pin: false
> tpm2-salt: false
> tpm2-srk: true
> Keyslot: 2
>
> It seems correct to me and I see no warnings anymore when running
> cryptsetup. But how can I double check the configuration on the TPM
> side matches this?
>
> btw in my ukify command that you can see in earlier messages, I use
> --phases='enter-initrd' which could explain why it won't work in the
> test mode. But I also tried adding more phases to no avail.
>
> * --phases='enter-initrd:leave-initrd
> enter-initrd:leave-initrd:sysinit
> enter-initrd:leave-initrd:sysinit:ready'
>
> > <...>
> > > Strange is that in `journalctl -b` I still see "Couldn't find
> > > signature for this PCR bank, PCR index and public key." So I wonder
> > > what could be broken and how to fix it. How to inspect the initrd
> > > inside the UKI?
> >
> > well you built the initrd before running ukify, so just take a look at
> > it before you build the uki
>
> Good point. I was thinking more about inspecting the measurements
> signature file(s) in the uki if this makes sense. I still don't
> understand how this signing is supposed to work.