Add TPM 1.2 support #462

Open: wants to merge 18 commits into master from feature/tpm1

Conversation

oldium (Contributor) commented May 5, 2024

This patch series adds TPM 1.2 support and fixes a few other things (I can split this into multiple Pull Requests if you wish):

  • Added missing shutdown SystemD dependencies when using DefaultDependencies=no.
  • When Dracut without SystemD is used, benefit from the cryptsetup unlocking workflow to let it handle the crypttab and other options. This uses a pipe to unlock with the password, similarly to how the initramfs-tools image does it. See the commit message for more details.
  • Added full support for TPM 1.2.

Status:

  • [✅ Done] Clevis encrypt, decrypt, bind support
  • [✅ Done] initramfs-tools support
  • [✅ Done] Systemd support
  • [✅ Done] Manual page for clevis-encrypt-tpm1
  • [✅ Done] Tests for tpm1 pin
  • [✅ Done] Dracut support

Example usage:

  • Boot and unlock with TPM1.2:
    clevis luks bind -d /dev/<device> tpm1 '{"pcr_ids":"0,4,7"}'
  • Encrypt and decrypt:
    echo test | clevis encrypt tpm1 '{"pcr_ids":"0,4,7"}' | clevis decrypt

Tested:

  • Tested with initramfs-tools, used both TPM 1.2 and null pins with "fail":true to test success and failed unlocking
  • Tested with Dracut with SystemD. Tested both success and failed cases
  • Tested with Dracut without SystemD (module was disabled). Tested both success and failed cases
  • Tested with Dracut without SystemD (module was disabled), with programmatically changed detection that null pin is a network pin. Tested that with rd.neednet the unlocking happens after network gets online.

Fixes: #84, #456

@oldium oldium force-pushed the feature/tpm1 branch 2 times, most recently from 556332d to 04d5e9f Compare May 5, 2024 22:09
@oldium oldium force-pushed the feature/tpm1 branch 4 times, most recently from 2c32eb7 to a7de265 Compare May 8, 2024 14:26
src/luks/clevis-luks-tpm1-functions Fixed
@oldium oldium force-pushed the feature/tpm1 branch 2 times, most recently from b4cc648 to e83e669 Compare June 23, 2024 12:20
src/luks/clevis-luks-common-functions.in Fixed
@oldium oldium force-pushed the feature/tpm1 branch 3 times, most recently from dc1c5c3 to 40bfdf4 Compare June 23, 2024 13:46
@oldium oldium marked this pull request as ready for review June 23, 2024 14:08
@oldium oldium changed the title [WIP] Add TPM 1.2 support Add TPM 1.2 support Jun 23, 2024
oldium (Contributor, Author) commented Jun 30, 2024

Work is done, pre-built packages for Debian 12 and amd64 arch are available here https://github.com/oldium/clevis/releases/tag/v20_tpm1

oldium (Contributor, Author) commented Jul 3, 2024

The CentOS test build image needs some love; the mirrorlist.centos.org site does not exist any more, it seems.

oldium (Contributor, Author) commented Jul 3, 2024

Rebased to latest master to fix the build.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
The DefaultDependencies=yes option adds conflicting dependency on the
shutdown.target automatically to ensure the service is terminated during
the shutdown, so add it when we use DefaultDependencies=no.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Current Dracut integration for bootup without Systemd ignores all
cryptsetup options, which are usually handled by Dracut itself (like
reading /etc/crypttab). We need to hook into the Dracut cryptsetup process
in order to allow Dracut to handle the options while we handle the password
only.

Dracut uses generated udev rules to create cryptsetup unlocking scripts
in initqueue/settled dynamically when the corresponding device appears. The
unlocking tries to unlock by the key file first and then by password read
from user.

We can hook into the key file reading stage by providing our own pipe and
send the password via the pipe, similarly to how the initramfs-tools
clevisloop does it. There is one difference, though: we have only one
try to unlock, but that should be enough.

For the network pins (tang and sss/tang at the moment) we can move the
generated Dracut cryptsetup unlocking scripts to initqueue/online to
ensure the unlocking happens at the right time.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
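The pipe-based hand-off described in this commit message, as an added example that is not the PR's own Dracut hook: a consumer that expects a key-file path is given a FIFO instead, the passphrase is written into it exactly once, and the writer is cleaned up whether or not the consumer ever opened the pipe. The consumer below is a constructed stand-in for cryptsetup, and the accepted passphrase is a constructed value.

```shell
#!/bin/sh
# Added example, not code from the PR: hand a passphrase to a consumer that
# expects a key *file* by giving it a FIFO instead, so the secret never lands
# on disk and the writer gets exactly one shot at unlocking.

# Stand-in for the real unlock command (e.g. `cryptsetup open --key-file PATH`):
# reads the key from the path it is given and reports success or failure.
# The accepted passphrase is a constructed value for this example.
fake_cryptsetup_open() {
    key=$(cat "$1")
    if [ "$key" = "correct-horse-battery" ]; then
        echo unlocked
        return 0
    fi
    echo failed
    return 1
}

# unlock_via_pipe PASSPHRASE CONSUMER
# Creates a private (mode 0600) FIFO, starts a background writer that blocks
# until the consumer opens the pipe, then runs CONSUMER with the FIFO path as
# its key file. Prints the consumer's output and returns its exit status.
unlock_via_pipe() {
    pass=$1
    consumer=$2
    tmpdir=$(mktemp -d) || return 1
    fifo="$tmpdir/keyfile"
    mkfifo -m 0600 "$fifo" || { rm -rf "$tmpdir"; return 1; }

    # Single attempt: the writer delivers the passphrase once and exits.
    ( printf '%s' "$pass" > "$fifo" ) &
    writer=$!

    rc=0
    out=$("$consumer" "$fifo") || rc=$?

    # If the consumer bailed out before opening the pipe, the writer is still
    # blocked in open(); kill it so this hook never hangs the boot.
    kill "$writer" 2>/dev/null || true
    wait "$writer" 2>/dev/null || true
    rm -rf "$tmpdir"

    printf '%s\n' "$out"
    return $rc
}
```

Usage: `unlock_via_pipe "$(some-decrypt-command)" fake_cryptsetup_open`; swap the stand-in for the real unlock command in a hook. The FIFO lives in a fresh private directory so no other user can open it, and because a pipe is consumed on read, a second attempt needs a second writer, which is the one-try behaviour the commit message describes.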
This is useful during testing.

Signed-off-by: Oldřich Jedlička <oldium.pro.gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
oldium (Contributor, Author) commented Dec 9, 2024

I did some final clean-up (reworked the used-pins patch to allow running clevis luks list -d <device> -p and made it a first-class citizen by reading the actual config like clevis_luks_read_pins_from_slot does, but simpler) and tested it on the usual VMs. I also did some more detailed separate-/var testing on Debian Trixie (initramfs-tools) and Fedora Rawhide (dracut) with LUKS on LVM and LVM on LUKS.

TBD: The last step, which is a result of my detailed testing, is to write documentation on unlocking separate-/var with Clevis and the TPM1 pin. I will release update-6 afterwards.

Funny note: I have found that some tests fail to check the expected value; fixed here: 69638bd

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
This is a weak requirement, so when TCSD is missing, it does not influence
the Clevis askpass service startup. Similarly if the TCSD startup fails,
it does not affect the Clevis askpass service startup.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
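As an added illustration of the two systemd points in this series (the shutdown dependencies that go missing under DefaultDependencies=no, and the weak dependency on TCSD described in the commit message above), here is an example unit. It is not the PR's own unit file; the unit names clevis-luks-askpass.service and tcsd.service and the ExecStart path are assumed placeholders.

```ini
# Added example, not the PR's unit file. Unit names and paths are assumed.
[Unit]
Description=Clevis LUKS askpass (example)
# Opting out of default dependencies is needed for early-boot services, but it
# also drops the implicit shutdown ordering ...
DefaultDependencies=no
# ... so spell it out, otherwise the service keeps running into shutdown.
# (DefaultDependencies=yes would add these two lines automatically.)
Conflicts=shutdown.target
Before=shutdown.target
# Weak dependency on the TPM 1.2 daemon: Wants= pulls tcsd in when the unit
# exists, but a missing tcsd, or a failed tcsd start, does not fail this
# service. Requires= would make a tcsd failure fail this unit as well.
Wants=tcsd.service
After=tcsd.service

[Service]
Type=simple
# placeholder path, not the project's own
ExecStart=/path/to/clevis-luks-askpass
```

To check that the dependencies took effect on a real unit, `systemctl show -p Conflicts -p Before -p Wants -p After clevis-luks-askpass.service` prints the resolved values; a unit with DefaultDependencies=no and no explicit Conflicts=shutdown.target shows an empty Conflicts= line, which is the symptom the first commit fixes.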
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
TPM 1.2 SW tests on CentOS 9+ are not supported by RedHat (see [1]), but
packages are installed and tests detect this.

CentOS 10 EPEL does not contain tpm-tools, so is currently unsupported.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1990153

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
oldium (Contributor, Author) commented Dec 11, 2024

I have released the update 6. Enjoy 😁

New and Noteworthy:

  • Fixed early startup to allow unlocking also swap devices.
  • Allows unlocking with separate /var volume, see README.md or man clevis-encrypt-tpm1.
  • Fixed running under Debian Trixie.
  • The RPM for Fedora-based distributions has been synced with the latest Rawhide RPM, so there are new packages clevis-pin-tpm1 and clevis-pin-pkcs11. Check the installation instructions.
  • The RPM now contains a unique Vendor name (oldium), so the sticky-vendor flag can be used to prevent unwanted Clevis updates.

oldium (Contributor, Author) commented Dec 11, 2024

The failed test usually takes a few seconds, so the timeout might be caused by some other CI pipeline running on the same host...

RadxaYuntian commented

> The failed test usually takes a few seconds, so the timeout might be caused by some other CI pipeline running on the same host...

You can trigger a CI rerun in the Checks tab of this PR.

oldium (Contributor, Author) commented Dec 11, 2024

> > The failed test usually takes a few seconds, so the timeout might be caused by some other CI pipeline running on the same host...
>
> You can trigger a CI rerun in the Checks tab of this PR.

There is no such option visible for me.

sergio-correia (Collaborator) commented

> > > The failed test usually takes a few seconds, so the timeout might be caused by some other CI pipeline running on the same host...
> >
> > You can trigger a CI rerun in the Checks tab of this PR.
>
> There is no such option visible for me.

I triggered a re-run of the failed test.

oldium added 2 commits January 1, 2025 00:32
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
The command fails in Docker or otherwise limited environments, so skip the
test when it is not usable.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
oldium (Contributor, Author) commented Jan 1, 2025

Just a small change for the case that initramfs-tools ever gets fixed with UMASK=0077: use the umask command output instead of the UMASK variable.

Successfully merging this pull request may close these issues: Support for TPM 1.x

7 participants