Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add TPM 1.2 support #462

Open
wants to merge 18 commits into
base: master
Choose a base branch
from
Open

Add TPM 1.2 support #462

wants to merge 18 commits into from

Conversation

oldium
Copy link
Contributor

@oldium oldium commented May 5, 2024
edited
Loading

This patch series adds TPM 1.2 support and fixes few other things (I can split this into multiple Pull Requests if you wish):

  • Added missing shutdown SystemD dependencies when using DefaultDependencies=no.
  • When Dracut without SystemD is used, benefit cryptsetup unlocking workflow to let it handle the crypttab and other options. This uses pipe to unlock with password similarly like the initramfs-tools image does. See commit message for more details.
  • Added full support for TPM 1.2.

Status:

  • [✅ Done] Clevis encrypt, decrypt, bind support
  • [✅ Done] initramfs-tools support
  • [✅ Done] Systemd support
  • [✅ Done] Manual page for clevis-encrypt-tpm1
  • [✅ Done] Tests for tpm1 pin
  • [✅ Done] Dracut support

Example usage:

  • Boot and unlock with TPM1.2:
    clevis luks bind -d /dev/<device> tpm1 '{"pcr_ids":"0,4,7"}'
  • Encrypt and decrypt:
    echo test | clevis encrypt tpm1 '{"pcr_ids":"0,4,7"}' | clevis decrypt

Tested:

  • Tested with initramfs-tools, used both TPM 1.2 and null pins with "fail":true to test success and failed unlocking
  • Tested with Dracut with SystemD. Tested both success and failed cases
  • Tested with Dracut without SystemD (module was disabled). Tested both success and failed cases
  • Tested with Dracut without SystemD (module was disabled), with programmatically changed detection that null pin is a network pin. Tested that with rd.neednet the unlocking happens after network gets online.

Fixes: #84, #456

@oldium oldium force-pushed the feature/tpm1 branch 2 times, most recently from 556332d to 04d5e9f Compare May 5, 2024 22:09
@oldium oldium force-pushed the feature/tpm1 branch 4 times, most recently from 2c32eb7 to a7de265 Compare May 8, 2024 14:26
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 18, 2024
View reviewed changes
src/luks/clevis-luks-tpm1-functions Fixed Show fixed Hide fixed
src/luks/clevis-luks-tpm1-functions Fixed Show fixed Hide fixed
src/luks/clevis-luks-tpm1-functions Fixed Show fixed Hide fixed
src/luks/clevis-luks-tpm1-functions Fixed Show fixed Hide fixed
src/luks/clevis-luks-tpm1-functions Fixed Show fixed Hide fixed
src/luks/dracut/clevis-pin-tpm1/module-setup.sh.in Fixed Show fixed Hide fixed
src/luks/dracut/clevis-pin-tpm1/module-setup.sh.in Fixed Show fixed Hide fixed
src/luks/dracut/clevis/clevis-luks-unlocker.in Fixed Show fixed Hide fixed
src/luks/dracut/clevis/clevis-luks-unlocker.in Fixed Show fixed Hide fixed
src/luks/dracut/clevis/clevis-luks-unlocker.in Fixed Show fixed Hide fixed
@oldium oldium force-pushed the feature/tpm1 branch 2 times, most recently from b4cc648 to e83e669 Compare June 23, 2024 12:20
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 23, 2024
View reviewed changes
src/initramfs-tools/scripts/local-top/clevis.in Fixed Show fixed Hide fixed
src/initramfs-tools/scripts/local-top/clevis.in Fixed Show fixed Hide fixed
src/initramfs-tools/scripts/local-top/clevis.in Fixed Show fixed Hide fixed
src/luks/clevis-luks-common-functions.in Fixed Show fixed Hide fixed
src/luks/clevis-luks-common-functions.in Fixed Show fixed Hide fixed
src/luks/dracut/clevis/clevis-password-unlocker.in Fixed Show fixed Hide fixed
src/luks/dracut/clevis/clevis-password-unlocker.in Fixed Show fixed Hide fixed
src/luks/dracut/clevis/clevis-password-unlocker.in Fixed Show fixed Hide fixed
src/luks/dracut/clevis/clevis-password-unlocker.in Fixed Show fixed Hide fixed
src/luks/dracut/clevis/clevis-password-unlocker.in Fixed Show fixed Hide fixed
@oldium oldium force-pushed the feature/tpm1 branch 3 times, most recently from dc1c5c3 to 40bfdf4 Compare June 23, 2024 13:46
@oldium oldium marked this pull request as ready for review June 23, 2024 14:08
@oldium oldium changed the title [WIP] Add TPM 1.2 support Add TPM 1.2 support Jun 23, 2024
@oldium oldium mentioned this pull request Jun 23, 2024
Open
@oldium
Copy link
Contributor Author

oldium commented Jun 30, 2024

Work is done, pre-built packages for Debian 12 and amd64 arch are available here https://github.com/oldium/clevis/releases/tag/v20_tpm1

@oldium oldium mentioned this pull request Jun 30, 2024
Open
@oldium oldium force-pushed the feature/tpm1 branch 2 times, most recently from 000c78a to b79a306 Compare July 2, 2024 20:39
@oldium oldium mentioned this pull request Jul 2, 2024
Closed
@oldium
Copy link
Contributor Author

oldium commented Jul 3, 2024
edited
Loading

The CentOS test build image needs some love, the mirrorlist.centos.org site does not exist any more it seems.
image

@oldium
Copy link
Contributor Author

oldium commented Jul 3, 2024

Rebased to latest master to fix the build.

@oldium oldium force-pushed the feature/tpm1 branch 2 times, most recently from 3df6d8c to bd503a2 Compare December 9, 2024 13:15
oldium added 2 commits December 9, 2024 14:16
@oldium
luks: fix tests not testing the values
69638bd 
Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
systemd: ensure the shutdown dependency is present
4b9fdee 
The DefaultDependencies=yes option adds conflicting dependency on the
shutdown.target automatically to ensure the service is terminated during
the shutdown, so add it when we use DefaultDependencies=no.

Signed-off-by: Oldřich Jedlička <[email protected]>
oldium added 6 commits December 9, 2024 14:27
@oldium
luks: allow reading used set of pins by clevis scripts
d11dbd9 
Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
dracut: supply cryptsetup password through pipe (non-systemd boot)
6ba50ee 
Current Dracut integration for bootup without Systemd ignores all
cryptsetup options, which are usually handled by Dracut itself (like
reading /etc/crypttab). We need to hook into the Dracut cryptsetup process
in order to allow Dracut handling the options and us handling the password
only.

Dracut uses generated udev rules to create cryptsetup unlocking scripts
in initqueue/settled dynamically when the corresponding device appears. The
unlocking tries to unlock by the key file first and then by password read
from user.

We can hook into the key file reading stage by providing our own pipe and
send the password via the pipe similarly to how the initramfs-tools
clevisloop is doing it. There is one difference, though, we have only one
try to unlock, but that should be enough.

For the network pins (tang and sss/tang at the moment) we can move the
generated Dracut cryptsetup unlocking scripts to initqueue/online to
ensure the unlocking happens at the right time.

Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
luks: support printing the null pin configuration
1dfdc40 
This is useful during testing.

Signed-off-by: Oldřich Jedlička <oldium.pro.gmail.com>
@oldium
tests: introduce common test functions shared between tests
69fe922 
Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
tpm1: added encrypt and decrypt support for TPM 1.2 as tpm1 pin
d5db30d 
Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
tpm1: added TPM 1.2 (tpm1 pin) tests
96bc5e0 
Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
Copy link
Contributor Author

oldium commented Dec 9, 2024
edited
Loading

I did some final clean-up (reworked used-pins patch to allow running clevis luks list -d <device> -p and made it a first-class citizen by reading the actual config like clevis_luks_read_pins_from_slot does, but simpler) and tested it on usual VMs. I also did some more detailed separate-/var testing on Debian Trixie (initramfs-tools) and Fedora Rawhide (dracut) with LUKS on LVM and LVM on LUKS.

TBD: The last step, which is a result of my detailed testing, is to write a documentation on unlocking separate-/var with Clevis and TPM1 pin. I will release update-6 afterwards.

Funny note - I have found that some tests fail to check the expected value - fixed here 69638bd

@oldium
tpm1: added TPM 1.2 (tpm1 pin) documentation
90ce76d 
Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
systemd: ensure TCSD is started before Clevis
2a261c3 
This is a weak requirement, so when TCSD is missing, it does not influence
the Clevis askpass service startup. Similarly if the TCSD startup fails,
it does not affect the Clevis askpass service startup.

Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
initramfs: added TPM 1.2 support for initramfs-tools
52dea61 
Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
dracut: added TPM 1.2 support for Dracut
a825c4d 
Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
tpm1: allow testing tpm1 pin in CI build
6fe525e 
Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
tpm1: allow testing tpm1 pin in CI build (CentOS)
7b1689f 
TPM 1.2 SW tests on CentOS 9+ are not supported by RedHat (see [1]), but
packages are installed and tests detect this.

CentOS 10 EPEL does not contain tpm-tools, so is currently unsupported.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1990153

Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
tpm2: added TPM 2 software TPM tests
b6c7ccb 
Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
initramfs: fix running on root-only readable initrd filesystem
2b60179 
Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
luks: check if keyutils are usable before running tests
5572ab5 
The command fails in Docker or otherwise limited environments, so skip the
test when it is not usable.

Signed-off-by: Oldřich Jedlička <[email protected]>
@oldium
Copy link
Contributor Author

oldium commented Dec 11, 2024
edited
Loading

I have released the update 6. Enjoy 😁

New and Noteworthy:

  • Fixed early startup to allow unlocking also swap devices.
  • Allows unlocking with separate /var volume, see README.md or man clevis-encrypt-tpm1.
  • Fixed running under Debian Trixie.
  • Fedora-based distributions RPM has been synced with latest Rawhide RPM, so there are new packages clevis-pin-tpm1 and clevis-pin-pkcs11. Check installation instructions.
  • The RPM now contains a unique Vendor name (oldium), so the sticky-vendor flag can be used to prevent unwanted Clevis updates.

@oldium
Copy link
Contributor Author

oldium commented Dec 11, 2024

The failed test usually takes few seconds, so the timeout might be caused by some other CI pipeline running on the same host...

@RadxaYuntian
Copy link

The failed test usually takes few seconds, so the timeout might be caused by some other CI pipeline running on the same host...

You can trigger a CI rerun in Checks tab of this PR.

@oldium
Copy link
Contributor Author

oldium commented Dec 11, 2024

The failed test usually takes few seconds, so the timeout might be caused by some other CI pipeline running on the same host...

You can trigger a CI rerun in Checks tab of this PR.

There is no such option visible for me.

@sergio-correia
Copy link
Collaborator

The failed test usually takes few seconds, so the timeout might be caused by some other CI pipeline running on the same host...

You can trigger a CI rerun in Checks tab of this PR.

There is no such option visible for me.

I triggered a re-run of the failed test.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mauro2306 mauro2306 mauro2306 left review comments

@akostadinov akostadinov akostadinov left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support for TPM 1.x
7 participants
@oldium @natterangell @sarroutbi @mauro2306 @RadxaYuntian @akostadinov @sergio-correia