TEST-70-TPM2 fails in environment with signed PCRs (mkosi) #32565

Closed
DaanDeMeyer opened this issue Apr 29, 2024 · 0 comments · Fixed by #32635
Labels
bug 🐛 Programming errors, that need preferential fixing cryptsetup tests tpm2
Milestone

Comments

@DaanDeMeyer (Contributor)

systemd version the issue has been seen with

main

Used distribution

Fedora 39

Linux kernel version used

No response

CPU architectures issue was seen on

None

Component

No response

Expected behaviour you didn't see

TEST-70-TPM2 succeeds when executed with mkosi.

Unexpected behaviour you saw

TEST-70-TPM2 fails when executed with mkosi.

Steps to reproduce the problem

git remote add daandemeyer https://github.com/DaanDeMeyer/systemd.git
git fetch daandemeyer
git checkout mkosi
# Uncomment TEST-70-TPM2 in test/meson.build
meson compile -C build mkosi && SYSTEMD_INTEGRATION_TESTS=1 meson test -C build --no-rebuild -v TEST-70-TPM

Additional program output to the terminal or log subsystem illustrating the issue

Apr 29 18:36:11 H testsuite-70.sh[2901]: + systemd-cryptenroll --unlock-key-file=/tmp/pcrlockpwd --tpm2-device=auto --tpm2-pcrlock=/var/lib/systemd/pcrlock.json --tpm2-public-key= --tpm2-public-key-pcrs= --wipe-slot=tpm2 /tmp/pcrlock.img
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Loaded 'libcryptsetup.so.12' via dlopen()
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Allocating context for crypt device /tmp/pcrlock.img.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Trying to open and read device /tmp/pcrlock.img with direct-io.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Initialising device-mapper backend library.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Trying to load LUKS2 crypt type from device /tmp/pcrlock.img.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Crypto backend (OpenSSL 3.2.2-dev  [default][legacy]) initialized in cryptsetup library version 2.6.1.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Detected kernel Linux 6.6.15-cloud-amd64 x86_64.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Loading LUKS2 header (repair disabled).
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Acquiring read lock for device /tmp/pcrlock.img.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Verifying lock handle for /tmp/pcrlock.img.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Device /tmp/pcrlock.img READ lock taken.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Trying to read primary LUKS2 header at offset 0x0.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Opening locked device /tmp/pcrlock.img
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Verifying locked device handle (regular file)
Apr 29 18:36:11 H systemd-cryptenroll[2933]: LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Checksum:09919c2cc76277de1063d5099ece510667e5a33152d9e2652acfb0fb551673ec (on-disk)
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Checksum:09919c2cc76277de1063d5099ece510667e5a33152d9e2652acfb0fb551673ec (in-memory)
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Trying to read secondary LUKS2 header at offset 0x4000.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Reusing open ro fd on device /tmp/pcrlock.img
Apr 29 18:36:11 H systemd-cryptenroll[2933]: LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Checksum:3278b2d590b5a0ef5ad2cf4efd91d872f30865a168c077cd4042526890adf250 (on-disk)
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Checksum:3278b2d590b5a0ef5ad2cf4efd91d872f30865a168c077cd4042526890adf250 (in-memory)
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Device size 20971520, offset 16777216.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Device /tmp/pcrlock.img READ lock released.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Only 2 active CPUs detected, PBKDF threads decreased from 4 to 2.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Not enough physical memory detected, PBKDF max memory decreased from 1048576kB to 1003642kB.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1003642, parallel_threads 2.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 0.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 1.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 2.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 3.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 4.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 5.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 6.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 7.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 8.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 9.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 10.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 11.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 12.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 13.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 14.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 15.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 16.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 17.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 18.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 8.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 9.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 10.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 11.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 12.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 13.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 14.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 15.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 16.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 17.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 18.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 19.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 20.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 21.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 22.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 23.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 24.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 25.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 26.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 27.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 28.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 29.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 30.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Requesting JSON for token 31.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Keyslot 0 priority 1 != 2 (required), skipped.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Trying to open LUKS2 keyslot 0.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Running keyslot key derivation.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Reading keyslot area [0x8000].
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Acquiring read lock for device /tmp/pcrlock.img.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Verifying lock handle for /tmp/pcrlock.img.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Device /tmp/pcrlock.img READ lock taken.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Reusing open ro fd on device /tmp/pcrlock.img
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Device /tmp/pcrlock.img READ lock released.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Verifying key from keyslot 0, digest 0.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Loaded 'libtss2-esys.so.0' via dlopen()
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Loaded 'libtss2-rc.so.0' via dlopen()
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Loaded 'libtss2-mu.so.0' via dlopen()
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Using TPM2 TCTI driver 'device' with device '/dev/tpmrm0'.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Loaded 'libtss2-tcti-device.so.0' via dlopen()
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Loaded TCTI module 'tcti-device' (TCTI module for communication with Linux kernel interface.) [Version 2]
Apr 29 18:36:11 H systemd-cryptenroll[2933]: TPM successfully started up.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Getting TPM2 capability 0x0000 property 0x0001 count 127.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Getting TPM2 capability 0x0002 property 0x011f count 256.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Getting TPM2 capability 0x0008 property 0x0000 count 508.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Getting TPM2 capability 0x0005 property 0x0000 count 1.
Apr 29 18:36:11 H systemd-cryptenroll[2933]: Policies with both signed PCR and pcrlock are currently not supported.
@DaanDeMeyer DaanDeMeyer added the bug 🐛 Programming errors, that need preferential fixing label Apr 29, 2024
@poettering poettering added this to the v256 milestone Apr 30, 2024
poettering added a commit to poettering/systemd that referenced this issue May 2, 2024
We currently do not support pcrlock policies and signed PCR policies in
combination. Hence, when we auto-discover both, let's disable signed PCR
policies if pcrlock is available too (simply because that covers more
ground).

Fixes: systemd#32565
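The selection rule described in that commit, as an added illustration that is not systemd's own code: the pre-fix behaviour (refuse to combine an auto-discovered signed-PCR key with the explicitly passed pcrlock policy, producing the "Policies with both signed PCR and pcrlock are currently not supported." line from the log) sits beside the post-fix rule (drop the auto-discovered signed-PCR policy when pcrlock is present). The function names, the `exists` hook, the `prefer_pcrlock` switch and the public-key discovery path are assumptions of this example; the pcrlock path and the error message come from the issue.

```python
"""Policy selection between signed-PCR and pcrlock TPM2 enrollment inputs.

Added illustration for this issue, not systemd's own code. It models the rule
the fix describes (an auto-discovered signed-PCR policy yields to pcrlock)
next to the pre-fix behaviour (refuse both). Function names, the `exists`
hook and the public-key location are assumptions of this example.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Optional

# The pcrlock path is the one from the issue's log. The public-key path is the
# location systemd-cryptenroll documents for an auto-discovered PCR signing
# key; treat it as an assumption here.
DISCOVERED_PUBLIC_KEY = "/run/systemd/tpm2-pcr-public-key.pem"
DISCOVERED_PCRLOCK = "/var/lib/systemd/pcrlock.json"

# Exact message the issue's log shows when both policies reach the TPM2 code.
CONFLICT_MESSAGE = "Policies with both signed PCR and pcrlock are currently not supported."


class PolicyConflict(Exception):
    """Raised when both policy types are in effect and cannot be combined."""


@dataclass(frozen=True)
class Tpm2Policy:
    public_key: Optional[str]  # signed-PCR policy input, None when not in use
    pcrlock: Optional[str]     # pcrlock policy input, None when not in use
    note: str = ""             # why a discovered input was dropped, if it was


def resolve_tpm2_policy(public_key_arg: Optional[str] = None,
                        pcrlock_arg: Optional[str] = None, *,
                        exists: Callable[[str], bool] = lambda p: Path(p).exists(),
                        prefer_pcrlock: bool = True) -> Tpm2Policy:
    """Combine command-line inputs with auto-discovered files.

    An empty option value behaves like an omitted one: the issue's log shows
    `--tpm2-public-key=` passed empty while a signing key was still picked up.
    `prefer_pcrlock=False` reproduces the pre-fix behaviour from the log.
    """
    pk_explicit = bool(public_key_arg)
    pl_explicit = bool(pcrlock_arg)

    public_key = public_key_arg if pk_explicit else (
        DISCOVERED_PUBLIC_KEY if exists(DISCOVERED_PUBLIC_KEY) else None)
    pcrlock = pcrlock_arg if pl_explicit else (
        DISCOVERED_PCRLOCK if exists(DISCOVERED_PCRLOCK) else None)

    if public_key and pcrlock:
        if prefer_pcrlock and not pk_explicit:
            # Post-fix rule: a merely auto-discovered signing key yields to
            # pcrlock, which covers more ground. An explicitly requested
            # signing key stays a hard conflict (assumption: the commit only
            # describes the auto-discovered case).
            return Tpm2Policy(None, pcrlock,
                              "auto-discovered signed PCR policy dropped in favour of pcrlock")
        raise PolicyConflict(CONFLICT_MESSAGE)
    return Tpm2Policy(public_key, pcrlock)


def is_policy_conflict_log_line(line: str) -> bool:
    """Detection helper for CI logs: flags the line that marks this failure."""
    return CONFLICT_MESSAGE in line


def run_issue_scenario(fixed: bool) -> str:
    """Replay the issue's invocation against a constructed file layout.

    The layout mirrors the mkosi environment: a signed-PCR key is present to be
    auto-discovered and pcrlock.json is passed explicitly, as in the log.
    """
    present = {DISCOVERED_PUBLIC_KEY, DISCOVERED_PCRLOCK}  # constructed layout
    try:
        policy = resolve_tpm2_policy("", DISCOVERED_PCRLOCK,
                                     exists=lambda p: p in present,
                                     prefer_pcrlock=fixed)
    except PolicyConflict as e:
        return f"error: {e}"
    return f"pcrlock={policy.pcrlock} public_key={policy.public_key}"


if __name__ == "__main__":
    print("before fix:", run_issue_scenario(fixed=False))
    print("after fix: ", run_issue_scenario(fixed=True))
    sample = ("Apr 29 18:36:11 H systemd-cryptenroll[2933]: "
              "Policies with both signed PCR and pcrlock are currently not supported.")
    print("conflict line detected:", is_policy_conflict_log_line(sample))
```

Running the block replays the issue's invocation twice: with `prefer_pcrlock=False` it returns the conflict message from the log, with `prefer_pcrlock=True` it keeps only the pcrlock policy, which is the outcome the fix aims for. The `exists` hook lets the discovery step be exercised without touching the real filesystem.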
@bluca bluca closed this as completed in 27f4278 May 7, 2024