UKI: kcrypt unlock-all doesn't unlock TPM-bound partitions #2217

Closed
Tracked by #1792
mudler opened this issue Feb 6, 2024 · 4 comments

@mudler
Member

mudler commented Feb 6, 2024

Currently, unlocking partitions encrypted with the TPM manually by calling kcrypt unlock-all doesn't work.

A workaround exists and is documented in https://kairos.io/docs/installation/trustedboot/#mount-partitions-after-install

@mudler mudler converted this from a draft issue Feb 6, 2024
@mudler mudler added the uki label Feb 6, 2024
@mudler mudler mentioned this issue Feb 6, 2024
@jimmykarily
Contributor

To reproduce:

  • In the Kairos config, try to run kcrypt unlock-all in an after-install stage (e.g. to write some files to the disk)
  • Install Kairos in UKI mode
  • See installation failing.

Possible solution:

Introduce a new stage/hook (e.g. "after-decrypt") to allow people to run code right after decrypting the disks. This stage will also make sure the disk is encrypted again when the stage is done.

Also, there is a --tpm flag in the kcrypt unlock-all command that might work around the issue.

@Itxaka
Member

Itxaka commented Apr 1, 2024

kcrypt unlock-all could work if we add a --tpm flag so it knows it needs to go over the tpm unlock workflow instead of the usual one.

@jimmykarily jimmykarily moved this to In Progress 🏃 in 🧙Issue tracking board Apr 8, 2024
@jimmykarily jimmykarily moved this from In Progress 🏃 to Todo 🖊 in 🧙Issue tracking board Apr 8, 2024
@jimmykarily jimmykarily moved this from Todo 🖊 to In Progress 🏃 in 🧙Issue tracking board Apr 9, 2024
@jimmykarily jimmykarily self-assigned this Apr 9, 2024
@jimmykarily
Contributor

jimmykarily commented Apr 9, 2024

kcrypt has the --tpm flag since: kairos-io/kcrypt@94af8c8d

And it works:

[root@fedora kairos]# blkid
/dev/sr0: BLOCK_SIZE="2048" UUID="2024-03-22-06-21-55-00" LABEL="UKI_ISO_INSTALL" TYPE="iso9660"
/dev/loop0: UUID="382D-CD50" BLOCK_SIZE="512" TYPE="vfat"
/dev/vda2: UUID="8bfa06f9-ca4f-56dc-90c9-49cf20f4f45e" TYPE="crypto_LUKS" PARTLABEL="oem" PARTUUID="88b189b8-ff89-49fc-92c0-a2ed101960df"
/dev/vda3: UUID="85c39d0f-4867-5227-8334-f5eec606d9eb" TYPE="crypto_LUKS" PARTLABEL="persistent" PARTUUID="d5ff410d-26bb-4af9-a2cc-b00b9cbaf5d0"
/dev/vda1: LABEL_FATBOOT="COS_GRUB" LABEL="COS_GRUB" UUID="1DE8-4BAA" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="efi" PARTUUID="2c953d75-6869-49eb-83b0-660ebbd42753"


[root@fedora kairos]# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0    7:0    0   458M  1 loop /run/rootfsbase
sr0     11:0    1 458.4M  0 rom  /run/initramfs/live
vda    252:0    0    40G  0 disk 
├─vda1 252:1    0    15G  0 part 
├─vda2 252:2    0    64M  0 part 
└─vda3 252:3    0  24.9G  0 part 


[root@fedora kairos]# kcrypt unlock-all
Got luks UUID 8bfa06f9-ca4f-56dc-90c9-49cf20f4f45e
 for partition vda2
Unmounted Luks found at '/dev/vda2' 
Checking uuid: 8bfa06f9-ca4f-56dc-90c9-49cf20f4f45e
Unlocking failed: 'Unable to get a keyslot with id: 0'
Got luks UUID 85c39d0f-4867-5227-8334-f5eec606d9eb
 for partition vda3
Unmounted Luks found at '/dev/vda3' 
Checking uuid: 85c39d0f-4867-5227-8334-f5eec606d9eb
Unlocking failed: 'Unable to get a keyslot with id: 0'


[root@fedora kairos]# kcrypt unlock-all --tpm
Got luks UUID 8bfa06f9-ca4f-56dc-90c9-49cf20f4f45e
 for partition vda2
Unmounted Luks found at '/dev/vda2' 
Got luks UUID 85c39d0f-4867-5227-8334-f5eec606d9eb
 for partition vda3
Unmounted Luks found at '/dev/vda3' 


[root@fedora kairos]# lsblk
NAME     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
loop0      7:0    0   458M  1 loop  /run/rootfsbase
sr0       11:0    1 458.4M  0 rom   /run/initramfs/live
vda      252:0    0    40G  0 disk  
├─vda1   252:1    0    15G  0 part  
├─vda2   252:2    0    64M  0 part  
│ └─vda2 253:0    0    48M  0 crypt 
└─vda3   252:3    0  24.9G  0 part  
  └─vda3 253:1    0  24.9G  0 crypt 


[root@fedora kairos]# blkid
/dev/sr0: BLOCK_SIZE="2048" UUID="2024-03-22-06-21-55-00" LABEL="UKI_ISO_INSTALL" TYPE="iso9660"
/dev/loop0: UUID="382D-CD50" BLOCK_SIZE="512" TYPE="vfat"
/dev/vda2: UUID="8bfa06f9-ca4f-56dc-90c9-49cf20f4f45e" TYPE="crypto_LUKS" PARTLABEL="oem" PARTUUID="88b189b8-ff89-49fc-92c0-a2ed101960df"
/dev/vda3: UUID="85c39d0f-4867-5227-8334-f5eec606d9eb" TYPE="crypto_LUKS" PARTLABEL="persistent" PARTUUID="d5ff410d-26bb-4af9-a2cc-b00b9cbaf5d0"
/dev/vda1: LABEL_FATBOOT="COS_GRUB" LABEL="COS_GRUB" UUID="1DE8-4BAA" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="efi" PARTUUID="2c953d75-6869-49eb-83b0-660ebbd42753"
/dev/mapper/vda3: LABEL="COS_PERSISTENT" UUID="8ce7c934-a70c-41c4-9d6e-e717fe4ce167" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/vda2: LABEL="COS_OEM" UUID="ae859253-ec7d-46db-b891-2321fcacbb7c" BLOCK_SIZE="1024" TYPE="ext4"

Nothing more to do I guess?

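The session above shows the check by eye (run `kcrypt unlock-all --tpm`, then look at `lsblk` for `crypt` children). Below is that same check as a script, added here as an example and not code from kcrypt or Kairos; it also covers the reproduction steps in the earlier comment, since it is what one would run in an after-install stage to confirm the disks are actually open before writing to them. It assumes `kcrypt` is on PATH and accepts `--tpm` as shown in this issue, and that `blkid` and `lsblk -rno NAME,TYPE,PKNAME` are the util-linux tools. The sample strings are constructed from the shape of the output pasted above; only `unlock_and_verify` touches the real system.

```shell
#!/bin/sh
# Added example (not kcrypt's or Kairos' own code): after `kcrypt unlock-all --tpm`,
# confirm that every crypto_LUKS partition really has an open dm-crypt mapping.
# Assumption: `kcrypt unlock-all --tpm` exists as shown in this issue.

# Constructed blkid output: two LUKS partitions and one unrelated vfat partition.
BLKID_SAMPLE='/dev/vda2: UUID="8bfa06f9-ca4f-56dc-90c9-49cf20f4f45e" TYPE="crypto_LUKS" PARTLABEL="oem"
/dev/vda3: UUID="85c39d0f-4867-5227-8334-f5eec606d9eb" TYPE="crypto_LUKS" PARTLABEL="persistent"
/dev/vda1: LABEL="COS_GRUB" UUID="1DE8-4BAA" TYPE="vfat" PARTLABEL="efi"'

# Constructed `lsblk -rno NAME,TYPE,PKNAME` output before any unlock ...
LSBLK_LOCKED='vda disk 
vda1 part vda
vda2 part vda
vda3 part vda'

# ... after only the oem partition got unlocked (the failure mode worth catching) ...
LSBLK_PARTIAL='vda disk 
vda1 part vda
vda2 part vda
vda2 crypt vda2
vda3 part vda'

# ... and after a successful `kcrypt unlock-all --tpm`: each LUKS partition has a
# child of TYPE crypt whose PKNAME is the partition (mapper name == partition name here).
LSBLK_UNLOCKED='vda disk 
vda1 part vda
vda2 part vda
vda2 crypt vda2
vda3 part vda
vda3 crypt vda3'

# luks_partitions BLKID_TEXT: print the kernel name (vda2, ...) of each crypto_LUKS device.
luks_partitions() {
    printf '%s\n' "$1" |
        awk -F: '/TYPE="crypto_LUKS"/ { sub("^/dev/", "", $1); print $1 }'
}

# still_locked BLKID_TEXT LSBLK_TEXT: print every LUKS partition that has no crypt
# child in the lsblk listing; returns 0 when all are unlocked, 1 otherwise.
still_locked() {
    blkid_out=$1
    lsblk_out=$2
    rc=0
    for part in $(luks_partitions "$blkid_out"); do
        if ! printf '%s\n' "$lsblk_out" |
            awk -v p="$part" '$2 == "crypt" && $3 == p { found = 1 } END { exit !found }'
        then
            echo "$part"
            rc=1
        fi
    done
    return $rc
}

# unlock_and_verify: the live version for a Kairos UKI system (touches real devices,
# not exercised by the offline checks). Fails loudly if any partition stayed locked,
# so a later step does not write to a partition that is still ciphertext.
unlock_and_verify() {
    kcrypt unlock-all --tpm || return 1
    locked=$(still_locked "$(blkid)" "$(lsblk -rno NAME,TYPE,PKNAME)") && return 0
    echo "still locked after unlock-all --tpm: $locked" >&2
    return 1
}
```

Matching the `crypt` child by `PKNAME` rather than by name avoids a false pass when a mapper device happens to share a name with a different partition; the session above is the happy path where both names coincide.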
@jimmykarily
Contributor

Introduced in version 0.9.0: kairos-io/kcrypt@v0.7.0...v0.9.0 (cut in December 18th: https://github.com/kairos-io/kcrypt/releases/tag/v0.9.0)

@jimmykarily jimmykarily moved this from In Progress 🏃 to Under review 🔍 in 🧙Issue tracking board Apr 9, 2024
@github-project-automation github-project-automation bot moved this from Under review 🔍 to Done ✅ in 🧙Issue tracking board Apr 12, 2024