Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
oldium
force-pushed
the
feature/tpm1
branch
2 times, most recently
from
556332d to
04d5e9f
Compare
oldium
force-pushed
the
feature/tpm1
branch
4 times, most recently
from
2c32eb7 to
a7de265
Compare
oldium
force-pushed
the
feature/tpm1
branch
2 times, most recently
from
b4cc648 to
e83e669
Compare
oldium
force-pushed
the
feature/tpm1
branch
3 times, most recently
from
dc1c5c3 to
40bfdf4
Compare
|
Work is done, pre-built packages for Debian 12 and amd64 arch are available here https://github.com/oldium/clevis/releases/tag/v20_tpm1 |
oldium
force-pushed
the
feature/tpm1
branch
2 times, most recently
from
000c78a to
b79a306
Compare
|
The CentOS test build image needs some love, the |
|
Rebased to latest master to fix the build. |
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
The command fails in Docker or otherwise limited environments, so skip the test when it is not usable. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
…oot) [code-review] Unnecessary keyword. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
…oot) [code-review] Check return value. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
[code-review] Check return value. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
[code-review] Update wording. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
[code-review] Unify the function signatures. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Add forgotten copyright header. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Fix PCR bank and sealing fail logic. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Add missing local variable declaration. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Fix PCR bank and sealing fail logic in test. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Fix usage of uninitialized ${orig} value. Also test exactly the string
without having newlines added by echo.
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Fix usage of uninitialized ${orig} value. Also test exactly the string
without having newlines added by echo.
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
|
Would this play nicely together with #467? Anything missing? Great for proxmox ZFS root on older TPM 1.2 only hardware. |
Hard to say without looking more into the ZFS support. I see some code duplication in the ZFS initramfs hook, it installs basically the same binaries as the regular clevis hook. It misses TPM1.2 completely (for obvious reasons). From the brief look I was not able to tell how exactly the ZFS unlocking works, but if it uses the same clevis functionality to decrypt the password, it should (in theory) work. Side note: I have rebased my patches and changed them according to code-review input plus few fixes more (also for easier packaging of the new |
|
Possibly there will be some startup changes necessary to line-up with the ZFS support, because the clevis initramfs Anyway, nothing impossible to do. |
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
|
Added several On top of the code-review fixes, I added the following:
On top of that, I created a new |
There was a problem hiding this comment.
LGTM. Thanks for your PR. @sergio-correia : A double opinion is welcome here
|
Just a kind reminder: Please do not merge without auto-squashing first ( |
|
Who needs to approve this PR for merge? |
Changes LGTM. Waiting for @sergio-correia to check if anything else is required (it seems all suggested nits were resolved) |
|
[Updated] @sarroutbi I am testing the rebase and almost everything works. Unfortunately, the newest Ubuntu 26.04 is using Dracut 110, which renumbered the systemd-cryptsetup module from 11 to 71, so we cannot add “needs” for Hm, or maybe I am wrong. Dracut has 00systemd, which installs cryptsetup.target. Let me check more... [Edit] |
sergio-correia
left a comment
sergio-correia
left a comment
There was a problem hiding this comment.
@oldium: Thanks, I finally had a chance to review this again. Looks very nice, but I pointed a few small issues to fix. Please, also rebase on top of the current master. Also, are you going to autosquash those fixup commits?
|
|
||
| copy_exec "${tcsd_bin}" || die 1 "Unable to copy ${tcsd_bin}" | ||
| copy_exec "${libgcc_s}" || die 1 "Unable to copy ${libgcc_s}" | ||
| copy_file config /etc/tcsd.conf || dia 2 "Unable to copy /etc/tcsd.conf" |
There was a problem hiding this comment.
Typo here: should be die instead of dia
| echo "root:x:0:0:root:/root:/bin/bash" >> "${DESTDIR}/etc/passwd" | ||
| echo "root:x:0:" >> "${DESTDIR}/etc/group" | ||
|
|
||
| group_id=`id -G tss` || die 2 "Unable to get tss group ID" |
There was a problem hiding this comment.
Isn't this supposed to be id -g (lowercase), to return all groups instead of primary GID?
There was a problem hiding this comment.
The id -G is actually returning all groups, so this might form an invalid entry (not usually the case, tss is a system user created during package installation with single group tss). This usage is specifically about the group ID of the tss group, so getting it through the primary group of tss user is the way to go - id -g tss should be used.
| [ -f "/sys/class/tpm/tpm0/pcr-${_pcr_bank}/${_pcr}" ] || return 1 | ||
| done | ||
| else | ||
| local pcr_args="${pcr_ids:+-p}${pcr_ids//,/ -p}" |
There was a problem hiding this comment.
I believe we should use $_pcrs (which we define in this validate_pcrs() function) here; we are using the "outer" $pcr_ids instead, whihc seems to work by coincidence.
| if ! ps -A -o pid | awk -v pid="${pid}" '$1==pid {found=1} END {exit !found}'; then | ||
| error "Failed waiting, ${name:process} terminated" | ||
| elif [ "${elapsed}" -gt "${max_timeout_in_s}" ]; then | ||
| error "Timeout (${max_timeout_in_s}s) waiting for ${name:process}" |
There was a problem hiding this comment.
${name:process} should be ${name:-process} (missing the dash for the default value), in those two instances here.
| int | ||
| setgid(gid_t gid) | ||
| { | ||
| static int (*real_setgid)(uid_t) = NULL; |
There was a problem hiding this comment.
gid_t instead of uid_t here.
| } | ||
| return real_setgid(gid); | ||
| } | ||
| return 0; |
There was a problem hiding this comment.
This return is unreachable, please just remove it.
|
|
||
| local enc | ||
| if ! enc=$(echo -n "${orig}" | clevis encrypt tpm1 "${cfg}"); then | ||
| echo "${TEST}: encrypt failed for cfg: ${cfg}" >&1 |
There was a problem hiding this comment.
This should probably be >&2
There was a problem hiding this comment.
Actually, a copy-paste from tpm2 pin test 🙈 Fixing it there too.
|
Thanks @sergio-correia for the review, I now feel like a kid. I saw the code so many times and have not noticed that 😅. I will fix all your findings and auto-squash it. |
|
The issue with Dracut 110 is reported here #545 |
|
I commented this in #545 as well, but clevis 20-1ubuntu2 was uploaded with a patch that fixes the ordering issue. |
|
I will rebase onto #549 to create a non-conflicting branch. |
10 participants
This patch series adds TPM 1.2 support and fixes few other things (I can split this into multiple Pull Requests if you wish):
DefaultDependencies=no.Status:
clevis-encrypt-tpm1Example usage:
clevis luks bind -d /dev/<device> tpm1 '{"pcr_ids":"0,4,7"}'echo test | clevis encrypt tpm1 '{"pcr_ids":"0,4,7"}' | clevis decryptTested:
"fail":trueto test success and failed unlockingrd.neednetthe unlocking happens after network gets online.Fixes: #84, #456