-
-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Debian-12 still requires manual crypttab alterations and initrd regeneration to pick up TPM disk unlock key #1474
Comments
@natterangell please update this issue. Discussions under PR should be limited to changes in code, not discussing issues. @marmarek : Will Q4.2 move to BRTFS? (cross-post https://forum.qubes-os.org/t/btrfs-and-qubes-os/6967/28) |
Well exFAT support would certainly be appreciated. I suppose most people using Heads mostly use linux, but windows won't allow FAT32 partitions on larger usb drives (at least not without some fiddling), and so adding rom files, gpg keys etc requires preparing the drive on linux/macos |
Cross-linking to QubesOS/qubes-issues#6476 |
@natterangell can you detail Debian version and existence non-existent of crypttab and final content (hide like UUID) here? I'm glad PR worked for you but issue should not be there, bit here to track it. |
He answered
@natterangell weird. Location of the file created is under /etc/crypttab or somewhere else? As said in the pr/original issue (discussion should continue here to track issue down) qubes doesn't provide crypttab either, but when provided by heads under secret.cpio, it complies reading the one provided.
|
I apologize for commenting on the PR. Yes, the default on Debian is /etc/crypttab. The Debian manpage for crypttab states:
I don't know if update-initramfs checks this field and includes the file in initrd if something else than "none"? |
The manpage states further down that:
Seems there might be some differences despite both Debian and Fedora/Qubes being systemd-based |
Sorry if I was unclear. If a crypttab is found under initrd, heads parses it ad overwrites You should see those happening when setting a default option and enabling tpm disk unlock key. It says if it found one, says what he found and what is replaced by, and if not, what has been generated. There is even an override file under /boot to say what is the override for transparency, which is signed and used at time of generating the secret.cpio passed by the kexec call. The only thing I see here is the default generated initrd not containing /etc/crypttab and Heads doing the wrong thing as opposed to what their crypt-mount is expecting... Seems like we have a forever unfixed thing under Debian. I guess I'll have to reproduce and report upstream..... Damn. @natterangell can you point me to the direct iso you have used to install Debian please? Also, we are talking about master romnfor your board I guess right? This code has changed a couple of months ago and I remember Debian was specifically tested. Now I'm really confused. Logic to parse initrd and override crypttab when found: https://github.com/osresearch/heads/blob/d8a9a1e77e1731302e5b464b789c872a78e738c4/initrd/bin/kexec-save-default#L141 Logic to generate crypttab when none is found under initrd: https://github.com/osresearch/heads/blob/d8a9a1e77e1731302e5b464b789c872a78e738c4/initrd/bin/kexec-insert-key#L94 |
I used debian-12.1.0-amd64-netinst.iso. As of Debian 12, firmware is now included in the default image. Yes, before manually editing the default crypttab file, the following is displayed: That message goes away after manual edit. |
This means that Debian doesn't ship with crypptab on initrd at install, and then when you provide one on the host and regenerate initrd, it's now packed under /boot. I have reinstalled my qemu disk and will be able to reproduce eventually. This could be fixed upstream: it makes no sense that the crypttab is inside of the rootfs: it should be part of initrd under /boot to be parsed by anyone who wants to ans overriden on the OS rootfs if needed. It seems that a lot of OSes are doing it wrong. Will try to replicate but that would need upstreaming. It's not Head job to fix downstream, even less if Debian is used by other repackaged OS distributions. Ideal would be for you to check the init code and follow the rabbit there and open an issue and refer it here. Documenting temporary fixes I'm ok, maintaining them I'm not. Forgetting about it and searching again in the future, a total frustration. This is open source and if spotted on, they should want to fix it. Up to task @natterangell ? |
No. We may consider it for some later release, but not 4.2 |
I'll give it a shot. |
@natterangell Sorry for the delay. Trace of tests while testing #1482 on qemu-coreboot-whiptail-tpm2 with #1479 equivalent being enabled to enable debug output and tracing (enabled by default in board configs on qemu boards aimed at testing) on TPM Disk Unlock Key enabled default boot: And here I confirm that previous paramenters are not taken into consideration from Debian's initrd, since Disk Recovery Key passphrase is prompted: Will edit this post with investigation. But My hunch is that the system only needs to be updated and that once host's /etc/crypttab will be injected into initrd, Heads will do the right thing. Let's see...
On reboot. Of course, /boot changed: Let's go back to what was packed inside of initrd without any manual modification of the host's crypttab file and go through above screenshots to see what is happening. |
So to get back to basics:
No crypttab injected into initrd by debian whatsoever? I would have expected the crypttab to have been injected inside of the initrd here, i'm confused to how your fix has worked. What is the content of your /boot/initrd here @natterangell ? |
From Heads:
|
Don't use just |
@tlaurion I’ll check later tonight when I have access to the machine. while looking into this I came across a post on Stack Exchange indicating that
and indeed, that seems to be the case. Still doesn’t explain why Heads succeeds after the manual edit described in the wiki above. |
Thanks for the tip @marmarek , i'm afraid those are not provided by busybox once again....
What I hear is that there is more then what I see. I will try to find alternatives, thanks |
@natterangell I like to read that. That is actionable and redirects what where to work to have a generic solution here. @marmarek QubesOs happily complies with how Heads feeds crypptab content into secret.cpio after parsing only earlyinitrd. Even if we were to feed the same crypttab content to /cryptroot/crypttab (easy) it seems that the format of the file should be more generic and provide the name of the vg here. I will hack my current working branch to feed cryptroot/crypttab here and see what happens. Otherwise this will require not reading outside sources, but looking at what the actual code does and what format it happily parses. |
Qubes should also support |
lsinitrd is in |
For reference, with cpio:
|
Reading the almost 8 year old(!) blog post that is mentioned in the wiki, I think I now understand why those changes work:
So the workaround mentioned in the wiki basically makes Debian cryptroot hook script |
Wouldn't it be tricky to find the vg name, given that debian generates that based on whatever is chosen as hostname during install. But the UUID should be able to be extracted, no (?) |
Houla... A bunch of hacks to hack other hacks...
That part is clean and should work. Trying to simply propagate the same content in both cryptroot/crypptab and /etc/crypttab should be sufficient. Tried to get cpio from busybox do the right thing under Head's busybox without success so ideal here would be to simply have debian pickup to whatever it deems fine, where luks-uuid is the generic format and normally considered to be valid... I'm on it. |
@natterangell I would prefer the code to override what is inside of the initrd instead of creatinc generic options. @JonathonHall-Purism it seems we overlooked that in previous attempts of fixing TPM Disk Unlock Key (which is not used by neither Purism/Nitrokey today) and since it was working out of the box for QubesOS Heads users, that fell in the cracks. Small investigation on my side shows cpio is not behaving correctly neither in extracting nor listing files, stopping at early cpio and not processing further. I will try to fix this further, but as of now, I think this is way better than it was, with a lot of usability fixes that will land under #1482, including fix to close this issue! |
Tested working on both TPM1/TPM2 under debian bookwork, standard encrypted TLVM setup
Tested working on both TPM1/TPM2 under debian bookwork, standard encrypted TLVM setup
Tested working on both TPM1/TPM2 under debian bookwork, standard encrypted TLVM setup
@tlaurion I mentioned this over on #1482 as well, but I think what you want is Debian 12 provides an early microcode update in the initrd, which must be in an initial uncompressed segment. The real initrd follows in a zstd-compressed segment. Linux allows any arbitrary sequence of compressed/uncompressed segments concatenated together in the initrd. unpack_initramfs.sh unpacks such an initrd, with a few limitations due to gunzip/unzstd (once it hits a compressed segment, no further segments can be read, because gunzip/unzstd can't be convinced to stop reading at the end of their compressed data). In practice, this has worked for the initrds I have tested, I use it for the Librem Blob Jail. It should be able to pull out the crypttab. |
@natterangell I don't get it #1482 (comment) More specifically that thread referred images. When default boot TPM DUK is setuped: When default boot is launched: Debian fails even earlier. Spent too much time on that... Only insight is from last image: it seems that the path for crypttab is not cryptroot/crypttab but tmp something somehting. Will check one last time... |
@natterangell yep. That's it:
Checking... |
It all depends on the partition scheme. If using BRTFS (same as if using BRTFS under Qubes 4.1+ partition scheme) then two LUKS containers are expected to be unlocked from the TPM disk unlock key. So you should go back into Boot options -> show boot options -> save as default, and answer yes to reseal TPM disk unlock key. But this time, pass the two LUKS containers (eg /dev/sda2 /dev/sda3). Qubes default TLVM partition scheme has it all under a single LUKS container. I guess the information under https://osresearch.net/InstallingOS/#compatibility is not specific enough and could be improved, or the code could suggest found LUKS partitions only to confuse less the user.... Note that BRTFS is not supported within Heads. Only ext4 and TLVM (Thin LVM volume support without thin-lvm-tools). If needs be and tangent is to go torward XFS and BRTFS, we could try to add those tools as well. Note that #1446 is adding support for EXT4 repair tools and ExFat repair tools as well which is now the default for bought sdcards and thumb drives, where Thin LVMs are more and more despised for their added complexity which slows down disk operations.
Also, I'm not sure if https://osresearch.net/InstallingOS/#default-boot-and-disk-unlock is true anymore, since my testing with Talos II and debian invalidates the statement there saying that init doesn't process crypttab: it does, otherwise I would not be able to boot into my OS. @krystian-hebel you reported something similar. What is your partition scheme on Talos II's debian install?
The magic happening in the background here is:
@natterangell : So if only one LUKS container is overriden out of many, the final OS will ask for as many LUKS container it doesn't know how to unlock. Let me know if specifying both LUKS containers when setuping a TPM disk unlock key worked (it should: the logic parses those entries and will fail if the partition provided is not a LUKS drive, otherwise leaving slot 0 untouched (disk recovery key) and kills slot1 and then replaces slot 1 with the in-memory generated key corresponding to sealed secret in TPM, which TPM disk unlock key is unsealed with sealed measurements and NV region passphrase. This is why you type a different passphrase on Heads (TPM NV region passphrase to unlock TPM disk unlock key) then on Final OS (Disk recovery key). Hope this clarified everything. Would appreciate if you could do a PR on heads-wiki if that information is unclear to you.
Related: asked question to @marmarek at https://forum.qubes-os.org/t/btrfs-and-qubes-os/6967/28 to see if BRTFS was expected to become the default partition scheme over current TLVM default, since QubesOS is first citizen of Heads. But if all OSes are moving away of TLVM, Heads will need to choose what to support in kernel and on filesystem tools provided for recovery shell. Heads cannot support everything since we are limited in ROM space (until we can switch to squashfs/overlayfs, when: undefined).
The text was updated successfully, but these errors were encountered: