Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

Automatic decryption of root volume stopped working
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
rogerroger
n00b
n00b


Joined: 24 May 2023
Posts: 6
PostPosted: Sat Jun 08, 2024 1:56 pm    Post subject: Automatic decryption of root volume stopped working Reply with quote
After updating my kernel from version 6.8.12 my root volume will no longer decrypt automatically. I've tried swapping the version of the kernel/efi file with a emerge --config sys-kernel/gentoo-kernel-bin and swapping out the versions (tried 6.8.10, 6.8.12, 6.9.2, 6.9.3). Neither 6.9 version works.

I'm using a bit of a custom setup with clevis binding the key to the tpm, booster to generate the initramfs and to automatically get the key on boot and decrypt my root volume and sbctl to create and bundle the final efi. This setup has worked without any issues for the last year. I've already tried rebinding the key in case something about my efi vars changed or similar but it didn't make a difference. Just changing the kernel version makes things work/break.

How would I best go about figuring out why this is happening?
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22211
PostPosted: Sat Jun 08, 2024 4:57 pm    Post subject: Reply with quote
As I understand the typical use of TPMs, this is expected and desirable. You changed out the kernel, so when the kernel is measured into the TPM, you get the wrong measurement, and the TPM refuses to provide the key.

You wrote that you tried rebinding the key. What exactly did you do here?
Back to top
View user's profile Send private message
rogerroger
n00b
n00b


Joined: 24 May 2023
Posts: 6
PostPosted: Sat Jun 08, 2024 7:23 pm    Post subject: Reply with quote
The command used to regenerate the key was
Code:
clevis luks regen -d /dev/nvme0n1p3 -s 1
.
I rebuild the efi file and sign it automatically after every update. This has never been an issue until now.

The key is bound against registers 1,2,3 and 7 which correspond to
- Host platform configuration
- UEFI driver and application code
- UEFI driver and application configuration
- Secure boot policy
(see https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf 2.3.4)
This excludes boot loader configuration such as which kernel is booted.

To give a bit more info my setup looks a bit like this:
- portage updates gentoo-kernel-bin
- installkernel does my config bits:
- booster generates an initramfs
- sbctl creates an efi bundle
- sbctl signes said efi bundle

This mostly mirrors my old setup I had on archlinux and worked for previous updates. As the only thing changing between working and broken being the kernel version used I don't belive anything else in my setup is wrong.
So emerge --config '=sys-kernel/gentoo-kernel-bin-6.8.12' works, while emerge --config '=sys-kernel/gentoo-kernel-bin-6.9.3' doesn't work.
Back to top
View user's profile Send private message
rogerroger
n00b
n00b


Joined: 24 May 2023
Posts: 6
PostPosted: Sun Jun 09, 2024 2:12 pm    Post subject: Reply with quote
I went with the assumption that something about the kernel config changed recently and built the 6.9.2 kernel with the 6.8.12 config and my system unlocks normally again.

I executed the following command in /usr/src and installed gentoo-kernel-6.9.2.
Code:

diff --changed-group-format="%>" --unchanged-group-format="" linux-6.9.3-gentoo-dist/.config linux-6.8.12-gentoo-dist/.config | sudo tee /etc/kernel/config.d/50-test.config


I'm assuming one of those options needs to be enabled for this to work. What should my next step be?
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22211
PostPosted: Sun Jun 09, 2024 3:30 pm    Post subject: Reply with quote
I suggest examining the help text for those options to see if any sound relevant to your problem. If not, then the next step would be to speculatively enable part of them, test, then either enable or disable as appropriate until you have bisected down to the specific option.
Back to top
View user's profile Send private message
rogerroger
n00b
n00b


Joined: 24 May 2023
Posts: 6
PostPosted: Sun Jul 07, 2024 6:59 pm    Post subject: Reply with quote
I spent a lot of time trying out different options but it either always worked or never worked.
Turns out that gentoo-kernel and gentoo-kernel-bin don't use the same config options and some of them are related to my issue...
In the end I gave up for now and after some fiddling got a working solution with dracut (did you know that you need to install dracut before clevis for the necessary modules to get installed? I didn't).

I'm just gonna assume that this is bug is on booster and will look deeper into it in the future :)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2024 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy