make openssl libtss2 tpm2 reproducible #1630

tlaurion
Collaborator

@tlaurion tlaurion commented Apr 3, 2024

fixes #1616 directly.


Past work related to fixating pkg-config config correctly and limiting host system to bleed in builds fixed some previous issues as well, where this PR fixed CircleCI to use working dir of heads (as opposed to project in the past):
closes #734
closes #892


TODO:

  • Test extensively for tpm2 toolstack regression. Under qemu-tpm2 boards, I could see quickly warnings about public key counterpart not being valid, but didn't see any regression for sealing/unsealing ops up to DUK sealing/unsealing. make openssl libtss2 tpm2 reproducible #1630 (comment)

@tlaurion
Collaborator Author

tlaurion commented Apr 3, 2024

@JonathonHall-Purism more testing needed but leaving here to provide diffoscope output and discuss approaches taken.
Prefer sed here to patches if possible. And would love to generalize this to other patches that are hard to maintain on version bumps.

This also bumps tpm2-tools to 5.2 (was more than needed) and tpm2-tss to 3.2.2

Ease cleaning up everything. IMHO better than real.clean target

Signed-off-by: Thierry Laurion <[email protected]>
…rl script contains reproducible date and fake compiler_flags

 hardcode VERSION='reproducible_build' into generated configure script to get rid of generate random git abbrev 8/12 chars (could not find source)
 patches/openssl-3.0.8.patch: clean up

tpm2-tools/tpm2-tss:
 hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch
  Will be cleaned up in other commits. Leaving here as trace for autotools sed patching for reproducible builds.

CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds

TODO: change other patches as well and generalize to gpg toolstack, removing patches that are a maintainership burden.

Signed-off-by: Thierry Laurion <[email protected]>
…ACKAGE_VERSION string which configure.ac points to ./VERSION already

tpm2-tools-5.6 patch: comment out git versioning output under ./VERSION; module: output current version under ./VERSION instead. Document under module

Signed-off-by: Thierry Laurion <[email protected]>
…move patch 3.2.0->3.2.2

disable static lib builds

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion tlaurion force-pushed the reproducible_openssl_libtss2_tpm2 branch from cf97b65 to 8208c86 Compare April 3, 2024 17:49
@tlaurion
Collaborator Author

tlaurion commented Apr 3, 2024

user@heads-tests-deb12-clean:~/heads$ wget -q https://output.circle-artifacts.com/output/job/3f422e66-2666-4919-a90f-7f62be0cf84e/artifacts/0/build/x86/nitropad-nv41/tools.cpio
user@heads-tests-deb12-clean:~/heads$ diffoscope tools.cpio build/x86/nitropad-nv41/tools.cpio
user@heads-tests-deb12-clean:~/heads$ 

final rom still not reproducible, but tools packed under tools.cpio are.

@tlaurion
Collaborator Author

tlaurion commented Apr 3, 2024

Replaying notes linuxboot/heads-wiki#70 (comment)

rm -f ./bad_hashes ./identical_hashes ./output_non_reproducible && grep / hashes.txt | awk -F " " '{print $1}'| while read hash; do grep -q $hash ~/heads/build/x86/nitropad-nv41/hashes.txt; if [ $? == 0 ]; then echo $hash >> ./identical_hashes; else echo $hash >> ./bad_hashes;fi;done; cat ./bad_hashes| while read bad; do grep $bad hashes.txt >> ./output_non_reproducible; done;
user@heads-tests-deb12-clean:~/heads$ cat output_non_reproducible 
ccb9cb8537ec2855876617ac7a4d9627d07ed0bdf2d76ce8c5ddec0549c8e7f7  /root/heads/build/x86/nitropad-nv41/heads-nitropad-nv41-v0.2.0-2050-g8208c86.rom

So coreboot part not reproducible (assembly of the rom) for nitropad-nv41.
Everything else under hashes.txt are bit by bit equivalent on both CircleCI (debian-11) and local build (debian-12).

Will build other coreboot forks: purism/nitrokey and post results in next comment.

Seems like this PR (CircleCI path change to be heads not project) and past work makes other issues considered fixed as well. Modifying OP.
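
A per-artifact version of the comparison in the comment above, as an added example (not code from this PR or from Heads): it keys each `hashes.txt` line on the path below `build/`, an assumption based on the `/root/heads/build/...` paths shown, so CI and local checkouts in different directories still line up and a hash is only matched against the same artifact. The names `compare_hashes` and `make_samples`, the `board-a` paths and the sample hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-artifact comparison of two sha256sum-style hashes.txt files.

# compare_hashes CI_FILE LOCAL_FILE
# Prints "SAME|DIFF|ONLY_CI|ONLY_LOCAL <artifact>" for every artifact, sorted.
# Returns 0 only when both files list the same artifacts with equal hashes.
compare_hashes() {
    _ch_out=$(awk '
        $0 !~ /\// { next }                 # keep only lines that carry a path
        {
            hash = $1
            name = $0
            sub(/^[^ ]+ +\*?/, "", name)    # strip the hash column and binary marker
            sub(/^.*\/build\//, "", name)   # assumption: key on the path below build/
            if (FILENAME == ARGV[1]) ci[name] = hash
            else                     loc[name] = hash
        }
        END {
            rc = 0
            for (n in ci) {
                if (!(n in loc))          { print "ONLY_CI " n; rc = 1 }
                else if (ci[n] == loc[n]) { print "SAME " n }
                else                      { print "DIFF " n; rc = 1 }
            }
            for (n in loc) if (!(n in ci)) { print "ONLY_LOCAL " n; rc = 1 }
            exit rc
        }
    ' "$1" "$2") && _ch_rc=0 || _ch_rc=$?
    if [ -n "$_ch_out" ]; then
        printf '%s\n' "$_ch_out" | sort
    fi
    return "$_ch_rc"
}

# make_samples DIR
# Writes constructed sample inputs: the CI file uses /root/heads, the local
# file uses /home/user/heads, and only the final ROM differs between them.
make_samples() {
    cat > "$1/ci.txt" <<'EOF'
constructed sample header line without a path
1111111111111111111111111111111111111111111111111111111111111111  /root/heads/build/x86/board-a/tools.cpio
2222222222222222222222222222222222222222222222222222222222222222  /root/heads/build/x86/board-a/bzImage
3333333333333333333333333333333333333333333333333333333333333333  /root/heads/build/x86/board-a/heads-board-a.rom
EOF
    cat > "$1/local.txt" <<'EOF'
constructed sample header line without a path
1111111111111111111111111111111111111111111111111111111111111111  /home/user/heads/build/x86/board-a/tools.cpio
2222222222222222222222222222222222222222222222222222222222222222  /home/user/heads/build/x86/board-a/bzImage
4444444444444444444444444444444444444444444444444444444444444444  /home/user/heads/build/x86/board-a/heads-board-a.rom
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
compare_hashes "$demo_dir/ci.txt" "$demo_dir/local.txt" \
    || echo "not reproducible: at least one artifact differs or is missing"
rm -rf "$demo_dir"
```

The non-zero return code makes the function usable as a CI gate, and the `ONLY_CI`/`ONLY_LOCAL` rows surface artifacts that one side never produced, which a hash-only lookup cannot show.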

@tlaurion
Collaborator Author

tlaurion commented Apr 3, 2024

user@heads-tests-deb12-clean:~/heads$ rm -f ./bad_hashes ./identical_hashes ./output_non_reproducible && grep / hashes.txt | awk -F " " '{print $1}'| while read hash; do grep -q $hash ~/heads/build/x86/x230-hotp-maximized/hashes.txt; if [ $? == 0 ]; then echo $hash >> ./identical_hashes; else echo $hash >> ./bad_hashes;fi;done; cat ./bad_hashes| while read bad; do grep $bad hashes.txt >> ./output_non_reproducible; done;
user@heads-tests-deb12-clean:~/heads$ cat output_non_reproducible 
5899863f847fa601f8edb112ec590f5efa757c8f098283dde1e9aefde8f5270c  /root/heads/build/x86/x230-hotp-maximized/heads-x230-hotp-maximized-v0.2.0-2050-g8208c86-bottom.rom
5899863f847fa601f8edb112ec590f5efa757c8f098283dde1e9aefde8f5270c  /root/heads/build/x86/x230-hotp-maximized/heads-x230-hotp-maximized-v0.2.0-2050-g8208c86-bottom.rom
5899863f847fa601f8edb112ec590f5efa757c8f098283dde1e9aefde8f5270c  /root/heads/build/x86/x230-hotp-maximized/heads-x230-hotp-maximized-v0.2.0-2050-g8208c86-bottom.rom
5899863f847fa601f8edb112ec590f5efa757c8f098283dde1e9aefde8f5270c  /root/heads/build/x86/x230-hotp-maximized/heads-x230-hotp-maximized-v0.2.0-2050-g8208c86-bottom.rom

top roms are the same. full rom is missing from output on both CI and local as #1534 states.
Bottom is different between CI and local for x230-hotp-maximized while everything else is the same.

@tlaurion
Collaborator Author

tlaurion commented Apr 3, 2024

Just realized that coreboot hardcodes CFLAGS_x86_64=-fdebug-prefix-map=/home/user/heads=heads.
Maybe that should be brought up to global Makefile to be passed to all modules so we do not have to care for modules doing the right thing or not?

@tlaurion
Collaborator Author

tlaurion commented Apr 4, 2024

Rebuilding CircleCI roms without cache. clean local build produced same result for librem_15v4, not sure what is happening here.

@tlaurion
Collaborator Author

tlaurion commented Apr 4, 2024

user@heads-tests-deb12-clean:~/heads$ wget -q https://output.circle-artifacts.com/output/job/93e33ab8-7336-4776-bb08-b943ad5b3398/artifacts/0/build/x86/librem_14/hashes.txt -O hashes.txt
user@heads-tests-deb12-clean:~/heads$ rm -f ./bad_hashes ./identical_hashes ./output_non_reproducible && grep / hashes.txt | awk -F " " '{print $1}'| while read hash; do grep -q $hash ~/heads/build/x86/librem_14/hashes.txt; if [ $? == 0 ]; then echo $hash >> ./identical_hashes; else echo $hash >> ./bad_hashes;fi;done; cat ./bad_hashes| while read bad; do grep $bad hashes.txt >> ./output_non_reproducible; done;
user@heads-tests-deb12-clean:~/heads$ cat output_non_reproducible 
e7a241af225d0591eface3c212e12b139bfe8d6de40145f4b5647d93e2c5636e  /root/heads/build/x86/librem_14/heads-librem_14-v0.2.0-2050-g8208c86.rom

@tlaurion
Collaborator Author

tlaurion commented Apr 4, 2024

user@heads-tests-deb12-clean:~/heads$ wget -q https://output.circle-artifacts.com/output/job/b7236410-3202-441e-aa15-fedf09627fb6/artifacts/0/build/x86/librem_15v4/hashes.txt -O hashes.txt
user@heads-tests-deb12-clean:~/heads$ rm -f ./bad_hashes ./identical_hashes ./output_non_reproducible && grep / hashes.txt | awk -F " " '{print $1}'| while read hash; do grep -q $hash ~/heads/build/x86/librem_15v4/hashes.txt; if [ $? == 0 ]; then echo $hash >> ./identical_hashes; else echo $hash >> ./bad_hashes;fi;done; cat ./bad_hashes| while read bad; do grep $bad hashes.txt >> ./output_non_reproducible; done;
user@heads-tests-deb12-clean:~/heads$ cat output_non_reproducible 
77d95bf358a3fede66dded0a77e4279eae9dbb6490133cf761ead12984b2ade3  /root/heads/build/x86/librem_15v4/heads-librem_15v4-v0.2.0-2050-g8208c86.rom

Ok opening another issue on coreboot reproducibility. My insight is that we modify coreboot build options compared to what coreboot tries to do reproducibly, keeping maybe not needed generally applied customizations that should only exist per board configs for old version (coreboot 4.11 artifacts maybe).

@JonathonHall-Purism this PR is ready for review, other traces above not relevant.

@krystian-hebel
Contributor

> This also bumps tpm2-tools to 5.2

Be advised, command arguments between tpm2-tools versions are very unstable. Make sure that all invocations in scripts still work after updates.

@JonathonHall-Purism
Collaborator

@tlaurion The changes here look fine to me (and they do reproduce correctly for me 🥳 ) but of course we need to test it. Thanks for the heads-up @krystian-hebel .

What testing have you done so far?

@tlaurion
Collaborator Author

tlaurion commented Apr 8, 2024

I tested over qemu-tpm2 and saw only warning for tpm about verifying pubkey? Sealing/unsealing ops worked up to DUK sealing/unsealing.

@tlaurion
Collaborator Author

tlaurion commented Apr 9, 2024

tlaurion/heads contained a release 5.0.1 that was aimed to prepare a version somewhere in the past. I deleted that release tag.
Rebuilding clean.

…calls as opposed to patch version specific autotools/configure scripts to force reproducible builds

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion tlaurion force-pushed the reproducible_openssl_libtss2_tpm2 branch from b31f340 to be71430 Compare April 9, 2024 16:39
@tlaurion
Collaborator Author

tlaurion commented Apr 9, 2024

@JonathonHall-Purism : added TODOs in modules/tpm2* so that sed approach can be uniformized for all other modules instead of maintaining patches which are version specific and high maintenance costs to maintain reproducible builds across version bumps.

Ready for review once CircleCI builds SHOULD produce local=CircleCI equivalent builds, hopefully.
You said something about busybox not being reproducible? Deserves another issue with milestone "reproduciblebuilds" in.
Edit: that was #1633 (comment)

@tlaurion
Collaborator Author

tlaurion commented Apr 9, 2024

> @tlaurion The changes here look fine to me (and they do reproduce correctly for me 🥳 ) but of course we need to test it. Thanks for the heads-up @krystian-hebel .
>
> What testing have you done so far?

!!! Hit enter to proceed to recovery shell !!!
[    6.948393] TRACE: /bin/setconsolefont.sh(6): main
[    6.971282] DEBUG: Board does not ship setfont, not checking console font
[    7.135273] TRACE: /bin/gui-init(642): main
[    7.155344] TRACE: /etc/functions(634): detect_boot_device
[    7.198025] TRACE: /etc/functions(601): mount_possible_boot_device
[    7.231277] TRACE: /etc/functions(561): is_gpt_bios_grub
[    7.298998] TRACE: /dev/vda1 is partition 1 of vda
[    7.392673] TRACE: /etc/functions(538): find_lvm_vg_name
[    7.519171] TRACE: Try mounting /dev/vda1 as /boot
[    7.602494] exFAT-fs (vda1): invalid boot record signature
[    7.607563] exFAT-fs (vda1): failed to read boot sector
[    7.610356] exFAT-fs (vda1): failed to recognize exfat type
[    7.621420] exFAT-fs (vda1): invalid boot record signature
[    7.625151] exFAT-fs (vda1): failed to read boot sector
[    7.632786] exFAT-fs (vda1): failed to recognize exfat type
[    7.942197] TRACE: /etc/functions(601): mount_possible_boot_device
[    7.985172] TRACE: /etc/functions(561): is_gpt_bios_grub
[    8.050207] TRACE: /dev/vda2 is partition 2 of vda
[    8.164173] TRACE: /etc/functions(538): find_lvm_vg_name
[    8.327511] TRACE: Try mounting /dev/vda2 as /boot
[    8.433292] TRACE: /etc/functions(601): mount_possible_boot_device
[    8.482983] TRACE: /etc/functions(561): is_gpt_bios_grub
[    8.567719] TRACE: /dev/vda3 is partition 3 of vda
[    8.687169] TRACE: /etc/functions(538): find_lvm_vg_name
[    8.848818] TRACE: Try mounting /dev/vda3 as /boot
[    8.906066] EXT4-fs (vda3): mounted filesystem with ordered data mode. Opts: (null)
[    8.967516] TRACE: /bin/gui-init(316): clean_boot_check
[    9.101670] TRACE: /bin/gui-init(345): check_gpg_key
[    9.208455] TRACE: /bin/gui-init(183): update_totp
[    9.315308] TRACE: /bin/unseal-totp(8): main
[    9.409439] TRACE: /bin/tpmr(32): main
[    9.463608] TRACE: /bin/tpmr(552): tpm2_unseal
[    9.536541] DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
[    9.568373] DEBUG: tpm2_unseal: No primary handle, cannot attempt to unseal
[    9.593911]  *** WARNING: No TPM primary handle. You must reset TPM to seal secret to TPM NVRAM ***
[   10.628519]  !!! ERROR: Unable to unseal TOTP secret !!!
[   13.208812] TRACE: /bin/unseal-totp(8): main
[   13.271670] TRACE: /bin/tpmr(32): main
[   13.312145] TRACE: /bin/tpmr(552): tpm2_unseal
[   13.357454] DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
[   13.378376] DEBUG: tpm2_unseal: No primary handle, cannot attempt to unseal
[   13.396082]  *** WARNING: No TPM primary handle. You must reset TPM to seal secret to TPM NVRAM ***
[   14.448629]  !!! ERROR: Unable to unseal TOTP secret !!!
[   17.074386] TRACE: /bin/unseal-totp(8): main
[   17.158985] TRACE: /bin/tpmr(32): main
[   17.213566] TRACE: /bin/tpmr(552): tpm2_unseal
[   17.282934] DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
[   17.319672] DEBUG: tpm2_unseal: No primary handle, cannot attempt to unseal
[   17.353336]  *** WARNING: No TPM primary handle. You must reset TPM to seal secret to TPM NVRAM ***
[   18.388160]  !!! ERROR: Unable to unseal TOTP secret !!!
[   20.423124] DEBUG: CONFIG_TPM: y
[   20.445488] DEBUG: CONFIG_TPM2_TOOLS: y
[   20.480216] DEBUG: Show PCRs
[   20.594327] DEBUG:   sha256:
[   20.613461] 0 : 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.644351] 1 : 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.662518] 2 : 0xD02F7B2B74B5F96AB14D27CB9B2618823596A1EC3F4E8D83E9ADCC39465B4A63
[   20.683174] 3 : 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.705010] 4 : 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.725342] 5 : 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.746179] 6 : 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.776264] 7 : 0xAB681F0F9FF398B06BCB11379E40067FBE1F4E0ED3DEB64903DF3B42B040EFD9
[   20.792577] 8 : 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.811185] 9 : 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.833258] 10: 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.852561] 11: 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.873596] 12: 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.908297] 13: 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.923209] 14: 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.956764] 15: 0x0000000000000000000000000000000000000000000000000000000000000000
[   20.984803] 16: 0x0000000000000000000000000000000000000000000000000000000000000000
[   21.003654] 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[   21.028079] 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[   21.048995] 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[   21.067424] 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[   21.088336] 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[   21.115099] 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[   21.146982] 23: 0x0000000000000000000000000000000000000000000000000000000000000000
[  218.746766] TRACE: /bin/gui-init(252): update_hotp
[  218.786479] TRACE: /bin/gui-init(676): main
[  218.813521] TRACE: /bin/gui-init(392): show_main_menu
[  222.594980] TRACE: /bin/gui-init(425): show_options_menu
[  225.315712] TRACE: /bin/gui-init(514): show_tpm_totp_hotp_options_menu
[  227.469207] TRACE: /bin/gui-init(558): reset_tpm
[  228.171138] TRACE: /etc/functions(254): prompt_new_owner_password
[  235.482550] DEBUG: Caching TPM Owner Password to /tmp/secret/tpm_owner_password
[  235.551237] TRACE: /bin/tpmr(32): main
[  235.580785] TRACE: /bin/tpmr(632): tpm2_reset
[  235.611272] DEBUG: Caching TPM Owner Password to /tmp/secret/tpm_owner_password
[  236.707720] TRACE: /bin/tpmr(336): tpm2_startsession
[  237.615573] TRACE: /bin/gui-init(21): mount_boot
[  237.660003] EXT4-fs (vda3): re-mounted. Opts: (null)
[  237.677871]  *** WARNING: Removing rollback and primary handle hash under /boot ***
[  238.747511] TRACE: /etc/functions(278): check_tpm_counter
[  238.761307]  *** WARNING: /boot/kexec_rollback.txt does not exist; creating new TPM counter ***
[  239.900108] TRACE: /bin/tpmr(32): main
[  239.953922] TRACE: /bin/tpmr(307): tpm2_counter_create
[  239.982461] TRACE: /etc/functions(232): prompt_tpm_owner_password
[  240.021447] DEBUG: /tmp/secret/tpm_owner_password already cached in file. Reusing
[  240.404334] TRACE: /etc/functions(308): increment_tpm_counter
[  240.509922] TRACE: /bin/tpmr(32): main
[  240.561368] TRACE: /bin/tpmr(273): tpm2_counter_inc
[  241.172815] EXT4-fs (vda3): re-mounted. Opts: (null)
[  241.199976] TRACE: /bin/gui-init(154): generate_totp_hotp
[  241.311744] TRACE: /bin/seal-totp(10): main
[  241.389645] DEBUG: Sealing TOTP with actual state of PCR0-3
[  241.484084] TRACE: /bin/tpmr(32): main
[  241.537023] TRACE: /bin/tpmr(53): tpm2_pcrread
[  241.592295] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:0
[  241.749259] TRACE: /bin/tpmr(32): main
[  241.817252] TRACE: /bin/tpmr(53): tpm2_pcrread
[  241.877698] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:1
[  242.050173] TRACE: /bin/tpmr(32): main
[  242.098535] TRACE: /bin/tpmr(53): tpm2_pcrread
[  242.152829] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:2
[  242.321027] TRACE: /bin/tpmr(32): main
[  242.374629] TRACE: /bin/tpmr(53): tpm2_pcrread
[  242.435563] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:3
[  242.530104] DEBUG: Sealing TOTP with boot state of PCR4 (Going to recovery shell extends PCR4)
[  242.594183] TRACE: /bin/tpmr(32): main
[  242.626624] TRACE: /bin/tpmr(196): replay_pcr
[  242.733994] DEBUG: Replayed cbmem -L clean boot state of PCR=4 ALG=sha256 : 0000000000000000000000000000000000000000000000000000000000000000
[  242.770331] DEBUG: Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)
[  242.800512] DEBUG: Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)
[  242.866352] TRACE: /bin/tpmr(32): main
[  242.898943] TRACE: /bin/tpmr(53): tpm2_pcrread
[  242.941144] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:7
[  243.052457] TRACE: /bin/tpmr(32): main
[  243.093142] TRACE: /bin/tpmr(411): tpm2_seal
[  243.151735] DEBUG: tpm2_seal: file=/tmp/secret/totp.key handle=0x81004d47 pcrl=0,1,2,3,4,7 pcrf=/tmp/secret/pcrf.bin pass=<empty>
[  243.973451] TRACE: /etc/functions(232): prompt_tpm_owner_password
[  244.011124] DEBUG: /tmp/secret/tpm_owner_password already cached in file. Reusing
[  244.299575] DEBUG: tpm2 evictcontrol -Q -C o -P <hidden> -c /tmp/secret/totp.key.seal.ctx 0x81004d47
[  244.605130] DEBUG: Running at_exit handlers
[  244.626862] TRACE: /bin/tpmr(359): cleanup_session
[  244.661825] DEBUG: Clean up session: /tmp/secret/sealfile_trial.session
[  258.299753] TRACE: /etc/functions(106): reseal_tpm_disk_decryption_key
[  258.339617] DEBUG: LUKS TPM Disk Unlock Key is allowed in board configs. Continuing
[  258.380016]  *** WARNING: LUKS TPM sealed Disk Unlock Key secret needs to be resealed alongside TOTP/HOTP secret ***
[  259.456111] TRACE: /bin/kexec-seal-key(17): main
[  259.517872] DEBUG: Devices defined for disk encryption: /dev/vda4
[  259.539769] DEBUG: No LVM volume group defined for activation
[  259.655535] DEBUG:   sha256:
[  259.667199] 0 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.682054] 1 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.694970] 2 : 0xD02F7B2B74B5F96AB14D27CB9B2618823596A1EC3F4E8D83E9ADCC39465B4A63
[  259.711142] 3 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.731127] 4 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.744699] 5 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.758757] 6 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.773472] 7 : 0xAB681F0F9FF398B06BCB11379E40067FBE1F4E0ED3DEB64903DF3B42B040EFD9
[  259.800182] 8 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.824418] 9 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.860202] 10: 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.883315] 11: 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.906842] 12: 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.935576] 13: 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.960519] 14: 0x0000000000000000000000000000000000000000000000000000000000000000
[  259.982104] 15: 0x0000000000000000000000000000000000000000000000000000000000000000
[  260.006867] 16: 0x0000000000000000000000000000000000000000000000000000000000000000
[  260.029967] 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  260.058672] 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  260.081017] 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  260.109740] 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  260.131383] 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  260.154581] 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  260.181766] 23: 0x0000000000000000000000000000000000000000000000000000000000000000
[  272.973851]  !!! ERROR: Key passphrases do not match !!!
[  275.026323]  *** WARNING: Recovery Disk Encryption key passphrase/TPM Owner Password may be invalid. Please try again ***
[  276.158934] TRACE: /bin/kexec-seal-key(17): main
[  276.234661] DEBUG: Devices defined for disk encryption: /dev/vda4
[  276.266701] DEBUG: No LVM volume group defined for activation
[  276.403217] DEBUG:   sha256:
[  276.424527] 0 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.447407] 1 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.468117] 2 : 0xD02F7B2B74B5F96AB14D27CB9B2618823596A1EC3F4E8D83E9ADCC39465B4A63
[  276.490515] 3 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.513955] 4 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.532706] 5 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.554447] 6 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.589358] 7 : 0xAB681F0F9FF398B06BCB11379E40067FBE1F4E0ED3DEB64903DF3B42B040EFD9
[  276.619372] 8 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.649156] 9 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.682901] 10: 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.712234] 11: 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.742865] 12: 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.776785] 13: 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.809445] 14: 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.836717] 15: 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.866729] 16: 0x0000000000000000000000000000000000000000000000000000000000000000
[  276.902161] 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  276.925709] 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  276.953608] 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  276.981191] 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  277.010035] 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  277.038040] 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  277.071744] 23: 0x0000000000000000000000000000000000000000000000000000000000000000
[  291.348164] DEBUG: Checking number of slots used on /dev/vda4 LUKS header
[  291.475821] DEBUG: Number of slots used on /dev/vda4 LUKS header: 2
[  291.514687] DEBUG: Slot 1 is not the only existing slot on /dev/vda4 LUKS header.
[  291.549469] DEBUG: /dev/vda4 LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with LUKS TPM Disk Unlock Key passphrase
[  305.280741] TRACE: /bin/qubes-measure-luks(6): main
[  305.322604] DEBUG: Arguments passed to qubes-measure-luks: /dev/vda4
[  305.401637] DEBUG: Storing LUKS header for /dev/vda4 into /tmp/lukshdr-_dev_vda4
[  305.786262] DEBUG: Hashing LUKS headers into /tmp/luksDump.txt
[  306.286352] DEBUG: Removing /tmp/lukshdr-*
[  306.357207] DEBUG: Extending TPM PCR 6 with hash of LUKS headers from /tmp/luksDump.txt
[  306.450965] TRACE: /bin/tpmr(32): main
[  306.497531] TRACE: /bin/tpmr(232): tpm2_extend
[  306.636696] DEBUG: tpm2 pcrread sha256:6
[  306.820023] TRACE: /bin/tpmr(32): main
[  306.871371] TRACE: /bin/tpmr(53): tpm2_pcrread
[  306.924373] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:0
[  307.077991] TRACE: /bin/tpmr(32): main
[  307.132425] TRACE: /bin/tpmr(53): tpm2_pcrread
[  307.183385] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:1
[  307.321817] TRACE: /bin/tpmr(32): main
[  307.354624] TRACE: /bin/tpmr(53): tpm2_pcrread
[  307.387675] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:2
[  307.501597] TRACE: /bin/tpmr(32): main
[  307.539001] TRACE: /bin/tpmr(53): tpm2_pcrread
[  307.574022] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:3
[  307.680710] TRACE: /bin/tpmr(32): main
[  307.717542] TRACE: /bin/tpmr(196): replay_pcr
[  307.830682] DEBUG: Replayed cbmem -L clean boot state of PCR=4 ALG=sha256 : 0000000000000000000000000000000000000000000000000000000000000000
[  307.867414] DEBUG: Sealing LUKS TPM Disk Unlock Key with PCR5=0 (NO additional kernel modules are loaded per board config)...
[  307.925280] TRACE: /bin/tpmr(32): main
[  307.969474] TRACE: /bin/tpmr(196): replay_pcr
[  308.123736] DEBUG: Replayed cbmem -L clean boot state of PCR=5 ALG=sha256 : 0000000000000000000000000000000000000000000000000000000000000000
[  308.174777] DEBUG: Precomputing TPM future value for PCR6 sealing/unsealing of LUKS TPM Disk Unlock Key...
[  308.272952] TRACE: /bin/tpmr(32): main
[  308.330323] TRACE: /bin/tpmr(196): replay_pcr
[  308.633600] DEBUG: Replayed cbmem -L clean boot state of PCR=6 ALG=sha256 : 3c2148b84651a056f844c2553147139a17c712de7ccae184b11e6643877cad05
[  308.731729] TRACE: /bin/tpmr(32): main
[  308.792450] TRACE: /bin/tpmr(53): tpm2_pcrread
[  308.854667] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:7
[  308.974773] DEBUG: tpmr seal /tmp/secret/secret.key 3 0,1,2,3,4,5,6,7 /tmp/secret/pcrf.bin 312 <hidden>
[  309.061539] TRACE: /bin/tpmr(32): main
[  309.117097] TRACE: /bin/tpmr(411): tpm2_seal
[  309.199520] DEBUG: tpm2_seal: file=/tmp/secret/secret.key handle=0x81000003 pcrl=0,1,2,3,4,5,6,7 pcrf=/tmp/secret/pcrf.bin pass=<hidden>
[  310.228289] TRACE: /etc/functions(232): prompt_tpm_owner_password
[  310.273994] DEBUG: /tmp/secret/tpm_owner_password already cached in file. Reusing
[  310.568986] DEBUG: tpm2 evictcontrol -Q -C o -P <hidden> -c /tmp/secret/secret.key.seal.ctx 0x81000003
[  310.858301] DEBUG: Running at_exit handlers
[  310.881829] TRACE: /bin/tpmr(359): cleanup_session
[  310.909052] DEBUG: Clean up session: /tmp/secret/sealfile_trial.session
[  311.025280] EXT4-fs (vda3): re-mounted. Opts: (null)
[  311.083945] EXT4-fs (vda3): re-mounted. Opts: (null)
[  311.106327]  *** WARNING: LUKS header hash changed under /boot/kexec_luks_hdr_hash.txt ***
[  312.157074] TRACE: /etc/functions(389): update_checksums
[  312.218605] EXT4-fs (vda3): re-mounted. Opts: (null)
[  312.314151] TRACE: /bin/kexec-sign-config(7): main
[  312.349504] TRACE: /etc/functions(487): assert_signable
[  312.492206] TRACE: Under /etc/ash_functions:confirm_gpg_card
[  316.616897] TRACE: Under /etc/ash_functions:enable_usb
[  316.679618] TRACE: /sbin/insmod(9): main
[  316.792247] DEBUG: Extending TPM PCR 5 with /lib/modules/ehci-hcd.ko prior of usage
[  316.893164] TRACE: /bin/tpmr(32): main
[  316.951157] TRACE: /bin/tpmr(232): tpm2_extend
[  317.091443] DEBUG: tpm2 pcrread sha256:5
[  317.217797] DEBUG: Loading /lib/modules/ehci-hcd.ko with busybox insmod
[  317.266477] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[  317.364657] TRACE: /sbin/insmod(9): main
[  317.482568] DEBUG: Extending TPM PCR 5 with /lib/modules/uhci-hcd.ko prior of usage
[  317.549908] TRACE: /bin/tpmr(32): main
[  317.589144] TRACE: /bin/tpmr(232): tpm2_extend
[  317.686148] DEBUG: tpm2 pcrread sha256:5
[  317.777641] DEBUG: Loading /lib/modules/uhci-hcd.ko with busybox insmod
[  317.796937] uhci_hcd: USB Universal Host Controller Interface driver
[  317.867502] TRACE: /sbin/insmod(9): main
[  317.964520] DEBUG: Extending TPM PCR 5 with /lib/modules/ohci-hcd.ko prior of usage
[  318.023357] TRACE: /bin/tpmr(32): main
[  318.057527] TRACE: /bin/tpmr(232): tpm2_extend
[  318.140802] DEBUG: tpm2 pcrread sha256:5
[  318.232875] DEBUG: Loading /lib/modules/ohci-hcd.ko with busybox insmod
[  318.258630] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[  318.354225] TRACE: /sbin/insmod(9): main
[  318.508988] DEBUG: Extending TPM PCR 5 with /lib/modules/ohci-pci.ko prior of usage
[  318.598750] TRACE: /bin/tpmr(32): main
[  318.650201] TRACE: /bin/tpmr(232): tpm2_extend
[  318.777738] DEBUG: tpm2 pcrread sha256:5
[  318.910280] DEBUG: Loading /lib/modules/ohci-pci.ko with busybox insmod
[  318.929554] ohci-pci: OHCI PCI platform driver
[  321.057162] TRACE: /sbin/insmod(9): main
[  321.204035] DEBUG: Extending TPM PCR 5 with /lib/modules/ehci-pci.ko prior of usage
[  321.296366] TRACE: /bin/tpmr(32): main
[  321.356313] TRACE: /bin/tpmr(232): tpm2_extend
[  321.488263] DEBUG: tpm2 pcrread sha256:5
[  321.590259] DEBUG: Loading /lib/modules/ehci-pci.ko with busybox insmod
[  321.607477] ehci-pci: EHCI PCI platform driver
[  321.666684] TRACE: /sbin/insmod(9): main
[  321.766805] DEBUG: Extending TPM PCR 5 with /lib/modules/xhci-hcd.ko prior of usage
[  321.830288] TRACE: /bin/tpmr(32): main
[  321.872585] TRACE: /bin/tpmr(232): tpm2_extend
[  321.967501] DEBUG: tpm2 pcrread sha256:5
[  322.049777] DEBUG: Loading /lib/modules/xhci-hcd.ko with busybox insmod
[  322.121899] TRACE: /sbin/insmod(9): main
[  322.220834] DEBUG: Extending TPM PCR 5 with /lib/modules/xhci-pci.ko prior of usage
[  322.286571] TRACE: /bin/tpmr(32): main
[  322.322104] TRACE: /bin/tpmr(232): tpm2_extend
[  322.409002] DEBUG: tpm2 pcrread sha256:5
[  322.515268] DEBUG: Loading /lib/modules/xhci-pci.ko with busybox insmod
[  322.546290] xhci_hcd 0000:00:04.0: xHCI Host Controller
[  322.558264] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 1
[  322.564560] xhci_hcd 0000:00:04.0: hcc params 0x00087001 hci version 0x100 quirks 0x0000000000000010
[  322.576207] hub 1-0:1.0: USB hub found
[  322.579736] hub 1-0:1.0: 4 ports detected
[  322.585701] xhci_hcd 0000:00:04.0: xHCI Host Controller
[  322.589087] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 2
[  322.592632] xhci_hcd 0000:00:04.0: Host supports USB 3.0 SuperSpeed
[  322.596514] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[  322.600772] hub 2-0:1.0: USB hub found
[  322.604857] hub 2-0:1.0: 4 ports detected
[  322.925446] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  323.229683] usb 2-2: new SuperSpeed Gen 1 USB device number 2 using xhci_hcd
[  323.389151] usb 1-3: new full-speed USB device number 3 using xhci_hcd
[  323.592354] usb 1-3: can't set config #1490 
[  323.592354] usb 1-3: can't set config #1, error -32

Where error -32 is linked with qubesos->qubes-usb-proxy->qemu which is unrelated to this PR/issue (requires shutdown of sys-usb qube + testing qube, passing usb Security dongle all over again and it normally succeeds).

It also seems that NK3 devices are more picky about timing: some users reported the dongle not being discovered in time in OEM factory reset, sometimes resulting in the device not being recognised properly, which results in OEM factory-reset/Re-Ownership failing.... EDIT: opened Nitrokey#48 (comment)

Testing on real hardware needed.

@JonathonHall-Purism
Collaborator

I'll test it on L1UM v2 (TPM2) but it'll probably be late next week (rest of today/tomorrow is pretty booked and I am away Monday-Tuesday next week)

@tlaurion tlaurion changed the title WiP: make openssl libtss2 tpm2 reproducible make openssl libtss2 tpm2 reproducible Apr 11, 2024
@tlaurion
Collaborator Author

tlaurion commented Apr 11, 2024

TPM reset trace on qemu-whiptail-tpm2 (with debug traces), resealing TPM DUK since previously setup:

[   80.338296] TRACE: /bin/gui-init(425): show_options_menu
[   82.281240] TRACE: /bin/gui-init(514): show_tpm_totp_hotp_options_menu
[   84.502531] TRACE: /bin/gui-init(558): reset_tpm
[   85.052592] TRACE: /etc/functions(254): prompt_new_owner_password
[   92.758829] DEBUG: Caching TPM Owner Password to /tmp/secret/tpm_owner_password
[   92.828793] TRACE: /bin/tpmr(32): main
[   92.853298] TRACE: /bin/tpmr(632): tpm2_reset
[   92.881281] DEBUG: Caching TPM Owner Password to /tmp/secret/tpm_owner_password
[   94.032138] TRACE: /bin/tpmr(336): tpm2_startsession
[   94.933489] TRACE: /bin/gui-init(21): mount_boot
[   94.969279] EXT4-fs (vda3): re-mounted. Opts: (null)
[   94.989944]  *** WARNING: Removing rollback and primary handle hash under /boot ***
[   96.060603] TRACE: /etc/functions(278): check_tpm_counter
[   96.080751]  *** WARNING: /boot/kexec_rollback.txt does not exist; creating new TPM counter ***
[   97.153800] TRACE: /bin/tpmr(32): main
[   97.179680] TRACE: /bin/tpmr(307): tpm2_counter_create
[   97.200681] TRACE: /etc/functions(232): prompt_tpm_owner_password
[   97.219651] DEBUG: /tmp/secret/tpm_owner_password already cached in file. Reusing
[   97.454518] TRACE: /etc/functions(308): increment_tpm_counter
[   97.513642] TRACE: /bin/tpmr(32): main
[   97.557799] TRACE: /bin/tpmr(273): tpm2_counter_inc
[   97.999871] EXT4-fs (vda3): re-mounted. Opts: (null)
[   98.022506] TRACE: /bin/gui-init(154): generate_totp_hotp
[   98.104450] TRACE: /bin/seal-totp(10): main
[   98.154919] DEBUG: Sealing TOTP with actual state of PCR0-3
[   98.204602] TRACE: /bin/tpmr(32): main
[   98.230705] TRACE: /bin/tpmr(53): tpm2_pcrread
[   98.263620] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:0
[   98.363595] TRACE: /bin/tpmr(32): main
[   98.391412] TRACE: /bin/tpmr(53): tpm2_pcrread
[   98.421761] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:1
[   98.539072] TRACE: /bin/tpmr(32): main
[   98.569862] TRACE: /bin/tpmr(53): tpm2_pcrread
[   98.599756] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:2
[   98.706500] TRACE: /bin/tpmr(32): main
[   98.737523] TRACE: /bin/tpmr(53): tpm2_pcrread
[   98.768482] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:3
[   98.853387] DEBUG: Sealing TOTP with boot state of PCR4 (Going to recovery shell extends PCR4)
[   98.928474] TRACE: /bin/tpmr(32): main
[   98.968870] TRACE: /bin/tpmr(196): replay_pcr
[   99.094261] DEBUG: Replayed cbmem -L clean boot state of PCR=4 ALG=sha256 : 0000000000000000000000000000000000000000000000000000000000000000
[   99.129561] DEBUG: Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)
[   99.169294] DEBUG: Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)
[   99.249301] TRACE: /bin/tpmr(32): main
[   99.289703] TRACE: /bin/tpmr(53): tpm2_pcrread
[   99.331234] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:7
[   99.460592] TRACE: /bin/tpmr(32): main
[   99.504594] TRACE: /bin/tpmr(411): tpm2_seal
[   99.576699] DEBUG: tpm2_seal: file=/tmp/secret/totp.key handle=0x81004d47 pcrl=0,1,2,3,4,7 pcrf=/tmp/secret/pcrf.bin pass=<empty>
[  100.299516] TRACE: /etc/functions(232): prompt_tpm_owner_password
[  100.326343] DEBUG: /tmp/secret/tpm_owner_password already cached in file. Reusing
[  100.559223] DEBUG: tpm2 evictcontrol -Q -C o -P <hidden> -c /tmp/secret/totp.key.seal.ctx 0x81004d47
[  100.806161] DEBUG: Running at_exit handlers
[  100.832633] TRACE: /bin/tpmr(359): cleanup_session
[  100.869342] DEBUG: Clean up session: /tmp/secret/sealfile_trial.session
[  120.949453] TRACE: /etc/functions(106): reseal_tpm_disk_decryption_key
[  120.974785] DEBUG: LUKS TPM Disk Unlock Key is allowed in board configs. Continuing
[  121.013874]  *** WARNING: LUKS TPM sealed Disk Unlock Key secret needs to be resealed alongside TOTP/HOTP secret ***
[  122.129319] TRACE: /bin/kexec-seal-key(17): main
[  122.195611] DEBUG: Devices defined for disk encryption: /dev/vda4
[  122.220139] DEBUG: No LVM volume group defined for activation
[  122.354295] DEBUG:   sha256:
[  122.371027] 0 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.390518] 1 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.409163] 2 : 0x727D12B94E63821B1FEFE29C0A4987B9465C6E4E40477ECD6B4D9C5469E95EDA
[  122.428728] 3 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.446031] 4 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.468954] 5 : 0xD76470232B7C3FD7D18D4DF3B77DACAFFDB876DBF3E84C996D74F7ECFA0FF60F
[  122.492958] 6 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.510726] 7 : 0x739ABECEA429B713189E5F55F120413B684CA232861545961CBD4BD7E4B05731
[  122.529039] 8 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.553379] 9 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.571348] 10: 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.592984] 11: 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.611471] 12: 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.623793] 13: 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.634686] 14: 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.649014] 15: 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.659421] 16: 0x0000000000000000000000000000000000000000000000000000000000000000
[  122.674954] 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  122.686598] 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  122.705813] 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  122.718553] 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  122.738047] 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  122.750938] 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  122.763262] 23: 0x0000000000000000000000000000000000000000000000000000000000000000
[  132.128727] DEBUG: Checking number of slots used on /dev/vda4 LUKS header
[  132.216335] DEBUG: Number of slots used on /dev/vda4 LUKS header: 2
[  132.232429] DEBUG: Slot 1 is not the only existing slot on /dev/vda4 LUKS header.
[  132.248379] DEBUG: /dev/vda4 LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with LUKS TPM Disk Unlock Key passphrase
[  154.055292] TRACE: /bin/qubes-measure-luks(6): main
[  154.078632] DEBUG: Arguments passed to qubes-measure-luks: /dev/vda4
[  154.127551] DEBUG: Storing LUKS header for /dev/vda4 into /tmp/lukshdr-_dev_vda4
[  154.471795] DEBUG: Hashing LUKS headers into /tmp/luksDump.txt
[  154.921392] DEBUG: Removing /tmp/lukshdr-*
[  154.979579] DEBUG: Extending TPM PCR 6 with hash of LUKS headers from /tmp/luksDump.txt
[  155.059827] TRACE: /bin/tpmr(32): main
[  155.101540] TRACE: /bin/tpmr(232): tpm2_extend
[  155.202400] DEBUG: tpm2 pcrread sha256:6
[  155.347764] TRACE: /bin/tpmr(32): main
[  155.393821] TRACE: /bin/tpmr(53): tpm2_pcrread
[  155.436666] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:0
[  155.566103] TRACE: /bin/tpmr(32): main
[  155.608833] TRACE: /bin/tpmr(53): tpm2_pcrread
[  155.651949] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:1
[  155.787090] TRACE: /bin/tpmr(32): main
[  155.827862] TRACE: /bin/tpmr(53): tpm2_pcrread
[  155.875352] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:2
[  156.007598] TRACE: /bin/tpmr(32): main
[  156.051336] TRACE: /bin/tpmr(53): tpm2_pcrread
[  156.098420] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:3
[  156.232893] TRACE: /bin/tpmr(32): main
[  156.275936] TRACE: /bin/tpmr(196): replay_pcr
[  156.403645] DEBUG: Replayed cbmem -L clean boot state of PCR=4 ALG=sha256 : 0000000000000000000000000000000000000000000000000000000000000000
[  156.440651] DEBUG: Sealing LUKS TPM Disk Unlock Key with PCR5=0 (NO additional kernel modules are loaded per board config)...
[  156.530998] TRACE: /bin/tpmr(32): main
[  156.580561] TRACE: /bin/tpmr(196): replay_pcr
[  156.729172] DEBUG: Replayed cbmem -L clean boot state of PCR=5 ALG=sha256 : 0000000000000000000000000000000000000000000000000000000000000000
[  156.776715] DEBUG: Precomputing TPM future value for PCR6 sealing/unsealing of LUKS TPM Disk Unlock Key...
[  156.866316] TRACE: /bin/tpmr(32): main
[  156.915234] TRACE: /bin/tpmr(196): replay_pcr
[  157.177863] DEBUG: Replayed cbmem -L clean boot state of PCR=6 ALG=sha256 : a1f029595d584b3261b497f13a5d875a342dd5cc93fa8d49782650dcc651470c
[  157.281602] TRACE: /bin/tpmr(32): main
[  157.331419] TRACE: /bin/tpmr(53): tpm2_pcrread
[  157.383600] DEBUG: tpm2 pcrread -Q -o /dev/fd/63 sha256:7
[  157.491851] DEBUG: tpmr seal /tmp/secret/secret.key 3 0,1,2,3,4,5,6,7 /tmp/secret/pcrf.bin 312 <hidden>
[  157.566803] TRACE: /bin/tpmr(32): main
[  157.611050] TRACE: /bin/tpmr(411): tpm2_seal
[  157.689262] DEBUG: tpm2_seal: file=/tmp/secret/secret.key handle=0x81000003 pcrl=0,1,2,3,4,5,6,7 pcrf=/tmp/secret/pcrf.bin pass=<hidden>
[  158.571158] TRACE: /etc/functions(232): prompt_tpm_owner_password
[  158.598954] DEBUG: /tmp/secret/tpm_owner_password already cached in file. Reusing
[  158.837474] DEBUG: tpm2 evictcontrol -Q -C o -P <hidden> -c /tmp/secret/secret.key.seal.ctx 0x81000003
[  159.091925] DEBUG: Running at_exit handlers
[  159.120373] TRACE: /bin/tpmr(359): cleanup_session
[  159.154397] DEBUG: Clean up session: /tmp/secret/sealfile_trial.session
[  159.285836] EXT4-fs (vda3): re-mounted. Opts: (null)
[  159.349740] EXT4-fs (vda3): re-mounted. Opts: (null)
[  159.377952]  *** WARNING: LUKS header hash changed under /boot/kexec_luks_hdr_hash.txt ***
[  160.431399] TRACE: /etc/functions(389): update_checksums
[  160.482911] EXT4-fs (vda3): re-mounted. Opts: (null)
[  160.559405] TRACE: /bin/kexec-sign-config(7): main
[  160.585587] TRACE: /etc/functions(487): assert_signable
[  160.715659] TRACE: Under /etc/ash_functions:confirm_gpg_card
[  167.439819] TRACE: Under /etc/ash_functions:enable_usb
[  167.517677] TRACE: /sbin/insmod(9): main
[  167.639328] DEBUG: /lib/modules/ehci-hcd.ko: already loaded
[  167.716127] TRACE: /sbin/insmod(9): main
[  167.834415] DEBUG: /lib/modules/uhci-hcd.ko: already loaded
[  167.911707] TRACE: /sbin/insmod(9): main
[  168.027443] DEBUG: /lib/modules/ohci-hcd.ko: already loaded
[  168.105558] TRACE: /sbin/insmod(9): main
[  168.229410] DEBUG: /lib/modules/ohci-pci.ko: already loaded
[  170.316536] TRACE: /sbin/insmod(9): main
[  170.437576] DEBUG: /lib/modules/ehci-pci.ko: already loaded
[  170.515850] TRACE: /sbin/insmod(9): main
[  170.637273] DEBUG: /lib/modules/xhci-hcd.ko: already loaded
[  170.718744] TRACE: /sbin/insmod(9): main
[  170.843794] DEBUG: /lib/modules/xhci-pci.ko: already loaded
[  181.535062] TRACE: /etc/functions(419): print_tree
[  181.630878] TRACE: /etc/functions(278): check_tpm_counter
[  181.691309] TRACE: /etc/functions(308): increment_tpm_counter
[  181.776604] TRACE: /bin/tpmr(32): main
[  181.817293] TRACE: /bin/tpmr(273): tpm2_counter_inc
[  187.855609] TRACE: /etc/functions(315): check_config
[  187.992170] TRACE: /bin/gpgv(5): main
[  188.174431] EXT4-fs (vda3): re-mounted. Opts: (null)
[  188.203733]  *** WARNING: Rebooting in 3 seconds to enable booting default boot option ***
[  192.283862] TRACE: Under /bin/reboot

This debug trace hides the warning I talked about previously (only regression noted by upgrading toolstack):
2024-04-11-160511
Which happens at each tpm2_start_session start.

@tlaurion
Collaborator Author

@JonathonHall-Purism

diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index 630454e1785..930413a50cf 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@@ -346,10 +346,10 @@ tpm2_startsession() {
        tpm2 flushcontext -Q \
                --saved-session ||
                die "tpm2_flushcontext: unable to flush saved session"
-       tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE"
-       tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE"
-       tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE"
-       tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE"
+       DO_WITH_DEBUG tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE"
+       DO_WITH_DEBUG tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE"
+       DO_WITH_DEBUG tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE"
+       DO_WITH_DEBUG tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE"
 }
 
 # Use cleanup_session() with at_exit to release a TPM2 session and delete the
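Review bot: the four commands now wrapped in DO_WITH_DEBUG (readpublic, both startauthsession calls and sessionconfig) still have no failure handling, unlike the `tpm2 flushcontext` call just above them, which ends in `|| die`. Unless the script runs under `set -e`, a failed readpublic or startauthsession is not caught here and tpm2_startsession returns only the status of the final sessionconfig, so callers can continue with a missing or stale session file. Consider adding `|| die "..."` to each line, after confirming that DO_WITH_DEBUG returns the wrapped command's exit status (its definition is not part of this hunk). The arguments being logged are a handle and file paths, so no secret reaches the debug log from these four lines.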

2024-04-11-161828

@tlaurion
Collaborator Author

Rebasing on master...

@tlaurion
Collaborator Author

@JonathonHall-Purism #1630 (comment)

So you want me to silence that warning before merging or you are ok doing that in another separate issue?

@JonathonHall-Purism
Collaborator

@JonathonHall-Purism #1630 (comment)

So you want me to silence that warning before merging or you are ok doing that in another separate issue?

Do you have any idea what the warning means? It seems like we should not just ignore it, but maybe we are doing what it's warning us about

@tlaurion
Collaborator Author

tlaurion commented Apr 24, 2024

@JonathonHall-Purism #1630 (comment)

So you want me to silence that warning before merging or you are ok doing that in another separate issue?

Do you have any idea what the warning means? It seems like we should not just ignore it, but maybe we are doing what it's warning us about

@JonathonHall-Purism my basic interpretation was that to use the public key side we would need to do other things, but we don't need it since we only seal?

@JonathonHall-Purism
Collaborator

@tlaurion I think you can silence the warning.

TL;DR: I'm not sure why the warning only occurs now, it seems like it should have occurred before as well (but it didn't, confirmed on L1UM v2). However, the warning is intended to indicate that tpm2-tools can't prevent an MITM on the TPM with the information given, which is unchanged in this PR. We have some logic relating to this, which is also unchanged.

Maybe this new functionality could improve our MITM protection, but it's not trivial to fit into Heads IMO, I'll open a discussion. Again, it's unchanged in this PR other than the addition of the warning, as far as I can tell.


From the updated tpm2-startauthsession man page:

  * **-n**, **\--name**=_FILE_

    A name file as output from a tool like tpm2\_readpublic(1) `-n` option.
    The name file can be used to **verify** a persistent handle input for
    the `--tpmkey-context`, `-c`, and `--key-context` options. Verification
    that the object referenced by a peristent handle, e.g 0x81000000, is
    the key expected prevents attackers from performing a man-in-the-middle
    attack on session traffic.

There's a bit more context in the commit adding it: tpm2-software/tpm2-tools@1719eaf

Providing the name would prevent the warning, since tpm2-tools can be sure an MITM is not occurring.

(I also compared the rest of the man pages from 5.2 to 5.6, I don't see anything that would have changed meaning, since that was a concern raised.)

I don't see why we did not get this warning before (and we didn't, I just checked on L1UM v2). The warning was there, and the new logic doesn't cause it to appear when it wouldn't have before.

We do have some logic that is intended to identify a MITM on the TPM - kexec-save-default signs a digest of the primary handle, and kexec-select-boot checks it. This logic may be limited, but with the purpose being to avoid sending secret information to a TPM that may be MITM'd, I think it is fulfilling that. I'll open a discussion with more thoughts.
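
The `--name` check from the man page excerpt in the comment above, as an added example that is not part of the original thread and is not Heads code: the name file only helps if it is compared against a value pinned earlier, so the sketch checks it before passing it to `tpm2 startauthsession -n`. The function names and the pinned-digest argument are hypothetical; a SHA-256 primary key is assumed, and the `tpm2` flags used are `readpublic -n` plus the `-n` option quoted above.

```bash
#!/bin/bash
# Added example, not Heads code. The pinned digest is assumed to be recorded
# when the primary key is created and kept under a signature; it must not be
# read back from the TPM at the moment the session is opened.

# name_is_pinned NAME_FILE PINNED_SHA256_HEX
# Succeeds only if NAME_FILE is a SHA-256 TPM2 name (2-byte nameAlg 0x000b
# followed by a 32-byte digest) and its sha256sum equals the pinned value.
name_is_pinned() {
    local name_file="$1" pinned="$2" alg actual
    [ -f "$name_file" ] || return 1
    [ "$(wc -c <"$name_file")" -eq 34 ] || return 1
    alg="$(od -An -tx1 -N2 "$name_file" | tr -d ' \n')"
    [ "$alg" = "000b" ] || return 1
    actual="$(sha256sum "$name_file" | cut -d' ' -f1)"
    [ "$actual" = "$pinned" ]
}

# start_pinned_session HANDLE PINNED_SHA256_HEX SESSION_FILE
# Reads the name of the persistent handle, refuses to continue if it is not
# the pinned key, then lets tpm2-tools bind the session to that name.
start_pinned_session() {
    local handle="$1" pinned="$2" session_file="$3" name_file rc
    name_file="$(mktemp)" || return 1
    if ! tpm2 readpublic -Q -c "$handle" -n "$name_file"; then
        rm -f "$name_file"
        return 1
    fi
    if ! name_is_pinned "$name_file" "$pinned"; then
        echo "name of $handle does not match the pinned primary key" >&2
        rm -f "$name_file"
        return 1
    fi
    tpm2 startauthsession -Q -c "$handle" -n "$name_file" \
        --hmac-session -S "$session_file"
    rc=$?
    rm -f "$name_file"
    return "$rc"
}
```
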

tlaurion added a commit to tlaurion/heads that referenced this pull request Apr 26, 2024
@tlaurion tlaurion removed the request for review from JonathonHall-Purism April 26, 2024 06:37
@tlaurion
Collaborator Author

@JonathonHall-Purism should do it

@JonathonHall-Purism JonathonHall-Purism merged commit 165f90a into linuxboot:master Apr 26, 2024
35 of 36 checks passed
tlaurion added a commit to tlaurion/heads that referenced this pull request Apr 26, 2024
tlaurion added a commit to tlaurion/heads that referenced this pull request May 2, 2024