Bug 1877470 - Partitions encrypted in Kickstart fails to be unlocked by Clevis on boot
Summary: Partitions encrypted in Kickstart fails to be unlocked by Clevis on boot
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: clevis
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Sergio Correia
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-09-09 17:21 UTC by nicolasoliver03
Modified: 2020-09-15 12:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-10 11:24:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description nicolasoliver03 2020-09-09 17:21:05 UTC
Description of problem:

Automatic unlock of partitions using clevis tpm pin does not work on RHEL Edge 8.3

The following kickstart configuration sets up and encrypts the partitions:

# Disk Setup
zerombr
ignoredisk --only-use=sda
clearpart --drives=sda --all --initlabel

part /boot/efi --fstype=efi --grow --maxsize=200 --size=20
part /boot --fstype=ext4 --size=512
part pv.1 --size 1 --grow --fstype=ext4 --ondrive=sda

volgroup system pv.1
logvol / --fstype ext4 --vgname system --percent=20 --name=root
logvol swap --vgname system --percent=5 --name=swap
logvol /var/home --fstype ext4 --vgname system --percent=5 --name=home

%post --erroronfail --log=/root/disk-encryption-configuration.log
set -euxo pipefail
echo "system-swap /dev/system/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256" >> /etc/crypttab

lvcreate -y -l 20%VG -n opt system
printf "password" | cryptsetup -q luksFormat /dev/system/opt -d -
printf "password" | clevis luks bind -f -k- -d /dev/system/opt tpm2 '{}'
printf "password" | cryptsetup luksOpen /dev/system/opt c1 -d -
mkfs.ext4 /dev/mapper/c1
sleep 1
cryptsetup luksClose c1
echo "luks-system-opt /dev/system/opt none _netdev" >> /etc/crypttab
echo "/dev/mapper/luks-system-opt /var/opt ext4 defaults,_netdev  0 2" >> /etc/fstab
%end

The opt partition is encrypted using cryptsetup and clevis tpm pin.
On boot after installation, the password prompt appears as expected. Partitions are correctly unlocked and mounted after the password is provided.

To enable the auto unlocking functionality, do:

sudo systemctl enable clevis-luks-askpass@.path

And then reboot. The partition is not automatically unlocked, and you still need to type the password.
The service seems to not be running.
After applying the fix proposed in bug 1784084:

cat > /etc/systemd/system/clevis-luks-askpass@.path << EOF
[Unit]
Description=Clevis systemd-ask-password Watcher for %i
DefaultDependencies=no
Conflicts=shutdown.target
Before=cryptsetup.target

[Path]
DirectoryNotEmpty=/run/systemd/ask-password
MakeDirectory=yes

[Install]
WantedBy=cryptsetup.target
EOF

cat > /etc/systemd/system/clevis-luks-askpass@.service << EOF
[Unit]
Description=Clevis LUKS systemd-ask-password Responder for luks-%i
DefaultDependencies=no
Conflicts=shutdown.target
Before=shutdown.target

[Service]
ExecStart=/usr/libexec/clevis-luks-askpass -l
EOF

systemctl enable clevis-luks-askpass@.path

And then, reboot.
The password prompt is still there, but now I have 2 failed services:

bash-4.4# systemctl list-units --state=failed
  UNIT                                   LOAD   ACTIVE SUB    DESCRIPTION                                                   
● clevis-luks-askpass      loaded failed failed Clevis LUKS systemd-ask-password Responder for luks-basic     
● clevis-luks-askpass loaded failed failed Clevis LUKS systemd-ask-password Responder for luks-cryptsetup

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

2 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

bash-4.4# journalctl -u clevis-luks-askpass
-- Logs begin at Wed 2020-09-09 09:49:13 PDT, end at Wed 2020-09-09 09:50:11 PDT. --
Sep 09 09:49:21 rhel-edge-1.mshome.net systemd[1]: Started Clevis LUKS systemd-ask-password Responder for luks-cryptsetup.
Sep 09 09:49:23 rhel-edge-1.mshome.net systemd[1]: clevis-luks-askpass: Main process exited, code=exited, status=1/FAILURE
Sep 09 09:49:23 rhel-edge-1.mshome.net systemd[1]: clevis-luks-askpass: Failed with result 'exit-code'.

bash-4.4# journalctl -u clevis-luks-askpass     
-- Logs begin at Wed 2020-09-09 09:49:13 PDT, end at Wed 2020-09-09 09:50:11 PDT. --
Sep 09 09:49:21 rhel-edge-1.mshome.net systemd[1]: Started Clevis LUKS systemd-ask-password Responder for luks-basic.
Sep 09 09:49:23 rhel-edge-1.mshome.net systemd[1]: clevis-luks-askpass: Main process exited, code=exited, status=1/FAILURE
Sep 09 09:49:23 rhel-edge-1.mshome.net systemd[1]: clevis-luks-askpass: Failed with result 'exit-code'

There is not much information available on the failure.

Trying to manually unlock the partition also fails:

bash-4.4# umount /opt/
bash-4.4# cryptsetup luksClose /dev/mapper/luks-system-opt
bash-4.4# clevis luks unlock -d /dev/system/opt
/dev/system/opt could not be opened.

After adding some debugging statements in the clevis scripts

bash-4.4# rpm-ostree usroverlay

bash-4.4# diff /bin/clevis-luks-common-functions /bin/clevis-luks-common-functions.bak 
21,22d20
< set -x
< 
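Review bot: `set -x` at the top of clevis-luks-common-functions traces every clevis-luks-* command that sources the library, and the trace further down prints the recovered LUKS passphrase in clear (`KEY=...`, `echo -n '...'`); keep this only in a transient `rpm-ostree usroverlay` and do not persist it or paste the trace into a ticket without redacting the passphrase.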
320,321c318
<     #if ! passphrase="$(clevis decrypt < <(echo -n "${jwe}") 2>/dev/null)" \
<     if ! passphrase="$(clevis decrypt < <(echo -n "${jwe}"))" \
---
>     if ! passphrase="$(clevis decrypt < <(echo -n "${jwe}") 2>/dev/null)" \
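Review bot: the operand order is modified-file first, so the `<` lines are the debugging edits and the `>` line is the original; the `2>/dev/null` on `clevis decrypt` in clevis_luks_unlock_device_by_slot is what swallows the tpm2 `integrity check failed` error, which is why the askpass unit only reports `status=1/FAILURE` with nothing in the journal.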

bash-4.4# clevis luks unlock -d /dev/system/opt
+ SUMMARY='Unlocks a LUKS volume'
+ '[' 2 -eq 1 ']'
+ getopts :d:n: o
+ case "$o" in
+ DEV=/dev/system/opt
+ getopts :d:n: o
+ '[' -z /dev/system/opt ']'
+ cryptsetup isLuks /dev/system/opt
++ cryptsetup luksUUID /dev/system/opt
+ NAME=luks-83544c87-e721-465d-bdef-e6a4ad7dccc8
++ clevis_luks_unlock_device /dev/system/opt
++ local DEV=/dev/system/opt
++ '[' -z /dev/system/opt ']'
++ local used_slots
+++ clevis_luks_used_slots /dev/system/opt
+++ local DEV=/dev/system/opt
+++ local slots
+++ cryptsetup isLuks --type luks1 /dev/system/opt
+++ cryptsetup isLuks --type luks2 /dev/system/opt
+++ readarray -t slots
++++ cryptsetup luksDump /dev/system/opt
++++ sed -rn 's|^\s+([0-9]+): luks2$|\1|p'
+++ echo 0 1
++ used_slots='0 1'
++ '[' -z '0 1' ']'
++ local slt pt
++ for slt in ${used_slots}
+++ clevis_luks_unlock_device_by_slot /dev/system/opt 0
+++ local DEV=/dev/system/opt
+++ local SLT=0
+++ '[' -z /dev/system/opt ']'
+++ '[' -z 0 ']'
+++ local jwe passphrase
++++ clevis_luks_read_slot /dev/system/opt 0
+++ jwe=
+++ return 1
++ pt=
++ continue
++ for slt in ${used_slots}
+++ clevis_luks_unlock_device_by_slot /dev/system/opt 1
+++ local DEV=/dev/system/opt
+++ local SLT=1
+++ '[' -z /dev/system/opt ']'
+++ '[' -z 1 ']'
+++ local jwe passphrase
++++ clevis_luks_read_slot /dev/system/opt 1
+++ jwe=[...]..iVY4_gtDgBonBYTC.EHrFkIu_AGsHw-Mf2AGGK2LUYysNw55WGkQwhEK00U7YpB4sC9eCy0Mmqiuffu5yQ2FcHFmgJw.PJITw2D_qjEH8Hh70NYsDQ
+++ '[' -z [...]..iVY4_gtDgBonBYTC.EHrFkIu_AGsHw-Mf2AGGK2LUYysNw55WGkQwhEK00U7YpB4sC9eCy0Mmqiuffu5yQ2FcHFmgJw.PJITw2D_qjEH8Hh70NYsDQ ']'
++++ clevis decrypt
+++++ echo -n [...]..iVY4_gtDgBonBYTC.EHrFkIu_AGsHw-Mf2AGGK2LUYysNw55WGkQwhEK00U7YpB4sC9eCy0Mmqiuffu5yQ2FcHFmgJw.PJITw2D_qjEH8Hh70NYsDQ
WARNING:esys:src/tss2-esys/api/Esys_Load.c:320:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001df) 
ERROR: Eys_Load(0x1DF) - tpm:parameter(1):integrity check failed
ERROR: Unable to run tpm2_load
Loading jwk to TPM2 failed!
+++ passphrase=
+++ return 1
++ pt=
++ continue
++ return 1
+ pt=
+ echo '/dev/system/opt could not be opened.'
/dev/system/opt could not be opened.
+ exit 1

The TPM error is now visible.

The workaround is to execute the unsealing outside of kickstart. 

printf "IntelDemo123!" | clevis luks bind -f -k- -d /dev/system/opt tpm2 '{}'

Now the /opt partition has 3 slots, slot 0 for passphrase, slot 1 for clevis in kickstart, slot 2 for clevis in userspace:

bash-4.4# cryptsetup luksDump /dev/system/opt
LUKS header information
Version:        2
Epoch:          7
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           ccb4212b-3231-4468-a3e6-8e8ea77cb25e
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  4
        Memory:     1048576
        Threads:    2
        Salt:       bd fa ff b8 5c 52 04 96 f4 0e 0c b3 c2 f2 74 f6 
                    cd 17 75 6d 6d d4 d3 c0 13 cb 9c 27 ff 6e 2d 13 
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  4
        Memory:     1048576
        Threads:    2
        Salt:       f4 2e 26 af 59 32 fd 1a 91 35 85 0a 7c 49 83 b2 
                    7d 17 e8 bc c8 67 fa 0f b4 5d 84 ae 75 d9 90 b9 
        AF stripes: 4000
        AF hash:    sha256
        Area offset:290816 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
  2: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  5
        Memory:     1048576
        Threads:    2
        Salt:       85 50 c2 d5 a6 4e 99 f3 f1 ad 23 3a bc 9b b5 4c 
                    b9 48 e4 93 25 a7 94 2b b1 95 26 47 10 ea 82 33 
        AF stripes: 4000
        AF hash:    sha256
        Area offset:548864 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
  0: clevis
        Keyslot:  1
  1: clevis
        Keyslot:  2
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 130549
        Salt:       fa de f5 1a 37 17 4c 95 78 08 2c f9 b6 ac c9 a1 
                    37 02 23 31 9e 87 0b e6 23 8b 36 5b 28 a0 51 ae 
        Digest:     69 cc db 00 10 c0 ff 9b c6 9a c8 dc 6f 0a 24 3d 
                    90 a3 6a b4 f8 16 4e 14 22 a3 d1 2b cf fe 66 3a


After reboot, the /opt partition is automatically unlocked.
The service runs and passes:

[test@rhel-edge-1 ~]$ systemctl list-units --state failed
0 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

[test@rhel-edge-1 ~]$ journalctl -u clevis-luks-askpass
-- Logs begin at Wed 2020-09-09 10:11:34 PDT, end at Wed 2020-09-09 10:13:15 PDT. --
Sep 09 10:11:42 rhel-edge-1.mshome.net systemd[1]: Started Clevis LUKS systemd-ask-password Responder for luks-cryptsetup.
Sep 09 10:11:58 rhel-edge-1.mshome.net systemd[1]: clevis-luks-askpass: Succeeded.

So, there are 3 problems I am running into:

1. Enabling the default clevis-luks-askpass@.path service does not trigger the auto unlocking
2. Applying the fix described in bug 1784084 triggers the auto unlocking, but fails if the partitions are encrypted during kickstart
3. Partitions encrypted on kickstart time cannot be manually unlocked

The workaround is to do the encryption setup outside of kickstart apparently

After adding debugging information and executing the unlocking manually, I can see that slot 1 fails with the same error, but slot 2 works:

bash-4.4# clevis luks unlock -d /dev/system/opt
+ SUMMARY='Unlocks a LUKS volume'
+ '[' 2 -eq 1 ']'
+ getopts :d:n: o
+ case "$o" in
+ DEV=/dev/system/opt
+ getopts :d:n: o
+ '[' -z /dev/system/opt ']'
+ cryptsetup isLuks /dev/system/opt
++ cryptsetup luksUUID /dev/system/opt
+ NAME=luks-ccb4212b-3231-4468-a3e6-8e8ea77cb25e
++ clevis_luks_unlock_device /dev/system/opt
++ local DEV=/dev/system/opt
++ '[' -z /dev/system/opt ']'
++ local used_slots
+++ clevis_luks_used_slots /dev/system/opt
+++ local DEV=/dev/system/opt
+++ local slots
+++ cryptsetup isLuks --type luks1 /dev/system/opt
+++ cryptsetup isLuks --type luks2 /dev/system/opt
+++ readarray -t slots
++++ cryptsetup luksDump /dev/system/opt
++++ sed -rn 's|^\s+([0-9]+): luks2$|\1|p'
+++ echo 0 1 2
++ used_slots='0 1 2'
++ '[' -z '0 1 2' ']'
++ local slt pt
++ for slt in ${used_slots}
+++ clevis_luks_unlock_device_by_slot /dev/system/opt 0
+++ local DEV=/dev/system/opt
+++ local SLT=0
+++ '[' -z /dev/system/opt ']'
+++ '[' -z 0 ']'
+++ local jwe passphrase
++++ clevis_luks_read_slot /dev/system/opt 0
+++ jwe=
+++ return 1
++ pt=
++ continue
++ for slt in ${used_slots}
+++ clevis_luks_unlock_device_by_slot /dev/system/opt 1
+++ local DEV=/dev/system/opt
+++ local SLT=1
+++ '[' -z /dev/system/opt ']'
+++ '[' -z 1 ']'
+++ local jwe passphrase
++++ clevis_luks_read_slot /dev/system/opt 1
+++ jwe=eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI1NiIsImp3a19wcml2IjoiQU80QUlQTlRZTGVtYldXSktMRlk3NE1scXJzOEZkRGtOWFNJZ1VFWnN0UUVwZlcwQUJEZjRoS3J5WXlHWnNsZWl4bEpmY2xmRjBHRnpXdEZFTFRlOTBjaTZzZE93Q1BXSmhQNGVLZFBsM0E1ODN0SEhMUm12VlVaWmZqWkU0UnU2ZDZ0Ty1uTVo5VTg4My1wajlFZmRkTG5aZUZweDNFUW0tR3VtVzhxdmV5Z3JzbHVPRnJhbHhrcDhkdnY0X05Rd2xBNkR6OTJ4M3dtRkIzdERtM2ZiTy1vRmsyclZZRzlLVnFFTm9JWjZRenRkWE9jLWVZQWlCaGI4NkMwRFI0WlpnTW5ZNWdkX01QRkFEbG9zaVMyQVM0Y1hEQ0RpMjJDZloyTEFaUEI0WXZLWGw1cU93QXByT1pNbkFQMDEwQmQiLCJqd2tfcHViIjoiQUM0QUNBQUxBQUFFMGdBQUFCQUFJSk5MVHFHMXBVWGoybHo4a1JTUENUc29MM2U4Vi0xUzVzSm9Mc1VCU2RFcSIsImtleSI6ImVjYyJ9fSwiZW5jIjoiQTI1NkdDTSJ9..xdc3hA-4GKWiYaMp.0jn2xdw-Up2uR6QckbV5U41dincGVL5B8TGzn928UH-oyKjIfHnJhiTpEo34C29iIEi2C4sC.stSi41RwPpfBrSoctfDJgg
+++ '[' -z eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI1NiIsImp3a19wcml2IjoiQU80QUlQTlRZTGVtYldXSktMRlk3NE1scXJzOEZkRGtOWFNJZ1VFWnN0UUVwZlcwQUJEZjRoS3J5WXlHWnNsZWl4bEpmY2xmRjBHRnpXdEZFTFRlOTBjaTZzZE93Q1BXSmhQNGVLZFBsM0E1ODN0SEhMUm12VlVaWmZqWkU0UnU2ZDZ0Ty1uTVo5VTg4My1wajlFZmRkTG5aZUZweDNFUW0tR3VtVzhxdmV5Z3JzbHVPRnJhbHhrcDhkdnY0X05Rd2xBNkR6OTJ4M3dtRkIzdERtM2ZiTy1vRmsyclZZRzlLVnFFTm9JWjZRenRkWE9jLWVZQWlCaGI4NkMwRFI0WlpnTW5ZNWdkX01QRkFEbG9zaVMyQVM0Y1hEQ0RpMjJDZloyTEFaUEI0WXZLWGw1cU93QXByT1pNbkFQMDEwQmQiLCJqd2tfcHViIjoiQUM0QUNBQUxBQUFFMGdBQUFCQUFJSk5MVHFHMXBVWGoybHo4a1JTUENUc29MM2U4Vi0xUzVzSm9Mc1VCU2RFcSIsImtleSI6ImVjYyJ9fSwiZW5jIjoiQTI1NkdDTSJ9..xdc3hA-4GKWiYaMp.0jn2xdw-Up2uR6QckbV5U41dincGVL5B8TGzn928UH-oyKjIfHnJhiTpEo34C29iIEi2C4sC.stSi41RwPpfBrSoctfDJgg ']'
++++ clevis decrypt
+++++ echo -n eyJhbGciOiJkaXIiLCJjbGV2aXMiOnsicGluIjoidHBtMiIsInRwbTIiOnsiaGFzaCI6InNoYTI1NiIsImp3a19wcml2IjoiQU80QUlQTlRZTGVtYldXSktMRlk3NE1scXJzOEZkRGtOWFNJZ1VFWnN0UUVwZlcwQUJEZjRoS3J5WXlHWnNsZWl4bEpmY2xmRjBHRnpXdEZFTFRlOTBjaTZzZE93Q1BXSmhQNGVLZFBsM0E1ODN0SEhMUm12VlVaWmZqWkU0UnU2ZDZ0Ty1uTVo5VTg4My1wajlFZmRkTG5aZUZweDNFUW0tR3VtVzhxdmV5Z3JzbHVPRnJhbHhrcDhkdnY0X05Rd2xBNkR6OTJ4M3dtRkIzdERtM2ZiTy1vRmsyclZZRzlLVnFFTm9JWjZRenRkWE9jLWVZQWlCaGI4NkMwRFI0WlpnTW5ZNWdkX01QRkFEbG9zaVMyQVM0Y1hEQ0RpMjJDZloyTEFaUEI0WXZLWGw1cU93QXByT1pNbkFQMDEwQmQiLCJqd2tfcHViIjoiQUM0QUNBQUxBQUFFMGdBQUFCQUFJSk5MVHFHMXBVWGoybHo4a1JTUENUc29MM2U4Vi0xUzVzSm9Mc1VCU2RFcSIsImtleSI6ImVjYyJ9fSwiZW5jIjoiQTI1NkdDTSJ9..xdc3hA-4GKWiYaMp.0jn2xdw-Up2uR6QckbV5U41dincGVL5B8TGzn928UH-oyKjIfHnJhiTpEo34C29iIEi2C4sC.stSi41RwPpfBrSoctfDJgg
WARNING:esys:src/tss2-esys/api/Esys_Load.c:320:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001df) 
ERROR: Eys_Load(0x1DF) - tpm:parameter(1):integrity check failed
ERROR: Unable to run tpm2_load
Loading jwk to TPM2 failed!
+++ passphrase=
+++ return 1
++ pt=
++ continue
++ for slt in ${used_slots}
+++ clevis_luks_unlock_device_by_slot /dev/system/opt 2
+++ local DEV=/dev/system/opt
+++ local SLT=2
+++ '[' -z /dev/system/opt ']'
+++ '[' -z 2 ']'
+++ local jwe passphrase
++++ clevis_luks_read_slot /dev/system/opt 2
+++ jwe=[...]..vXG6M5GX84nJKG3i.39wWygA46VrJ4-E81K7ucZpMeL02oHo0SnxOtdGynBuGNob9ttVRIxJFIZefkw9WGkcOEEMt.vdJHWGVgZ7NO0s0czO9Y0Q
+++ '[' -z [...]..vXG6M5GX84nJKG3i.39wWygA46VrJ4-E81K7ucZpMeL02oHo0SnxOtdGynBuGNob9ttVRIxJFIZefkw9WGkcOEEMt.vdJHWGVgZ7NO0s0czO9Y0Q ']'
++++ clevis decrypt
+++++ echo -n [...]..vXG6M5GX84nJKG3i.39wWygA46VrJ4-E81K7ucZpMeL02oHo0SnxOtdGynBuGNob9ttVRIxJFIZefkw9WGkcOEEMt.vdJHWGVgZ7NO0s0czO9Y0Q
+++ passphrase='!Yfc3rEbXyM(ArT4KALwYBm4sdysiHYSOr*ogENUDNimajyp4q(As0'
+++ '[' -z '!Yfc3rEbXyM(ArT4KALwYBm4sdysiHYSOr*ogENUDNimajyp4q(As0' ']'
+++ clevis_luks_is_key_valid /dev/system/opt '!Yfc3rEbXyM(ArT4KALwYBm4sdysiHYSOr*ogENUDNimajyp4q(As0'
+++ local DEV=/dev/system/opt
+++ local 'KEY=!Yfc3rEbXyM(ArT4KALwYBm4sdysiHYSOr*ogENUDNimajyp4q(As0'
+++ cryptsetup open --test-passphrase /dev/system/opt --key-file /dev/fd/63
++++ echo -n '!Yfc3rEbXyM(ArT4KALwYBm4sdysiHYSOr*ogENUDNimajyp4q(As0'
+++ return 0
+++ echo -n '!Yfc3rEbXyM(ArT4KALwYBm4sdysiHYSOr*ogENUDNimajyp4q(As0'
+++ return 0
++ pt='!Yfc3rEbXyM(ArT4KALwYBm4sdysiHYSOr*ogENUDNimajyp4q(As0'
++ '[' -z '!Yfc3rEbXyM(ArT4KALwYBm4sdysiHYSOr*ogENUDNimajyp4q(As0' ']'
++ echo -n '!Yfc3rEbXyM(ArT4KALwYBm4sdysiHYSOr*ogENUDNimajyp4q(As0'
++ return 0
+ pt='!Yfc3rEbXyM(ArT4KALwYBm4sdysiHYSOr*ogENUDNimajyp4q(As0'
+ cryptsetup open -d- /dev/system/opt luks-ccb4212b-3231-4468-a3e6-8e8ea77cb25e
++ echo -n '!Yfc3rEbXyM(ArT4KALwYBm4sdysiHYSOr*ogENUDNimajyp4q(As0'

Version-Release number of selected component (if applicable):

I am using the rhel-8.3-beta-1-x86_64-boot.iso to install the Edge host.
The tpm-tools version in my blueprint is 4.1.1


How reproducible:

See above comment


Steps to Reproduce:
1. See above comment
2.
3.

Actual results:

Automatic unlocking does not work

Expected results:

Automatic unlocking should work without workarounds

Additional info:

Comment 1 Sergio Correia 2020-09-09 17:56:32 UTC
(In reply to nicolasoliver03 from comment #0)
> Description of problem:
> 
> Automatic unlock of partitions using clevis tpm pin does not work on RHEL
> Edge 8.3
> 
> The following kickstart configuration setup and encrypt:
> 

I will be trying your kickstart to reproduce the issue, but in the meantime, try the following, without changing the units:

> # Disk Setup
> zerombr
> ignoredisk --only-use=sda

[...]

> echo "luks-system-opt /dev/system/opt none _netdev" >> /etc/crypttab
> echo "/dev/mapper/luks-system-opt /var/opt ext4 defaults,_netdev  0 2" >>

1) Please, update your kickstart so that you do not add _netdev to either fstab or crypttab.

> /etc/fstab
> %end
> 
> The opt partition is encrypted using cryptsetup and clevis tpm pin.
> On boot after installation, the password prompt appears as expected.
> Partitions are correctly unlocked and mounted after the password is provided.
> 
> To enable the auto unlocking functionality, do:
> 
> sudo systemctl enable clevis-luks-askpass@.path

2) Do not enable this unit as is. Instead, enable a template of it using the UUID of the target devices. Something like:
systemctl enable clevis-luks-askpass@$(cryptsetup luksUUID /dev/system/opt).path

Once we rebase to clevis 14+, you will be able to enable clevis-luks-askpass.path and that should be enough and simpler.

> 
> And then reboot. The partition is not automatically unlocked, and you still
> need to type the password.

If you can try this and report back, that would be much appreciated.

Comment 2 nicolasoliver03 2020-09-09 18:18:04 UTC
bash-4.4# cat /etc/fstab 

#
# /etc/fstab
# Created by anaconda on Wed Sep  9 18:08:29 2020
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/system-root /                       ext4    defaults        1 1
UUID=99a08701-83c3-4115-8725-327f499fd521 /boot                   ext4    defaults        1 2
UUID=A052-7D0D          /boot/efi               vfat    defaults,uid=0,gid=0,umask=077,shortname=winnt 0 2
/dev/mapper/system-home /var/home               ext4    defaults        1 2
/dev/mapper/system-swap none                    swap    defaults        0 0
/dev/mapper/luks-system-opt /var/opt ext4 defaults  0 2

bash-4.4# cat /etc/crypttab 
system-swap /dev/system/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256
luks-system-opt /dev/system/opt none

bash-4.4# systemctl enable clevis-luks-askpass@$(cryptsetup luksUUID /dev/system/opt).path
Created symlink /etc/systemd/system/basic.target.wants/clevis-luks-askpass → /usr/lib/systemd/system/clevis-luks-askpass@.path.

After reboot, same result. Auto unlocking service is failing

[test@rhel-edge-1 ~]$ systemctl list-units --state=failed
  UNIT                                                             LOAD   ACTIVE SUB    DESCRIPTION                                                                             
● clevis-luks-askpass loaded failed failed Clevis LUKS systemd-ask-password Responder for luks-a88acc6c-d787-4a77-ab6a-0003cb3a18f0

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

1 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

[test@rhel-edge-1 ~]$ journalctl -u clevis-luks-askpass
-- Logs begin at Wed 2020-09-09 11:15:13 PDT, end at Wed 2020-09-09 11:16:36 PDT. --
Sep 09 11:15:18 rhel-edge-1.mshome.net systemd[1]: Started Clevis LUKS systemd-ask-password Responder for luks-a88acc6c-d787-4a77-ab6a-0003cb3a18f0.
Sep 09 11:15:19 rhel-edge-1.mshome.net systemd[1]: clevis-luks-askpass: Main process exited, code=exited, status=1/FAILURE
Sep 09 11:15:19 rhel-edge-1.mshome.net systemd[1]: clevis-luks-askpass: Failed with result 'exit-code'.

Comment 3 nicolasoliver03 2020-09-09 19:08:46 UTC
Found the issue! I had a TPM provisioning script below that was clearing the TPM.
I may have moved that after the disk encryption setup, so the TPM was being cleared after the encryption, and not before as intended.

With this updated configuration everything works on RHEL Edge:

# Disk Setup
zerombr
ignoredisk --only-use=vda
clearpart --drives=vda --all --initlabel

part /boot/efi --fstype=efi --grow --maxsize=200 --size=20
part /boot --fstype=ext4 --size=512
part pv.1 --size 1 --grow --fstype=ext4 --ondrive=vda

volgroup system pv.1
logvol / --fstype ext4 --vgname system --percent=20 --name=root
logvol swap --vgname system --percent=5 --name=swap
logvol /var/home --fstype ext4 --vgname system --percent=5 --name=home

# TPM Provisioning
%post --erroronfail --log=/root/tpm-provisioning.log
set -euxo pipefail

tpm2_clear
mkdir -p /etc/tpm2
cd /etc/tpm2
tpm2_createek -c 0x81010001 -G rsa -u ek.pub
tpm2_createak -C 0x81010001 -c ak.ctx -G rsa -g sha256 -s rsassa
tpm2_evictcontrol -C o -c ak.ctx 0x81010002
tpm2_readpublic -c ak.ctx -f pem -o ak.pem > ak.yaml
cat ak.yaml | grep '^name:' | awk '{ print $2 }' > ak.name

tpm2_quote -c 0x81010002 -l sha256:0,1,2,3,4,5,6,7,8,9,10 \
        -m quote.message -s quote.signature -o quote.pcrs -g sha256

tpm2_checkquote -u ak.pem -m quote.message -s quote.signature \
        -f quote.pcrs -g sha256
%end

# Disk Encryption Configuration
%post --erroronfail --log=/root/disk-encryption-configuration.log
set -euxo pipefail
echo "system-swap /dev/system/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256" >> /etc/crypttab

lvcreate -y -l 20%VG -n opt system
printf "password" | cryptsetup -q luksFormat /dev/system/opt -d -
printf "password" | clevis luks bind -f -k- -d /dev/system/opt tpm2 '{}'
printf "password" | cryptsetup luksOpen /dev/system/opt c1 -d -
mkfs.ext4 /dev/mapper/c1
sleep 1
cryptsetup luksClose c1
echo "luks-system-opt /dev/system/opt none" >> /etc/crypttab
echo "/dev/mapper/luks-system-opt /var/opt ext4 defaults  0 2" >> /etc/fstab
systemctl enable clevis-luks-askpass@$(cryptsetup luksUUID /dev/system/opt).path
%end


I have removed the _netdev and enabled the correct service as recommended.

Thank you!
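
The root cause in comment 3 (the TPM cleared after `clevis luks bind`) was only visible on first boot, and only after stripping `2>/dev/null` from the clevis scripts in comment 0. Below is an added example, not code from this bug report or from the clevis project, of two checks a kickstart `%post` can run right after the bind: pure-awk helpers that read `cryptsetup luksDump` output and report which keyslots carry a clevis token, and a `verify_clevis_unlock` step that actually unseals through the TPM so a broken binding fails the install under `--erroronfail`. The function names, the `verify-<uuid>` mapper name and the embedded sample dump (a trimmed copy of the dump shown in comment 0) are this example's own.

```shell
#!/bin/sh
# Added example: post-bind checks for a clevis/TPM2-bound LUKS2 volume.
# Not from the bug report or the clevis project; names are this example's own.
set -eu

# Print one "<token-id> <keyslot>" line per clevis token in a luksDump read
# from stdin.  Pure text processing, so it works on a saved dump as well.
clevis_token_slots() {
    awk '
        /^Tokens:/ { in_tokens = 1; next }
        /^[A-Z]/   { in_tokens = 0 }           # any other top-level section
        in_tokens && /^  [0-9]+: clevis$/ { tok = $1; sub(":", "", tok); next }
        in_tokens && /^ +Keyslot:/ && tok != "" { print tok, $2; tok = "" }
    '
}

# Print keyslots that no clevis token points at, i.e. the passphrase slots.
# After one successful bind exactly one such slot (the recovery passphrase)
# is expected; a second unbound slot means the bind did not add a token.
unbound_slots() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^Tokens:/   { in_slots = 0; in_tokens = 1; next }
        /^[A-Z]/     { in_slots = 0; in_tokens = 0 }
        in_slots  && /^  [0-9]+: luks2$/ { s = $1; sub(":", "", s); slots[s] = 1 }
        in_tokens && /^ +Keyslot:/       { bound[$2] = 1 }
        END { for (s in slots) if (!(s in bound)) print s }
    ' | sort -n
}

# The real check: unseal through clevis (and therefore the TPM in its
# current state), open the volume, close it again.  Run it while the volume
# is still closed, e.g. right after `clevis luks bind` and before luksOpen.
# Under `%post --erroronfail` with `set -e`, a failure aborts the install.
verify_clevis_unlock() {
    dev="$1"
    name="verify-$(cryptsetup luksUUID "$dev")"   # mapper name is arbitrary
    clevis luks unlock -d "$dev" -n "$name"
    cryptsetup close "$name"
    echo "clevis can unseal $dev"
}

# Constructed sample: a trimmed copy of the luksDump in comment 0 (three
# keyslots, clevis tokens on slots 1 and 2, slot 0 is the passphrase slot).
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
UUID:           ccb4212b-3231-4468-a3e6-8e8ea77cb25e

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  1: luks2
        Key:        512 bits
        Priority:   normal
  2: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
  0: clevis
        Keyslot:  1
  1: clevis
        Keyslot:  2
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# With a device argument run the live check; with none only define helpers.
case "${1:-}" in
    "") ;;
    *)  verify_clevis_unlock "$1"
        cryptsetup luksDump "$1" | unbound_slots ;;
esac
```

In the corrected kickstart from comment 3 the natural place for `verify_clevis_unlock /dev/system/opt` is immediately after the `clevis luks bind` line, before `cryptsetup luksOpen`; had the TPM-clearing `%post` still run after the bind, the install would have stopped there with the tpm2 error on the console rather than producing a host whose askpass unit fails silently. Note that `clevis luks unlock` succeeds as soon as any bound slot unseals, so on the three-slot layout from comment 0 (dead token on slot 1, working token on slot 2) it passes; the `unbound_slots` output there is `0`, and the stale slot 1 is only found by removing it explicitly.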

Comment 4 Sergio Correia 2020-09-10 11:24:22 UTC
(In reply to nicolasoliver03 from comment #3)
> Found the issue! I had a TPM provisioning script below that was clearing the
> TPM. 
> I may have moved that after the disk encryption setup, so the TPM was being
> cleared after the encryption, and not before as intended
> 
> With this updated configuration everything works on RHEL Edge:
> 

[...]

> 
> I have removed the _netdev and enabled the correct service as recommended.
> 
> Thank you!


Nice, that's great to hear. I will close this issue, then.

