Nitrokey / heads

A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops and servers.
http://osresearch.net/
GNU General Public License v2.0

unlock passphrase doesn't work with Qubes kernel 6.6.2 #30

Closed duncancmt closed 10 months ago

duncancmt commented 11 months ago

This is copied over from linuxboot/heads#1545

Please identify some basic details to help process the report

A. Provide Hardware Details

1. What board are you using (see list of boards here)?

Novacustom NV41 (Nitrokey branded)

2. Does your computer have a dGPU or is it iGPU-only?

3. Who installed Heads on this computer?

4. What PGP key is being used?

5. Are you using the PGP key to provide HOTP verification?

B. Identify how the board was flashed

I deleted this section because I purchased this machine from Nitrokey

C. Identify the rom related to this bug report

1. Did you download or build the rom at issue in this bug report?

2. If you downloaded your rom, where did you get it from?

Please provide the release number or otherwise identify the rom downloaded

Nitrokey heads v2.2

3. If you built your rom, which repository:branch did you use?

4. What version of coreboot did you use in building?

5. In building the rom where did you get the blobs?

Please describe the problem

Describe the bug

I did a dom0 update in Qubes and now the disk unlock passphrase doesn't work anymore. Kernel 6.5.8 works fine, but kernel 6.6.2 won't boot with the unlock passphrase, only the recovery passphrase. I presume something changed with dracut or the kernel boot process preventing concatenated cpios from overriding each other, but I have no idea how I would begin to go about debugging that.

To Reproduce

Steps to reproduce the behavior:

  1. Update Qubes dom0, installing kernel 6.6.2
  2. Attempt to boot using the disk unlock passphrase
  3. Observe that Plymouth still prompts for the recovery passphrase
  4. Observe further that in the initramfs /etc/crypttab has not been patched and that /secret.key is missing

Expected behavior

Booting Qubes with the disk unlock passphrase does not prompt for the recovery passphrase. Also I would expect /etc/crypttab to be patched and /secret.key to be present in the initramfs if/when it drops into the OS recovery shell.

I apologize in advance if this should've gone in the Qubes forum.
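The override mechanism the report depends on, as an added example that is not Heads or Qubes code: the kernel unpacks back-to-back newc cpio archives in order and a repeated path replaces the earlier one, which is how an appended archive carrying `etc/crypttab` and `secret.key` supersedes the distribution's copies. The archive contents are constructed for the demo, and the encoder/parser is a minimal Python model of that behaviour rather than any real initramfs tool.

```python
# Added example (not Heads/Qubes code): how concatenated newc cpio archives
# merge when unpacked in order, with later members replacing earlier ones.
MAGIC = b"070701"
TRAILER = "TRAILER!!!"

def _pad4(n):  # bytes needed to reach the next 4-byte boundary
    return (-n) % 4

def cpio_entry(name, data, mode=0o100644):
    """Encode one newc member: 110-byte ASCII-hex header, NUL-terminated name, data."""
    namesz = len(name) + 1
    # ino, mode, uid, gid, nlink, mtime, filesize, devmaj, devmin, rdevmaj, rdevmin, namesize, check
    fields = [1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, namesz, 0]
    hdr = MAGIC + b"".join(b"%08X" % f for f in fields)
    hdr += name.encode() + b"\0" + b"\0" * _pad4(110 + namesz)
    return hdr + data + b"\0" * _pad4(len(data))

def cpio_archive(files):  # files: iterable of (name, data, mode)
    return b"".join(cpio_entry(n, d, m) for n, d, m in files) + cpio_entry(TRAILER, b"", 0)

def unpack_concatenated(blob):
    """Walk any number of back-to-back archives; a repeated path replaces the earlier one."""
    fs, off = {}, 0
    while off < len(blob):
        if blob[off] == 0:                  # zero padding between archives is skipped
            off += 1
            continue
        if blob[off:off + 6] != MAGIC:
            raise ValueError("bad cpio magic at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesz = f[1], f[6], f[11]
        name = blob[off + 110:off + 110 + namesz - 1].decode()
        off += 110 + namesz + _pad4(110 + namesz)
        data, off = blob[off:off + size], off + size + _pad4(size)
        if name != TRAILER:
            fs[name] = (mode, data)         # overwrite, as the kernel unpacker does
    return fs

def demo():
    """Constructed sample: distro initramfs first, then a Heads-style archive appended."""
    base = cpio_archive([("etc/crypttab", b"luks-1 UUID=1 none luks\n", 0o100644),
                         ("init", b"#!/bin/sh\n", 0o100755)])
    override = cpio_archive([("etc/crypttab", b"luks-1 UUID=1 /secret.key luks\n", 0o100644),
                             ("secret.key", b"CONSTRUCTED-KEY-BYTES", 0o100600)])
    return unpack_concatenated(base + b"\0" * 12 + override)

if __name__ == "__main__":
    for path, (mode, data) in demo().items():
        print("%o %-13s %r" % (mode, path, data))
```

The merged view shows the appended crypttab winning over the distribution's passphrase-prompting one, while the key file keeps the 0600 mode it was archived with.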

tlaurion commented 11 months ago

Nitrokey disables TPM Disk unlock key in their board configurations, as can be seen at https://github.com/Nitrokey/heads/blob/nitropad-release-v2.2/boards%2Fnitropad-nv41%2Fnitropad-nv41.config#L50

duncancmt commented 11 months ago

Hmm... that's odd because I managed to get it set up with kexec-save-key in the recovery shell with the previous kernel, 6.5.8. Is that not supposed to work with that config flag toggled? Simply booting the old kernel makes the disk unlock key work fine. @tlaurion are you suggesting that I ought to switch to mainline Heads to pick up full support for the unlock key with kernel 6.6.2 on the NV41?

tlaurion commented 11 months ago

Testing this as part of PR https://github.com/linuxboot/heads/pull/1541

Works on default install of Q4.2 RC5 on x230-maximized. Fails on 6.6.2

tlaurion commented 11 months ago

user@heads-tests-deb12:~/heads$ grep -Rn DISK initrd/ | grep UNLOCK
grep: initrd/bin/kexec-select-boot:178:     [[ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" = "y" ]] && default_text="${default_text} and boot"
initrd/bin/kexec-save-default:190:if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ "$CONFIG_BASIC" != y ]; then
initrd/bin/kexec-save-default:191:  DEBUG "TPM is enabled and TPM_NO_LUKS_DISK_UNLOCK is not set"
initrd/etc/mtab: No such file or directory
initrd/etc/functions:86:    if [ "$CONFIG_TPM_DISK_UNLOCK_KEY" == "n" ]; then

If it works over NK 2.2, it's a bug :)

tlaurion commented 11 months ago

Ok so @duncancmt you are right, something is wrong with newer kernel/initrd (failing 6.6.2 vs working 6.5.10)

First, journalctl logs from dom0:

TPM_DUK_fail_6.6.2-1.log TPM_DUK_success_6.5.10-1.log

user@Insurgo:~$ diff -u <(grep crypt /media/user/Nitrokey/TPM_DUK_success_6.5.10-1.log) <(grep crypt /media/user/Nitrokey/TPM_DUK_fail_6.6.2-1.log)
--- /dev/fd/63  2023-12-11 10:38:36.073000000 -0500
+++ /dev/fd/62  2023-12-11 10:38:36.064000000 -0500
@@ -1,23 +1,30 @@
-Dec 11 10:17:14 localhost kernel: cryptd: max_cpu_qlen set to 1000
-Dec 11 10:17:14 localhost kernel: Key type .fscrypt registered
-Dec 11 10:17:14 localhost kernel: Key type fscrypt-provisioning registered
-Dec 11 10:17:14 localhost kernel: Key type encrypted registered
-Dec 11 10:17:14 localhost kernel: Freeing unused decrypted memory: 2036K
-Dec 11 10:17:14 localhost systemd[1]: Created slice system-systemd\x2dcryptsetup.slice - Slice /system/systemd-cryptsetup.
-Dec 11 10:17:16 localhost systemd[1]: Starting systemd-cryptsetup@luks\x2d464e7720\x2d22f7\x2d4495\x2da02e\x2dd77dc9396c28.service - Cryptography Setup for luks-464e7720-22f7-4495-a02e-d77dc9396c28...
-Dec 11 10:17:16 localhost systemd-cryptsetup[451]: Key file /secret.key is world-readable. This is not a good idea!
-Dec 11 10:17:16 localhost systemd-cryptsetup[451]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/464e7720-22f7-4495-a02e-d77dc9396c28.
-Dec 11 10:17:16 localhost systemd-cryptsetup[451]: /secret.key has 0644 mode that is too permissive, please adjust the ownership and access mode.
-Dec 11 10:17:23 localhost audit[451]: DM_CTRL module=crypt op=ctr ppid=1 pid=451 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" dev=253:0 error_msg='success' res=1
-Dec 11 10:17:23 localhost kernel: audit: type=1338 audit(1702307843.181:26): module=crypt op=ctr ppid=1 pid=451 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" dev=253:0 error_msg='success' res=1
-Dec 11 10:17:23 localhost audit[451]: SYSCALL arch=c000003e syscall=16 success=yes exit=0 a0=4 a1=c138fd09 a2=55f7d1b41cf0 a3=0 items=6 ppid=1 pid=451 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" key=(null)
-Dec 11 10:17:23 localhost kernel: audit: type=1300 audit(1702307843.181:26): arch=c000003e syscall=16 success=yes exit=0 a0=4 a1=c138fd09 a2=55f7d1b41cf0 a3=0 items=6 ppid=1 pid=451 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" key=(null)
-Dec 11 10:17:23 localhost systemd[1]: Finished systemd-cryptsetup@luks\x2d464e7720\x2d22f7\x2d4495\x2da02e\x2dd77dc9396c28.service - Cryptography Setup for luks-464e7720-22f7-4495-a02e-d77dc9396c28.
-Dec 11 10:17:23 localhost audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-cryptsetup@luks\x2d464e7720\x2d22f7\x2d4495\x2da02e\x2dd77dc9396c28 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
-Dec 11 10:17:23 localhost systemd[1]: Reached target cryptsetup.target - Local Encrypted Volumes.
-Dec 11 10:17:24 localhost systemd[1]: Reached target remote-cryptsetup.target - Remote Encrypted Volumes.
-Dec 11 10:17:25 localhost systemd[1]: Stopped target remote-cryptsetup.target - Remote Encrypted Volumes.
-Dec 11 10:17:25 localhost systemd[1]: Stopped target cryptsetup.target - Local Encrypted Volumes.
-Dec 11 10:17:26 dom0 systemd[1]: Reached target remote-cryptsetup.target - Remote Encrypted Volumes.
-Dec 11 10:17:29 dom0 systemd[1]: Reached target cryptsetup.target - Local Encrypted Volumes.
-Dec 11 10:19:06 dom0 sudo[3886]:     user : TTY=pts/6 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/cat /etc/crypttab
+Dec 11 10:10:59 dom0 kernel: cryptd: max_cpu_qlen set to 1000
+Dec 11 10:10:59 dom0 kernel: Key type .fscrypt registered
+Dec 11 10:10:59 dom0 kernel: Key type fscrypt-provisioning registered
+Dec 11 10:10:59 dom0 kernel: Key type encrypted registered
+Dec 11 10:10:59 dom0 kernel: Freeing unused decrypted memory: 2028K
+Dec 11 10:10:59 dom0 systemd[1]: Created slice system-systemd\x2dcryptsetup.slice - Slice /system/systemd-cryptsetup.
+Dec 11 10:11:01 dom0 systemd[1]: Starting systemd-cryptsetup@luks\x2d464e7720\x2d22f7\x2d4495\x2da02e\x2dd77dc9396c28.service - Cryptography Setup for luks-464e7720-22f7-4495-a02e-d77dc9396c28...
+Dec 11 10:11:24 dom0 systemd-cryptsetup[449]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/464e7720-22f7-4495-a02e-d77dc9396c28.
+Dec 11 10:11:26 dom0 audit[449]: DM_CTRL module=crypt op=ctr ppid=1 pid=449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" dev=253:0 error_msg='success' res=1
+Dec 11 10:11:26 dom0 kernel: audit: type=1338 audit(1702307486.567:28): module=crypt op=ctr ppid=1 pid=449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" dev=253:0 error_msg='success' res=1
+Dec 11 10:11:26 dom0 audit[449]: SYSCALL arch=c000003e syscall=16 success=yes exit=0 a0=4 a1=c138fd09 a2=64f0aed4f3f0 a3=0 items=6 ppid=1 pid=449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" key=(null)
+Dec 11 10:11:26 dom0 kernel: audit: type=1300 audit(1702307486.567:28): arch=c000003e syscall=16 success=yes exit=0 a0=4 a1=c138fd09 a2=64f0aed4f3f0 a3=0 items=6 ppid=1 pid=449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" key=(null)
+Dec 11 10:11:26 dom0 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-cryptsetup@luks\x2d464e7720\x2d22f7\x2d4495\x2da02e\x2dd77dc9396c28 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
+Dec 11 10:11:26 dom0 systemd[1]: Finished systemd-cryptsetup@luks\x2d464e7720\x2d22f7\x2d4495\x2da02e\x2dd77dc9396c28.service - Cryptography Setup for luks-464e7720-22f7-4495-a02e-d77dc9396c28.
+Dec 11 10:11:26 dom0 systemd[1]: Reached target cryptsetup.target - Local Encrypted Volumes.
+Dec 11 10:11:27 dom0 systemd[1]: Reached target remote-cryptsetup.target - Remote Encrypted Volumes.
+Dec 11 10:11:28 dom0 systemd[1]: Stopped target remote-cryptsetup.target - Remote Encrypted Volumes.
+Dec 11 10:11:28 dom0 systemd[1]: Stopped target cryptsetup.target - Local Encrypted Volumes.
+Dec 11 10:11:29 dom0 systemd[1]: Reached target remote-cryptsetup.target - Remote Encrypted Volumes.
+Dec 11 10:11:32 dom0 systemd[1]: Reached target cryptsetup.target - Local Encrypted Volumes.
+Dec 11 10:15:16 dom0 sudo[4160]:     user : TTY=pts/6 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/cat /etc/crypttab
+Dec 11 10:15:53 dom0 systemd[1]: Stopped target remote-cryptsetup.target - Remote Encrypted Volumes.
+Dec 11 10:16:09 dom0 systemd[1]: Stopped target cryptsetup.target - Local Encrypted Volumes.
+Dec 11 10:16:09 dom0 systemd[1]: Stopping systemd-cryptsetup@luks\x2d464e7720\x2d22f7\x2d4495\x2da02e\x2dd77dc9396c28.service - Cryptography Setup for luks-464e7720-22f7-4495-a02e-d77dc9396c28...
+Dec 11 10:16:09 dom0 systemd-cryptsetup[4822]: Device luks-464e7720-22f7-4495-a02e-d77dc9396c28 is still in use.
+Dec 11 10:16:09 dom0 systemd-cryptsetup[4822]: Failed to deactivate: Device or resource busy
+Dec 11 10:16:09 dom0 systemd[1]: systemd-cryptsetup@luks\x2d464e7720\x2d22f7\x2d4495\x2da02e\x2dd77dc9396c28.service: Control process exited, code=exited, status=1/FAILURE
+Dec 11 10:16:09 dom0 systemd[1]: systemd-cryptsetup@luks\x2d464e7720\x2d22f7\x2d4495\x2da02e\x2dd77dc9396c28.service: Failed with result 'exit-code'.
+Dec 11 10:16:09 dom0 systemd[1]: Stopped systemd-cryptsetup@luks\x2d464e7720\x2d22f7\x2d4495\x2da02e\x2dd77dc9396c28.service - Cryptography Setup for luks-464e7720-22f7-4495-a02e-d77dc9396c28.
+Dec 11 10:16:09 dom0 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-cryptsetup@luks\x2d464e7720\x2d22f7\x2d4495\x2da02e\x2dd77dc9396c28 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
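Review bot: the telling difference in this hunk is what the 6.6.2 side lacks rather than what it adds. The `-` side has two `systemd-cryptsetup[451]` lines about `/secret.key` ("Key file /secret.key is world-readable", "/secret.key has 0644 mode that is too permissive") and reaches `Finished systemd-cryptsetup@...` seven seconds after `Starting`; the `+` side has no `/secret.key` line at all and waits from 10:11:01 (`Starting`) to 10:11:24 (`Set cipher aes`), which is consistent with an interactive passphrase prompt instead of a key file and matches the report that `/etc/crypttab` was not patched and `/secret.key` is missing from the 6.6.2 initramfs. The `+` lines from 10:15:16 onward (the `sudo ... cat /etc/crypttab` command and the `still in use` / `Failed to deactivate` stop at 10:16:09) are minutes after boot and not part of the unlock failure, so they add noise to the comparison. Separately, the two warnings on the working side say the injected `/secret.key` is shipped with mode 0644; archiving it as 0600 in the appended cpio would address what systemd-cryptsetup is complaining about.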

@marmarek: Any idea?

tlaurion commented 11 months ago

Discussion will continue from this comment https://github.com/linuxboot/heads/issues/1545#issuecomment-1850495995 on. (NOT HERE)

tlaurion commented 11 months ago

Note that upstream issue has been opened at https://github.com/QubesOS/qubes-issues/issues/8763

tlaurion commented 10 months ago

Fixed. See details at https://github.com/QubesOS/qubes-issues/issues/8763 and the associated https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-098-2023.txt

@daringer you can close.