Open edcdavid opened 1 month ago
/proc/cmdline reflects the kargs of the current boot. It will never change for the duration of that boot. Naturally, it will differ from what's in /boot/loader/ the minute you need to update settings for the next boot.
I think what you probably want here is a way to hook into ostree so that you can update the digests in the clevis token whenever the bootloader is updated. This is what is being discussed in https://github.com/ostreedev/ostree/issues/1903.
One question is around rollbacks, i.e. if a user selects an older entry in the boot menu. Does clevis support passing multiple allowed digests for a given register? Or probably a reasonable approach there is to just require manual unlocking of the LUKS device.
Also related are UKIs (https://github.com/ostreedev/ostree/issues/2753, https://github.com/coreos/fedora-coreos-tracker/issues/1719) which might be a better fit depending on your use case.
Describe the enhancement
This issue is to discuss ways to better support automatic LUKS disk decryption protected with PCR8 (kernel boot line validation). The kernel boot line (/proc/cmdline) does not seem to always reflect the current kernel boot line defined in /boot/loader/... . For instance, ostree cleanup and rpm-ostree apply-live would modify /boot/loader/...; then only after the host is rebooted is /proc/cmdline updated by grub.

The clevis command lets users bind disk decryption to TPMv2 PCR registers. PCR register 8 measures the kernel bootline. If a disk is bound to a certain value of the boot line and it changes, it won't unlock unless the same bootline is used.

If clevis is used after a call to ostree cleanup, the hash of the kernel bootline recorded in PCR 8 will be calculated based on the old bootloader value. Then, when the host reboots and the TPM PCR 8 register is updated, it will not match the value calculated before reboot, thus preventing disk unlock. The issue could be resolved by manually rebooting the host to align ostree, grub and the PCR8 hash in the TPM and then running clevis to bind the disk to the correct PCR8 value.
So to automate disk decryption with TPM PCR8, I could see the following solutions:
Thanks!
System details
No response
Additional information
No response
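A pre-bind guard for the mismatch this issue describes, written as an added example (it is not part of the issue and not code from clevis, ostree or rpm-ostree): it compares the running /proc/cmdline against the options line of every BLS entry under /boot/loader/entries and returns non-zero when none of them matches, which is the state an ostree cleanup or rpm-ostree apply-live leaves behind until the next reboot. The function names, the default entry directory, and the decision to ignore the bootloader-supplied BOOT_IMAGE= token and any $-prefixed GRUB variables before comparing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the issue or from clevis/ostree/rpm-ostree.
# Purpose: refuse to seal a clevis tpm2 pin to PCR 8 while the command line
# that will be measured on the next boot differs from the one running now.

# Normalize a kernel command line into a sorted list of option tokens.
# Assumptions: BOOT_IMAGE= is added by GRUB at boot and is absent from BLS
# entries, and $-prefixed tokens are GRUB variables expanded at boot, so
# both are dropped before comparison.
normalize_cmdline() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -v '^BOOT_IMAGE=' | grep -v '^\$' | grep -v '^$' | sort
}

# Return 0 when two command lines carry the same set of option tokens
# (order-insensitive), 1 otherwise.
cmdline_matches() {
    [ "$(normalize_cmdline "$1")" = "$(normalize_cmdline "$2")" ]
}

# Print the value of the first "options" key in a BLS entry file.
bls_options() {
    sed -n 's/^options[[:space:]]*//p' "$1" | head -n 1
}

# Compare the running command line against every BLS entry in a directory.
# $1: entry directory (default /boot/loader/entries)
# $2: running command line (default: contents of /proc/cmdline)
# Returns 0 if at least one entry matches, 1 if none does.
check_before_bind() {
    entry_dir=${1:-/boot/loader/entries}
    running=${2:-$(cat /proc/cmdline)}
    found=1
    for entry in "$entry_dir"/*.conf; do
        [ -f "$entry" ] || continue
        if cmdline_matches "$running" "$(bls_options "$entry")"; then
            echo "match:   $entry"
            found=0
        else
            echo "differs: $entry"
        fi
    done
    if [ "$found" -ne 0 ]; then
        echo "no BLS entry in $entry_dir matches /proc/cmdline;" \
             "PCR 8 will change on the next boot, reboot before binding" >&2
    fi
    return "$found"
}

# Usage on the host (placeholder device path):
#   check_before_bind && clevis luks bind -d /dev/<luks-device> tpm2 '{"pcr_ids":"8"}'
```

The check covers only the option tokens: the kernel image path that GRUB also passes on the linux command is deliberately left out of the comparison, and tokens GRUB expands at boot (for example the ignition first-boot variable on Fedora CoreOS) are skipped rather than resolved, so a match here means the options agree, not that every byte measured into PCR 8 is identical. It also does not decide which entry GRUB will pick as default; it only tells you whether the running command line still exists among the entries at all.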