fdo-rs / fido-device-onboard-rs

An implementation of the FIDO Device Onboard (FDO) spec written in Rust.
BSD 3-Clause "New" or "Revised" License

fdo-aio service failed to re-encrypt disk on fedora 39 #605

Closed yih-redhat closed 6 months ago

yih-redhat commented 7 months ago

Problem description: On a Fedora 39 machine, install fdo-admin-cli and start fdo-aio.service, then create an iot-simplified-installer image and provision an edge VM with it. Log in to the edge VM and check the fdo client log; it shows that it failed to perform disk re-encryption.

Note: If you do not use the fdo-aio service but instead use the standalone fdo-rendezvous-server/fdo-owner-onboarding-server/fdo-manufacturing-server, it works as expected. For example, this test case works well on Fedora 39: https://github.com/virt-s1/rhel-edge/blob/main/ostree-simplified-installer.sh#L27-L57

Reproduce steps:

  1. Prepare a Fedora 39 machine, install osbuild-composer and fdo-admin-cli.
  2. Configure disk encryption in the fdo config file /etc/fdo/aio/configs/serviceinfo_api_server.yml:

     ```
     [root@yih-f39-43243 ~]# cat /etc/fdo/aio/configs/serviceinfo_api_server.yml
     service_info:
       initial_user:
         username: fdouser
         sshkeys:
         - {PUB_KEY}
       files:
       - path: /etc/sudoers.d/fdouser
         source_path: /var/lib/fdo/fdouser
       commands: null
       diskencryption_clevis:
       - disk_label: /dev/vda3
         reencrypt: true
         binding:
           pin: tpm2
           config: '{}'
       additional_serviceinfo: null
       after_onboarding_reboot: false
     bind: 0.0.0.0:8083
     service_info_auth_token: L9222oOWoE/CqdC86H7Rkixer6HFtfyX9m/djUFloSY=
     admin_auth_token: oCKtbbwfiwTJ4kZfPgXBnj2Hxl3pECFxknx4pgbCkWI=
     device_specific_store_driver:
       Directory:
         path: /etc/fdo/aio/stores/serviceinfo_api_devices
     ```

  3. Build an iot-simplified-installer image with a blueprint like this:

     ```toml
     name = "installer"
     description = "A rhel-edge simplified-installer image"
     version = "0.0.1"
     modules = []
     groups = []

     [customizations]
     installation_device = "/dev/vda"

     [[customizations.user]]
     name = "simple"
     description = "Administrator account"
     password = "${EDGE_USER_PASSWORD_SHA512}"
     key = "${SSH_KEY_PUB}"
     home = "/home/simple/"
     groups = ["wheel"]

     [customizations.fdo]
     manufacturing_server_url="http://${FDO_SERVER_ADDRESS}:8080"
     diun_pub_key_insecure="true"
     ```

  4. Provision an edge VM with this image via HTTP boot.
  5. Log in to the edge VM and check the fdo client log:

     ```
     Jan 22 06:44:37 localhost.localdomain systemd[1]: Starting fdo-client-linuxapp.service - FDO client...
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.662Z INFO fdo_client_linuxapp > Found device credential at FileSystemPath { path: "/boot/device-credentials", deactivation_method: None }
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.719Z INFO fdo_client_linuxapp > Got TO2 addresses: ["http://10.0.188.165:8081", "http://2620:52:0:bc:60ad:5344:9114:7612:8081", "http://fe80::7d5f:fcee:1fbe:95d0:8081"]
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.719Z INFO fdo_client_linuxapp > Performing TO2 protocol, URL: "http://10.0.188.165:8081"
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.757Z INFO fdo_client_linuxapp::serviceinfo > Username is: fdouser
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.757Z INFO fdo_client_linuxapp::serviceinfo > Keys are present
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.757Z INFO fdo_client_linuxapp::serviceinfo > Creating file "/etc/sudoers.d/fdouser" with 32 bytes (mode 384)
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.766Z INFO fdo_client_linuxapp::serviceinfo > Initiating disk re-encryption, disk-label: /dev/vda3, pin: tpm2, config: {}, reencrypt: true
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.975Z ERROR fdo_client_linuxapp > ServiceInfo failed, error: Error processing returned serviceinfo
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: Caused by:
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:     0: Error executing clevis
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:     1: Error executing disk encryption for disk label /dev/vda3
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:     2: Error rebinding clevis
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:     3: Error binding clevis
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:     4: Failed to bind clevis: ExitStatus(unix_wait_status(256)), stdout: , stderr:
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:        Error: Password generation failed - required entropy too low for settings
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:        Unable to generate a new key
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:        Error adding new binding to /dev/vda3
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.977Z ERROR fdo_client_linuxapp > Error performing TO2 ownership protocol
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: Caused by:
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:     Error performing the ServiceInfo roundtrips with TO2 address http://10.0.188.165:8081
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.977Z INFO fdo_client_linuxapp > Performing TO2 protocol, URL: "http://2620:52:0:bc:60ad:5344:9114:7612:8081"
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.992Z ERROR fdo_client_linuxapp > Error performing TO2 ownership protocol
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: Caused by:
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:     0: Error sending HelloDevice
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:     1: Error performing request
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:     2: builder error: invalid port number
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:     3: invalid port number with TO2 address http://2620:52:0:bc:60ad:5344:9114:7612:8081
     Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.993Z INFO fdo_client_linuxapp > Performing TO2 protocol, URL: "http://fe80::7d5f:fcee:1fbe:95d0:8081"
     Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:38.006Z ERROR fdo_client_linuxapp > Error performing TO2 ownership protocol
     Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: Caused by:
     Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]:     0: Error sending HelloDevice
     Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]:     1: Error performing request
     Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]:     2: builder error: invalid port number
     Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]:     3: invalid port number with TO2 address http://fe80::7d5f:fcee:1fbe:95d0:8081
     Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:38.020Z ERROR fdo_client_linuxapp > Error performing TO1 with ServiceClient { protocol_version: Version1_1, base_url: "http://2620:52:0:bc:60ad:5344:9114:7612:8082", client: Client { accepts: Accepts, proxies: [Proxy(System({}), None)], referer: true, default_headers: {"accept": "/"} }, authorization_token: None, encryption_keys: EncryptionKeys { cipher_suite: None, keys: None }, last_message_type: Some(Error), non_interoperable_kdf_required: None }
     Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:38.021Z ERROR fdo_client_linuxapp > Error Couldn't get TO1 from any Rendezvous server! getting usable To1d from rv_entry RendezvousInterpretedDirective { ip_addresses: Some([IPAddress(2620:52:0:bc:60ad:5344:9114:7612)]), dns_name: None, port: 8082, server_certificate_hash: None, ca_certificate_hash: None, user_input: false, wifi_ssid: None, wifi_password: None, medium: None, protocol: Http, delay: 0, bypass: false }
     Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:38.035Z ERROR fdo_client_linuxapp > Error performing TO1 with ServiceClient { protocol_version: Version1_1, base_url: "http://fe80::7d5f:fcee:1fbe:95d0:8082", client: Client { accepts: Accepts, proxies: [Proxy(System({}), None)], referer: true, default_headers: {"accept": "/"} }, authorization_token: None, encryption_keys: EncryptionKeys { cipher_suite: None, keys: None }, last_message_type: Some(Error), non_interoperable_kdf_required: None }
     Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:38.035Z ERROR fdo_client_linuxapp > Error Couldn't get TO1 from any Rendezvous server! getting usable To1d from rv_entry RendezvousInterpretedDirective { ip_addresses: Some([IPAddress(fe80::7d5f:fcee:1fbe:95d0)]), dns_name: None, port: 8082, server_certificate_hash: None, ca_certificate_hash: None, user_input: false, wifi_ssid: None, wifi_password: None, medium: None, protocol: Http, delay: 0, bypass: false }
     ```

  6. Check the disk encryption status; it is not encrypted.

     ```
     [simple@localhost ~]$ sudo cryptsetup luksDump /dev/vda3
     LUKS header information
     Version:        2
     Epoch:          6
     Metadata area:  16384 [bytes]
     Keyslots area:  16744448 [bytes]
     UUID:           bdde839c-f948-46ab-a0c5-f42875b9e80e
     Label:          crypt_root
     Subsystem:      (no subsystem)
     Flags:          (no flags)

     Data segments:
       0: crypt
         offset: 16777216 [bytes]
         length: (whole device)
         cipher: cipher_null-ecb
         sector: 512 [bytes]

     Keyslots:
       1: luks2
         Key:        256 bits
         Priority:   normal
         Cipher:     aes-xts-plain64
         Cipher key: 512 bits
         PBKDF:      pbkdf2
         Hash:       sha256
         Iterations: 1000
         Salt:       a3 08 1f e7 96 cc 97 f0 d1 a5 7d 71 6b bd 3d 55
                     75 f7 ea e2 b4 a4 65 78 31 1c e5 18 37 7a ae 36
         AF stripes: 4000
         AF hash:    sha256
         Area offset:163840 [bytes]
         Area length:131072 [bytes]
         Digest ID:  0
     Tokens:
       0: clevis
         Keyslot:    1
     Digests:
       0: pbkdf2
         Hash:       sha256
         Iterations: 1000
         Salt:       cc f7 6e b1 2b ee bb 8c 80 bd d9 72 cf a8 1a b1
                     88 e0 e9 32 3b f4 4d 43 7a a7 60 39 02 cb 71 da
         Digest:     f4 8f 33 c4 d0 33 6f 6e 62 df 58 25 2a 84 14 3c
                     d1 0a 69 45 7a 11 f7 96 27 6b 06 d6 28 b8 c3 eb
     ```

yih-redhat commented 7 months ago

@7flying Could you please take a look of this bug?

7flying commented 7 months ago

@yih-redhat can you give me the versions of the FDO packages? I'm going to try to reproduce it out of composer first.

yih-redhat commented 7 months ago

```
[root@yih-f39-43243 ~]# rpm -qa|grep fdo
fdo-rendezvous-server-0.4.12-6.fc39.x86_64
fdo-owner-onboarding-server-0.4.12-6.fc39.x86_64
fdo-owner-cli-0.4.12-6.fc39.x86_64
fdo-manufacturing-server-0.4.12-6.fc39.x86_64
fdo-init-0.4.12-6.fc39.x86_64
fdo-client-0.4.12-6.fc39.x86_64
fdo-admin-cli-0.4.12-6.fc39.x86_64
```

7flying commented 6 months ago

@yih-redhat do you have the logs from the rendezvous-server? and owner-onboarding server. Thanks

7flying commented 6 months ago

What I'm consistently getting are errors like this one:

 2024-02-05T11:12:12.572Z WARN  fdo_serviceinfo_api_server > Request with invalid auth token

yih-redhat commented 6 months ago

@7flying I have reproduced this bug, and I will send you the env information in slack.

7flying commented 6 months ago

If we get the full log we see that it is an SELinux denial:

[simple@localhost ~]$ journalctl | grep fdo
Feb 12 09:26:14 localhost.localdomain systemd[1]: Starting fdo-client-linuxapp.service - FDO client...
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.137Z INFO  fdo_client_linuxapp > Found device credential at FileSystemPath { path: "/boot/device-credentials", deactivation_method: None }
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.169Z INFO  fdo_client_linuxapp > Got TO2 addresses: ["http://192.168.1.49:8081", "http://10.45.226.7:8081", "http://fe80::67bb:6b28:931f:f36e:8081", "http://2620:52:0:2de0::1206:8081", "http://fe80::8a46:e9f0:8599:84d9:8081"]
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.169Z INFO  fdo_client_linuxapp > Performing TO2 protocol, URL: "http://192.168.1.49:8081"
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.209Z INFO  fdo_client_linuxapp::serviceinfo > Initiating disk re-encryption, disk-label: /dev/vda3, pin: tpm2, config: {}, reencrypt: true
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.321Z ERROR fdo_client_linuxapp              > ServiceInfo failed, error: Error processing returned serviceinfo
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]: Caused by:
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     0: Error executing clevis
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     1: Error executing disk encryption for disk label /dev/vda3
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     2: Error rebinding clevis
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     3: Error binding clevis
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     4: Failed to bind clevis: ExitStatus(unix_wait_status(256)), stdout: , stderr:
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        Error: Password generation failed - required entropy too low for settings
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        Unable to generate a new key
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        Error adding new binding to /dev/vda3
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.323Z ERROR fdo_client_linuxapp              > Error performing TO2 ownership protocol
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]: Caused by:
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     Error performing the ServiceInfo roundtrips with TO2 address http://192.168.1.49:8081
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.323Z INFO  fdo_client_linuxapp              > Performing TO2 protocol, URL: "http://10.45.226.7:8081"

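A small triage script, added here as an example and not part of fido-device-onboard-rs, that reads a journal excerpt like the one above, groups the AVC records by source type, target type, object class and permissions, and correlates an enforced denial from the client's `fdo_t` domain with the `Failed to bind clevis` error. The sample input is a trimmed copy of the log lines in this comment; the `client_domain` parameter and the verdict names are this script's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Journal excerpt taken from the log above, trimmed to the records that matter.
SAMPLE_JOURNAL = """\
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.209Z INFO  fdo_client_linuxapp::serviceinfo > Initiating disk re-encryption, disk-label: /dev/vda3, pin: tpm2, config: {}, reencrypt: true
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.321Z ERROR fdo_client_linuxapp              > ServiceInfo failed, error: Error processing returned serviceinfo
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     4: Failed to bind clevis: ExitStatus(unix_wait_status(256)), stdout: , stderr:
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
"""

AVC_RE = re.compile(r"AVC avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass(frozen=True)
class Denial:
    comm: str          # process that was denied, e.g. pwmake (spawned by clevis)
    perms: str         # denied permissions, e.g. "search"
    source_type: str   # SELinux type of scontext, e.g. fdo_t
    target_type: str   # SELinux type of tcontext, e.g. crack_db_t
    tclass: str        # object class, e.g. dir
    enforced: bool     # permissive=0 means the kernel actually blocked the access

def _setype(ctx):
    # user:role:type:level -> type
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Denial(
        comm=kv.get("comm", "?"),
        perms=" ".join(m.group("perms").split()),
        source_type=_setype(kv.get("scontext", "?")),
        target_type=_setype(kv.get("tcontext", "?")),
        tclass=kv.get("tclass", "?"),
        enforced=kv.get("permissive", "0") == "0",
    )

def triage(journal, client_domain="fdo_t"):
    # Correlates AVC denials from the FDO client's domain with the clevis bind failure.
    denials, bind_failed, reencrypt_requested = Counter(), False, False
    for line in journal.splitlines():
        d = parse_avc(line)
        if d is not None:
            denials[d] += 1
        elif "Initiating disk re-encryption" in line:
            reencrypt_requested = True
        elif "Failed to bind clevis" in line:
            bind_failed = True
    blocking = [d for d in denials if d.enforced and d.source_type == client_domain]
    if bind_failed and blocking:
        verdict = "selinux-denial"        # policy blocked a helper; fix is in selinux-policy
    elif bind_failed:
        verdict = "bind-failed-other"     # clevis failed but no enforced AVC from the client domain
    elif reencrypt_requested:
        verdict = "ok"
    else:
        verdict = "no-reencrypt-attempt"  # serviceinfo never asked for disk encryption
    return {"verdict": verdict, "bind_failed": bind_failed,
            "denials": dict(denials), "blocking": blocking}

def report(journal):
    r = triage(journal)
    out = [f"verdict: {r['verdict']}"]
    for d, n in r["denials"].items():
        mode = "enforced" if d.enforced else "permissive"
        out.append(f"  {n}x {d.comm}: {d.source_type} -> {d.target_type} "
                   f"{d.tclass} {{ {d.perms} }} ({mode})")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_JOURNAL))
```

Feed it `journalctl -b | grep -E 'fdo-client-linuxapp|audit'` from the device instead of the sample to triage a real run; a `permissive=1` record would be reported but not counted as blocking.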
7flying commented 6 months ago

Added BZ in Fedora's selinux-policies: https://bugzilla.redhat.com/show_bug.cgi?id=2263852

7flying commented 6 months ago

@yih-redhat in your simplified-installer the fdo-client version is

```
[simple@localhost ~]$ rpm -qa | grep fdo
fdo-client-0.4.12-4.fc39.x86_64
fdo-owner-cli-0.4.12-4.fc39.x86_64
```

not fdo-client-0.4.12-6

the issue is not present in 0.4.12-6

nullr0ute commented 6 months ago

> the issue is not present in 0.4.12-6

Are we sure? The difference between -4 and -6 builds was updated crate dependencies for CVEs. If the problem goes away it might mean a bug was fixed in a crate somewhere by luck but I would be surprised if that was the case.

7flying commented 6 months ago

> > the issue is not present in 0.4.12-6
>
> Are we sure? The difference between -4 and -6 builds was updated crate dependencies for CVEs. If the problem goes away it might mean a bug was fixed in a crate somewhere by luck but I would be surprised if that was the case.

Yes, I can confirm that the problem is not present in 0.4.12-6. BUT, the root problem is that this bug report does not have the latest RPMS: Yi's iot-simplified-installer has:

$ rpm -qa | grep selinux-policy
selinux-policy-38.28-1.fc39.noarch
selinux-policy-targeted-38.28-1.fc39.noarch

$ rpm -qa | grep fdo
fdo-client-0.4.12-4.fc39.x86_64
fdo-owner-cli-0.4.12-4.fc39.x86_64

and I've built everything with latest:

[admin@localhost ~]$ rpm -qa | grep selinux-policy
selinux-policy-39.3-1.fc39.noarch
selinux-policy-targeted-39.3-1.fc39.noarch

[admin@localhost ~]$ rpm -qa | grep fdo
fdo-client-0.4.12-6.fc39.x86_64
fdo-owner-cli-0.4.12-6.fc39.x86_64

where the error is not present:

Feb 12 13:43:04 localhost.localdomain fdo-client-linuxapp[1240]:  2024-02-12T13:43:04.144Z INFO  fdo_client_linuxapp > Got TO2 addresses: ["http://192.168.1.49:8081", "http://10.45.226.7:8081", "http://fe80::67bb:6b28:931f:f36e:8081", "http://2620:52:0:2de0::1206:8081", "http://fe80::8a46:e9f0:8599:84d9:8081"]
Feb 12 13:43:04 localhost.localdomain fdo-client-linuxapp[1240]:  2024-02-12T13:43:04.144Z INFO  fdo_client_linuxapp > Performing TO2 protocol, URL: "http://192.168.1.49:8081"
Feb 12 13:43:04 localhost.localdomain fdo-client-linuxapp[1240]:  2024-02-12T13:43:04.177Z INFO  fdo_client_linuxapp::serviceinfo > Initiating disk re-encryption, disk-label: /dev/vda3, pin: tpm2, config: {}, reencrypt: true
Feb 12 13:43:04 localhost.localdomain fdo-client-linuxapp[1240]:  2024-02-12T13:43:04.813Z INFO  fdo_client_linuxapp              > Secure Device Onboarding DONE
Feb 12 13:43:04 localhost.localdomain fdo-client-linuxapp[1240]:  2024-02-12T13:43:04.813Z INFO  fdo_client_linuxapp              > Reboot required? false
Feb 12 13:43:04 localhost.localdomain systemd[1]: fdo-client-linuxapp.service: Deactivated successfully.
Feb 12 13:43:04 localhost.localdomain systemd[1]: Finished fdo-client-linuxapp.service - FDO client.
^C
bash-5.2# cryptsetup luksDump /dev/vda3
LUKS header information
Version:        2
Epoch:          13
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           91f04dd7-6325-4499-a86f-667c7a9eabcb
Label:          crypt_root
Subsystem:      (no subsystem)
Flags:          (no flags)
Requirements:   online-reencrypt-v2 

Data segments:
  0: crypt
    offset: 16777216 [bytes]
    length: (whole device)
    cipher: cipher_null-ecb
    sector: 512 [bytes]

  1: crypt
    offset: 16777216 [bytes]
    length: (whole device)
    cipher: cipher_null-ecb
    sector: 512 [bytes]
    flags : backup-previous

  2: crypt
    offset: 16777216 [bytes]
    length: (whole device)
    cipher: aes-xts-plain64
    sector: 512 [bytes]
    flags : backup-final

Keyslots:
  0: luks2
    Key:        256 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 1000
    Salt:       e3 53 3f 16 fc d3 eb c7 26 1f bb de e5 68 a0 c6 
                d0 b7 22 86 9f 87 4c 48 d9 f2 a8 04 66 26 d7 25 
    AF stripes: 4000
    AF hash:    sha256
    Area offset:32768 [bytes]
    Area length:131072 [bytes]
    Digest ID:  0
  1: luks2 (unbound)
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 1000
    Salt:       5d 3e 85 9b 55 b9 00 f0 c9 a1 d9 6c 5d 74 ca 5a 
                1a 35 c7 d4 36 01 2b 29 9a ff 76 30 21 22 a1 4e 
    AF stripes: 4000
    AF hash:    sha256
    Area offset:163840 [bytes]
    Area length:258048 [bytes]
    Digest ID:  1
  2: reencrypt (unbound)
    Key:        8 bits
    Priority:   ignored
    Mode:       reencrypt
    Direction:  forward
    Resilience: checksum
    Hash:       sha256
    Hash data:  512 [bytes]
    Area offset:421888 [bytes]
    Area length:16355328 [bytes]
    Digest ID:  2
Tokens:
  1: clevis
    Keyslot:    0
    Keyslot:    1
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 1000
    Salt:       8b 95 47 9e fd ca 84 18 29 c8 df 4c 2a 5a d6 dd 
                75 53 8c 58 b6 f4 e1 60 72 c6 5c d8 b0 f2 0b b0 
    Digest:     fa 80 04 62 86 d6 15 25 f1 c0 2a ae c3 11 13 ec 
                e9 7c 38 a1 64 87 12 90 ac 1e 6a c3 a1 66 c3 cb 
  1: pbkdf2
    Hash:       sha256
    Iterations: 1000
    Salt:       89 79 cd 7f 94 4f 05 89 72 bf 03 0b 84 18 b1 9c 
                34 f9 a9 82 26 12 b3 2c 6c 50 69 0f 8c 9c fb 1a 
    Digest:     11 a4 63 5d d9 40 5f 05 47 77 03 a6 b6 6d 03 1f 
                2f 57 40 1b 1c c6 93 54 7d 92 ff 82 6e da 94 48 
  2: pbkdf2
    Hash:       sha256
    Iterations: 1000
    Salt:       61 25 49 bb 07 50 08 ec 68 f8 36 b9 c1 75 81 dc 
                2c 18 07 17 d8 01 ac 9c f5 78 a6 d2 0c 1f f1 26 
    Digest:     c9 1b 21 7c eb d3 75 8f 2c b7 12 c8 36 27 c2 4b 
                f6 e3 76 2e 14 48 96 19 bd 81 24 ac b8 ac 64 ac 
bash-5.2# 

So, the error is just present with this combo:

$ rpm -qa | grep selinux-policy
selinux-policy-38.28-1.fc39.noarch
selinux-policy-targeted-38.28-1.fc39.noarch

$ rpm -qa | grep fdo
fdo-client-0.4.12-4.fc39.x86_64
fdo-owner-cli-0.4.12-4.fc39.x86_64

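To check the state from step 6 of the report without reading a full luksDump by eye, here is an added example (not code from the project) that parses `cryptsetup luksDump` output and classifies the container; the two embedded dumps are trimmed copies of the one in the issue report (data segment still `cipher_null-ecb`, so the volume is plaintext even though a clevis token exists) and of the one in this comment (`Requirements: online-reencrypt-v2` plus a `backup-final` segment using `aes-xts-plain64`, i.e. re-encryption under way). The state names are this script's own.

```python
# Trimmed copy of the luksDump output in the issue report (re-encryption had failed).
DUMP_FAILED = """\
LUKS header information
Version:        2
Data segments:
  0: crypt
    cipher: cipher_null-ecb
Tokens:
  0: clevis
    Keyslot:    1
"""

# Trimmed copy of the luksDump output in the comment above (re-encryption under way).
DUMP_REENCRYPTING = """\
LUKS header information
Version:        2
Requirements:   online-reencrypt-v2
Data segments:
  0: crypt
    cipher: cipher_null-ecb
  2: crypt
    cipher: aes-xts-plain64
    flags : backup-final
Keyslots:
  0: luks2
  2: reencrypt (unbound)
Tokens:
  1: clevis
    Keyslot:    0
    Keyslot:    1
"""

def parse_luks_dump(text):
    # Returns (header, sections); sections maps e.g. "Data segments" to
    # {index: {"type": "crypt", "attrs": {"cipher": [...], "flags": [...]}}}.
    header, sections, section, entry = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            if line.endswith(":"):                  # "Data segments:", "Keyslots:", ...
                section, entry = line[:-1], None
                sections[section] = {}
            elif ":" in line:                       # "Requirements:   online-reencrypt-v2"
                key, val = line.split(":", 1)
                header[key.strip()] = val.strip()
        elif indent == 2 and section is not None:   # "  2: reencrypt (unbound)"
            idx, kind = line.split(":", 1)
            entry = {"type": kind.strip(), "attrs": {}}
            sections[section][idx.strip()] = entry
        elif entry is not None and ":" in line:     # "    flags : backup-final"
            key, val = line.split(":", 1)
            entry["attrs"].setdefault(key.strip(), []).append(val.strip())
    return header, sections

def assess(text):
    # States: not-encrypted (cipher_null placeholder), reencrypting (LUKS2 online
    # re-encryption in progress), encrypted (every data segment uses a real cipher).
    header, sections = parse_luks_dump(text)
    segments = list(sections.get("Data segments", {}).values())
    keyslots = sections.get("Keyslots", {}).values()
    tokens = sections.get("Tokens", {}).values()
    ciphers = {s["attrs"].get("cipher", ["?"])[0] for s in segments}
    reencrypting = ("online-reencrypt" in header.get("Requirements", "")
                    or any(k["type"].startswith("reencrypt") for k in keyslots))
    result = {"clevis_token": any(t["type"] == "clevis" for t in tokens)}
    if reencrypting:
        final = [s["attrs"]["cipher"][0] for s in segments
                 if "backup-final" in s["attrs"].get("flags", [])]
        result.update(state="reencrypting", cipher=final[0] if final else "?")
    elif "cipher_null-ecb" in ciphers:
        # A clevis token may already exist here, but the data is still plaintext.
        result.update(state="not-encrypted", cipher="cipher_null-ecb")
    else:
        result.update(state="encrypted", cipher=",".join(sorted(ciphers)))
    return result
```

Run `assess(open("dump.txt").read())` on the output of `cryptsetup luksDump /dev/vda3` captured on the device; the token check alone is not enough, since the failed run above already had a clevis token on a cipher_null segment.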
7flying commented 6 months ago

@nullr0ute, so since we are OK in the latest RPMs I think that I should close the Fedora BZ.

nullr0ute commented 6 months ago

> @nullr0ute, so since we are OK in the latest RPMs I think that I should close the Fedora BZ.

So I believe the fix is in selinux-policy not FDO which would make more sense if it's selinux.

7flying commented 6 months ago

> > @nullr0ute, so since we are OK in the latest RPMs I think that I should close the Fedora BZ.
>
> So I believe the fix is in selinux-policy not FDO which would make more sense if it's selinux.

but, do we need a fix for an older revision when there is already a fix for the latest version?

nullr0ute commented 6 months ago

> > > @nullr0ute, so since we are OK in the latest RPMs I think that I should close the Fedora BZ.
> >
> > So I believe the fix is in selinux-policy not FDO which would make more sense if it's selinux.
>
> but, do we need a fix for an older revision when there is already a fix for the latest version?

No, the fix is to upgrade the selinux-policy

7flying commented 6 months ago

> > > > @nullr0ute, so since we are OK in the latest RPMs I think that I should close the Fedora BZ.
> > >
> > > So I believe the fix is in selinux-policy not FDO which would make more sense if it's selinux.
> >
> > but, do we need a fix for an older revision when there is already a fix for the latest version?
>
> No, the fix is to upgrade the selinux-policy

My point is that there is also an upgraded selinux-policy that works.

7flying commented 6 months ago

closing this issue as the issue cannot be reproduced with the latest packages.