fedora-silverblue / issue-tracker

Fedora Silverblue issue tracker
https://fedoraproject.org/atomic-desktops/silverblue/

New Package Request: clevis clevis-dracut clevis-udisks2 #409

Closed travier closed 1 month ago

travier commented 1 year ago
  1. Is the package installed by default in Fedora Workstation? If it is not, we will ask you to open an issue in the issue tracker for the Fedora Workstation Working Group.

It's not in Workstation yet apparently. Will have to file that there.

  2. What, if any, are the additional dependencies on the package? What is the output of this command on a system without overrides or locally installed packages:
$ rpm-ostree install --dry-run <package>
TODO
  3. What is the size of the package and its dependencies?
$ rpm -qip clevis-luks-18-14.fc37.x86_64.rpm clevis-18-14.fc37.x86_64.rpm clevis-dracut-18-14.fc37.x86_64.rpm clevis-udisks2-18-14.fc37.x86_64.rpm clevis-systemd-18-14.fc37.x86_64.rpm
Name        : clevis-luks
Version     : 18
Release     : 14.fc37
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 72619
License     : GPLv3+
Signature   : RSA/SHA256, Sun Dec 18 13:49:19 2022, Key ID f55ad3fb5323552a
Source RPM  : clevis-18-14.fc37.src.rpm
Build Date  : Sun Dec 18 13:39:35 2022
Build Host  : buildhw-x86-15.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://github.com/latchset/clevis
Bug URL     : https://bugz.fedoraproject.org/clevis
Summary     : LUKS integration for clevis
Description :
LUKS integration for clevis. This package allows you to bind a LUKS
volume to a clevis unlocking policy. For automated unlocking, an unlocker
will also be required. See, for example, clevis-dracut and clevis-udisks2.

Name        : clevis
Version     : 18
Release     : 14.fc37
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 126589
License     : GPLv3+
Signature   : RSA/SHA256, Sun Dec 18 13:49:20 2022, Key ID f55ad3fb5323552a
Source RPM  : clevis-18-14.fc37.src.rpm
Build Date  : Sun Dec 18 13:39:35 2022
Build Host  : buildhw-x86-15.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://github.com/latchset/clevis
Bug URL     : https://bugz.fedoraproject.org/clevis
Summary     : Automated decryption framework
Description :
Clevis is a framework for automated decryption. It allows you to encrypt
data using sophisticated unlocking policies which enable decryption to
occur automatically.

The clevis package provides basic encryption/decryption policy support.
Users can use this directly; but most commonly, it will be used as a
building block for other packages. For example, see the clevis-luks
and clevis-dracut packages for automatic root volume unlocking of LUKSv1
volumes during early boot.

Name        : clevis-dracut
Version     : 18
Release     : 14.fc37
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 6228
License     : GPLv3+
Signature   : RSA/SHA256, Sun Dec 18 13:49:20 2022, Key ID f55ad3fb5323552a
Source RPM  : clevis-18-14.fc37.src.rpm
Build Date  : Sun Dec 18 13:39:35 2022
Build Host  : buildhw-x86-15.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://github.com/latchset/clevis
Bug URL     : https://bugz.fedoraproject.org/clevis
Summary     : Dracut integration for clevis
Description :
Automatically unlocks LUKS block devices in early boot.

Name        : clevis-udisks2
Version     : 18
Release     : 14.fc37
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 28914
License     : GPLv3+
Signature   : RSA/SHA256, Sun Dec 18 13:49:20 2022, Key ID f55ad3fb5323552a
Source RPM  : clevis-18-14.fc37.src.rpm
Build Date  : Sun Dec 18 13:39:35 2022
Build Host  : buildhw-x86-15.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://github.com/latchset/clevis
Bug URL     : https://bugz.fedoraproject.org/clevis
Summary     : UDisks2/Storaged integration for clevis
Description :
Automatically unlocks LUKS block devices in desktop environments that
use UDisks2 or storaged (like GNOME).

Name        : clevis-systemd
Version     : 18
Release     : 14.fc37
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 2962
License     : GPLv3+
Signature   : RSA/SHA256, Sun Dec 18 13:49:20 2022, Key ID f55ad3fb5323552a
Source RPM  : clevis-18-14.fc37.src.rpm
Build Date  : Sun Dec 18 13:39:35 2022
Build Host  : buildhw-x86-15.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://github.com/latchset/clevis
Bug URL     : https://bugz.fedoraproject.org/clevis
Summary     : systemd integration for clevis
Description :
Automatically unlocks LUKS _netdev block devices from /etc/crypttab.
  4. What problem are you trying to solve with this package? Or what functionality does the package provide?

Make it easier to enable TPM2 binding for disk encryption via clevis. See: https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/

  5. Can the software provided by the package be run from a container? Explain why or why not.

No, it's for the root disk.

  6. Can the tool(s) provided by the package be helpful in debugging container runtime issues?

No

  7. Can the tool(s) provided by the package be helpful in debugging networking issues?

No

  8. Is it possible to layer the package locally via rpm-ostree install <package>? Explain why or why not.

Yes, but it would be better to have it by default to avoid modifying/rebuilding the initrd.

travier commented 1 year ago

See also https://github.com/fedora-silverblue/issue-tracker/issues/285

miabbott commented 1 year ago

While I can see the value in this use case, I'm unsure of how common it would be for most users. If we were to include this, I think I would also like to see some robust docs that explain how to do the TPM2 binding on Silverblue, perhaps some troubleshooting steps as well. (Pardon my ignorance if the docs for Silverblue would be identical for Workstation in this case)

travier commented 1 year ago

The instructions would be mostly the same, but will get much simpler once we have UKIs.

Right now the main issue is that if you want something meaningful in terms of security, you need to rebind after each update before the reboot. Thus this needs a script that does it during the ostree-finalize step.

The end goal would be to have a box to tick in Anaconda that says "Automatically encrypt the disk (via TPM)" and have the user still enter a passphrase as backup or generate a long secret to store somewhere as backup.
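The rebind step described above, as an added example that is not part of this thread or of the clevis project: a POSIX shell helper that finds the tpm2-bound LUKS keyslots and produces the `clevis luks regen` commands a finalize hook would run. The device path, the sample `clevis luks list` output and the hook wiring are assumptions; `clevis luks list -d` and `clevis luks regen -q -d -s` are the real clevis subcommands.

```shell
#!/bin/sh
# Added example (not from the issue thread or the clevis project): a helper
# for an ostree-finalize style rebind step. It reads text in the format of
# `clevis luks list -d DEV`, picks the slots bound with the tpm2 pin and emits
# the `clevis luks regen` commands that re-seal those slots. The device path
# and the sample output below are constructed placeholders.
set -eu

# Constructed sample of `clevis luks list` output: one "slot: pin 'config'"
# line per bound keyslot. Slot 1 (tang) must be left alone by the rebind.
sample_list() {
  cat <<'EOF'
0: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"7"}'
1: tang '{"url":"http://tang.example.invalid"}'
2: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"7,8,9"}'
EOF
}

# Print "SLOT PCR_IDS" for every tpm2-bound slot in $1; other pins are skipped.
tpm2_slots() {
  printf '%s\n' "$1" | awk -F': ' '$2 ~ /^tpm2 / {
    pcrs = "(none)"
    if (match($0, /"pcr_ids":"[^"]*"/)) {
      pcrs = substr($0, RSTART + 11, RLENGTH - 12)
    }
    print $1, pcrs
  }'
}

# Emit one `clevis luks regen` command per tpm2 slot of device $1, given the
# `clevis luks list` text in $2. -q keeps regen non-interactive, which a
# finalize hook needs; the PCR set is echoed so the log shows what was sealed.
regen_commands() {
  tpm2_slots "$2" | while read -r slot pcrs; do
    printf 'clevis luks regen -q -d %s -s %s  # pcr_ids=%s\n' "$1" "$slot" "$pcrs"
  done
}

# Stand-alone run prints the planned commands for the constructed sample.
# On a real system (root, clevis installed) the hook would instead pipe
#   regen_commands "$dev" "$(clevis luks list -d "$dev")"
# into sh once the new deployment's kernel and initrd are staged.
regen_commands /dev/PLACEHOLDER_LUKS_DEV "$(sample_list)"
```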

CheariX commented 1 year ago

While I really like the steps forward to FDE with TPM2, I don't really get the advantage of using clevis in comparison to simply using systemd-cryptenroll that is already shipped in Silverblue. In particular, what I currently do is simply using the part "Automatically decrypt additional partitions" in your article without using clevis. (Maybe this should also be covered in this article?)

The only thing that I need to add was: Initramfs: --force-add tpm2-tss

travier commented 1 year ago

If systemd-cryptenroll also works for the root partition then this could also be an option indeed.

travier commented 1 year ago

We should investigate https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/ for Silverblue

travier commented 1 month ago

Thanks for the report. This issue is now tracked in https://gitlab.com/fedora/ostree/sig/-/issues/33 thus I'll close this one.