latchset / clevis

Automated Encryption Framework
GNU General Public License v3.0

ERROR: installing 'clevis-decrypt-http' on Ubuntu 19.04 #112

Open daheise opened 5 years ago

daheise commented 5 years ago

I get the following error when running dracut -f after binding LUKS with tpm2 on Ubuntu 19.04.

dracut-install: ERROR: installing 'clevis-decrypt-http'
dracut: FAILED: /usr/lib/dracut/dracut-install -D /var/tmp/dracut.Sj4n83/initramfs -a /etc/services clevis-decrypt-http clevis-decrypt-tang clevis-decrypt-sss /usr/lib/x86_64-linux-gnu/clevis-luks-askpass clevis-decrypt luksmeta clevis mktemp curl jose socat

The command clevis-decrypt-http does not exist. The only unlock function I need is tpm2. Is there a file I can edit to achieve this?

daheise commented 5 years ago

Changing /usr/lib/dracut/modules.d/60clevis/module-setup.sh from

    inst_multiple /etc/services \
        clevis-decrypt-http \
        clevis-decrypt-tang \
        clevis-decrypt-sss \
        /usr/lib/x86_64-linux-gnu/clevis-luks-askpass \
        clevis-decrypt \
        luksmeta \
        clevis \
        mktemp \
        curl \
        jose \
        socat

to

    inst_multiple /etc/services \
        clevis-decrypt-tang \
        clevis-decrypt-sss \
        /usr/lib/x86_64-linux-gnu/clevis-luks-askpass \
        clevis-decrypt \
        luksmeta \
        clevis \
        mktemp \
        curl \
        jose \
        socat

Got the initramfs to build, but I still haven't achieved a TPM unlock.

daheise commented 5 years ago

Ubuntu implements encryption on LVM volumes. I get prompted for a passphrase for sda3_crypt. When I try to bind clevis to that device, I get the following

sudo clevis luks bind -d /dev/mapper/sda3_crypt tpm2 '{}'
/dev/mapper/sda3_crypt is not a LUKS device!

I have tried binding to /dev/sda3 to no avail. The bind succeeds, but I'm not able to boot without a password.

daheise commented 5 years ago

Diff between the Fedora 30 module-setup.sh and the Ubuntu 19.04 module-setup.sh

--- module-setup.sh 2019-08-14 11:00:38.381192804 -0400
+++ /usr/lib/dracut/modules.d/60clevis/module-setup.sh  2018-10-30 17:55:28.000000000 -0400
@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/bash
 # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 #
 # Copyright (c) 2016 Red Hat, Inc.
@@ -19,12 +19,12 @@
 #

 depends() {
-    echo crypt systemd
+    echo crypt systemd network
     return 0
 }

 cmdline() {
-    echo ""
+    echo "rd.neednet=1"
 }

 install() {
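Review bot: `depends()` and `cmdline()` on the Ubuntu side pull in the `network` module and put `rd.neednet=1` on the kernel command line unconditionally, so every boot waits for networking even when only the tpm2 pin is bound; the Fedora side leaves both empty. Suggest gating `echo crypt systemd network` and `echo "rd.neednet=1"` on a tang/http pin actually being configured, or at least documenting that the module forces a network wait.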
@@ -36,21 +36,20 @@
     inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"

     inst_multiple /etc/services \
+        clevis-decrypt-http \
         clevis-decrypt-tang \
         clevis-decrypt-sss \
-        /usr/libexec/clevis-luks-askpass \
+        /usr/lib/x86_64-linux-gnu/clevis-luks-askpass \
         clevis-decrypt \
-        cryptsetup \
         luksmeta \
         clevis \
         mktemp \
         curl \
         jose \
-        nc
+        socat

     for cmd in clevis-decrypt-tpm2 \
    tpm2_createprimary \
-   tpm2_pcrlist \
    tpm2_unseal \
    tpm2_load; do

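Review bot: the `inst_multiple` list on the Ubuntu side adds `clevis-decrypt-http`, which is not shipped in the package (this is the `dracut-install: ERROR: installing 'clevis-decrypt-http'` failure at the top of the issue), and drops `cryptsetup`, which `clevis-luks-askpass` needs at boot (the "cryptsetup cannot be found" error reported later in the thread). Suggest removing `clevis-decrypt-http \` and restoring `cryptsetup \` in that list before `luksmeta \`.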
@@ -62,10 +61,8 @@
     if (($ret == 0)); then
    inst_multiple clevis-decrypt-tpm2 \
        tpm2_createprimary \
-       tpm2_pcrlist \
        tpm2_unseal \
        tpm2_load
-   inst_libdir_file "libtss2-tcti-device.so*"
     fi

     dracut_need_initqueue
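
Review bot: the Ubuntu side drops `inst_libdir_file "libtss2-tcti-device.so*"` from the `if (($ret == 0))` block, so the TCTI device library the tpm2 tools load to reach the TPM is not copied into the initramfs even though `tpm2_createprimary`, `tpm2_unseal` and `tpm2_load` are. That is one plausible cause of the "Creating TPM2 primary key failed!" / "Unable to run tpm2_createprimary" errors reported later in the thread. Suggest restoring the `inst_libdir_file` line next to the `inst_multiple clevis-decrypt-tpm2 ...` call, and checking the built image with `lsinitramfs` for `libtss2-tcti-device.so`.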

daheise commented 5 years ago

Whether using the Ubuntu package, or building from source, during dracut-initqueue on boot I get an error in clevis-luks-askpass saying that cryptsetup cannot be found on lines 52 and 67. This is despite cryptsetup clearly being placed in usr/sbin/cryptsetup during dracut -f.

$ sudo lsinitramfs /boot/initramfs-5.0.0-25-generic.img | grep cryptsetup
usr/lib/systemd/system-generators/systemd-cryptsetup-generator
usr/lib/systemd/system/cryptsetup.target
usr/lib/systemd/system/sysinit.target.wants/cryptsetup.target
usr/lib/systemd/systemd-cryptsetup
usr/lib/x86_64-linux-gnu/libcryptsetup.so
usr/lib/x86_64-linux-gnu/libcryptsetup.so.12
usr/lib/x86_64-linux-gnu/libcryptsetup.so.12.4.0
usr/sbin/cryptsetup

daheise commented 5 years ago

This change isn't reflected in a tagged release, which is at least one reason Debian is having issues.

bviktor commented 4 years ago

How do you build on 19.04? I'm blocked by #126 there.

tomboland-vocovo commented 4 years ago

I have this problem too. Is there any advice for working around it?

daheise commented 4 years ago

I have gotten the unlock tools to be recognized in the initrd for Debian finally. I have not gotten the unlock to work yet. A summary of getting to this point is below.

  1. Modify /usr/lib/dracut/modules.d/60clevis/module-setup.sh

    # remove `clevis-decrypt-http` from 
    #`/usr/lib/dracut/modules.d/60clevis/module-setup.sh` and
    # add the following: /usr/sbin/cryptsetup \
    #        clevis-decrypt-tpm2 \
    #        tpm2_createprimary \
    #        tpm2_unseal \
    #        tpm2_load \
    #        tpm2_pcrlist
    # The guard for clevis-decrypt-tpm2 prevents these items from being added.
    # I don't know why.
  2. Update the initrd file. (RHEL-based distros use initramfs)

    sudo dracut -fv /boot/initrd.img-$(uname -r)

Now I get the following error on boot emitted by clevis' clevis-decrypt-tpm2: "Creating TPM2 primary key failed!". I think this is caused by another error emitted from tpm2_createprimary expressed as follows: ERROR on line: "168" in file: "tools/tpm2_tool.c": Unable to run tpm2_createprimary. I have found no leads on these latter two errors. I expect some kind of TPM ownership issue.
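A check for the procedure above, added here and not part of the clevis project or any comment in this thread: it verifies that a built initramfs listing contains every tool and library the 60clevis module-setup.sh excerpts install for a tpm2 pin, so a missing binary is caught before reboot rather than at the dracut-initqueue prompt. It assumes the listing comes from `lsinitramfs <image>` (Debian/Ubuntu) or `lsinitrd <image>` (Fedora) saved to a file; the embedded sample listing is constructed.

```shell
#!/bin/bash
# Added example, not code from the clevis project. Tool and library names are taken
# from the module-setup.sh excerpts in this thread; the listing format is what
# `lsinitramfs` / `lsinitrd` print (one path per line, no leading slash).

REQUIRED_TOOLS="cryptsetup clevis clevis-decrypt clevis-decrypt-tpm2 clevis-luks-askpass
luksmeta jose mktemp tpm2_createprimary tpm2_unseal tpm2_load"
REQUIRED_LIBS="libtss2-tcti-device.so"

# check_initramfs LISTING_FILE: prints one "MISSING ..." line per absent entry and
# returns 0 only when nothing is missing.
check_initramfs() {
    listing="$1"
    missing=0
    for tool in $REQUIRED_TOOLS; do
        # Match a final path component named exactly $tool (usr/sbin/cryptsetup),
        # not lookalikes such as systemd-cryptsetup or libcryptsetup.so.
        if ! grep -qE "(^|/)${tool}\$" "$listing"; then
            echo "MISSING tool: $tool"
            missing=$((missing + 1))
        fi
    done
    for lib in $REQUIRED_LIBS; do
        # Accept a versioned soname (libtss2-tcti-device.so.0) as well as the bare .so.
        if ! grep -qE "/${lib}(\.[0-9]+)*\$" "$listing"; then
            echo "MISSING library: $lib"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample listing: the cryptsetup entries from the thread plus the clevis
# and tpm2 tools, but without clevis-decrypt-tpm2 and the TCTI device library.
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
usr/lib/systemd/systemd-cryptsetup
usr/sbin/cryptsetup
usr/bin/clevis
usr/bin/clevis-decrypt
usr/lib/x86_64-linux-gnu/clevis-luks-askpass
usr/bin/luksmeta
usr/bin/jose
usr/bin/mktemp
usr/bin/tpm2_createprimary
usr/bin/tpm2_unseal
usr/bin/tpm2_load
EOF
check_initramfs "$SAMPLE_LISTING" || echo "initramfs incomplete: fix module-setup.sh and rerun dracut -f"
```

Run it against a real image with `lsinitramfs /boot/initrd.img-$(uname -r) > listing.txt` and `check_initramfs listing.txt`.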

rLoka commented 4 years ago

I am also failing to unlock the full encrypted disk bound with clevis + TPM2.0. I always have to supply the password manually after Dracut fails. Tried it on 19.10.

Also, is there a way to get clevis-tpm2 to run on 18.04?

Any help is appreciated.

bviktor commented 4 years ago

I deployed my custom 18.04 build in Noobuntu.

(relevant code)

rLoka commented 4 years ago

@bviktor Sorry, not familiar with Noobuntu, could you elaborate how I would integrate in standard distribution of Ubuntu 18.04?

bviktor commented 4 years ago

Read the linked ansible code.

tomboland-vocovo commented 4 years ago

I'm building a fresh preseed/simple-cdd install image, and actually, I now have this working with the standard debian packages, and the fixed dracut module-setup.sh. My problem was that I didn't realise the dracut image wasn't being used by grub! Now I explicitly specify the initrd.img, it's all working. I bind using the following, and to the sda5 device, not the mapper device. Maybe that's the difference here?

/usr/bin/clevis luks bind -d /dev/sda5 tpm2 '{"pcr_ids": "1,2,5,7"}'

If you do cryptsetup luksDump /dev/sdX, do you see the clevis key?

This works for me in the freshly installed and booted OS, and when I reboot, I get the password prompt, then 2-3 seconds later, the automatic unlock. If I try to run this as part of my postinstall, before booting the OS properly, I get this error:

in-target: A TPM2 device with the in-kernel resource manager is needed!

I'll try and troubleshoot this, but may raise another issue for help.

bviktor commented 4 years ago

The point is, you don't need dracut, because Clevis v12 supports initramfs-tools.

rLoka commented 4 years ago

@bviktor As I understood, you have built your own clevis package with a patch, but you also have custom tpm2-tss and tpm2-tools. Do I need that for clevis 12?

bviktor commented 4 years ago

Yes, because the Ubuntu versions are too old. All the deb build scripts are here:

https://github.com/noobient/noobuntu/tree/master/share

And all the packages are here:

https://nexus.noobient.com/#browse/browse:noobuntu

The only patch I have is a revert for a oneliner, and the issue has been reported already :)

rLoka commented 4 years ago

@bviktor Thanks for the resources you have provided!

Unfortunately, I tried your packages with the initramfs-tools unlocker, and afterwards even with dracut, but Ubuntu just won't decrypt on its own. Just hangs on the passphrase prompt :/

However, it seems clevis works with Fedora just fine (as described here https://techrevelations.de/2019/02/04/tpm-encryption-in-fedora-linux/). I tried it and it worked as expected (I mean on dracut).

Is there a clevis alternative for ubuntu?

bviktor commented 4 years ago

Well we're using this on ~30 workstations already, so it definitely works. This is the guide we're using:

https://github.com/noobient/noobuntu/wiki/Full-Disk-Encryption

I'd try on a clean install first, dracut may have messed things up a little.

rLoka commented 4 years ago

@bviktor Thanks for providing the guide. I did a fresh install of 18.04, installed the noobuntu repo packages, followed the guide, but the automatic unlock does not happen. I started to think there is a HW problem, but then, why would it work with Fedora and not with Ubuntu?

Here is a sudo cryptsetup luksDump /dev/nvme0n1p3

LUKS header information for /dev/nvme0n1p3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      1f 9b 9b 9a 17 53 26 39 e8 c8 8a 63 ac f4 6a fa fb 7d 8c 9e 
MK salt:        e7 3c 24 a7 7d c5 2c 07 fa 5f d2 a8 48 e3 02 8e 
                ba 36 93 b4 42 31 0b a3 8f ad 63 29 0a e5 c2 da 
MK iterations:  117870
UUID:           76fed620-05cf-4b16-8b8a-4876435a2fef

Key Slot 0: ENABLED
    Iterations:             1885928
    Salt:                   3d e2 ac dd e8 95 9e 01 6e c6 81 7d 41 5b f8 c6 
                            be c4 fa 68 f3 27 2c ea c9 ed ec 92 e7 8b 90 48 
    Key material offset:    8
    AF stripes:             4000
Key Slot 1: ENABLED
    Iterations:             1801676
    Salt:                   b0 a8 d6 74 5d 66 8a 1e 07 a1 1c a7 7b 6d c4 de 
                            fd 26 ca 8c 18 87 1f c6 c4 eb 9c 9f 57 85 9e ef 
    Key material offset:    512
    AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Can these two slots coexist?

Additionally, here is the TPM device info (I am using the Intel NUC):

$ dmesg | grep -i tpm
[    0.000000] efi:  TPMFinalLog=0x8a9cb000  ACPI 2.0=0x8a95f000  ACPI=0x8a95f000  SMBIOS=0x8ade9000  SMBIOS 3.0=0x8ade8000  ESRT=0x8ade5418  MEMATTR=0x86cfa018  TPMEventLog=0x83989018 
[    0.014784] ACPI: TPM2 0x000000008A99A328 000034 (v04 INTEL  NUC7i5DN 00000034 AMI  00000000)
[    2.036732] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)

rLoka commented 4 years ago

UPDATE: Managed to get dracut unlocker working on Ubuntu 19.10 with this patch: http://fit-pc.com/wiki/index.php?title=Linux:_Full_Disk_Encryption

(clevis 11-2)

bviktor commented 4 years ago

I'm not sure what you're doing, I just did a completely default desktop installation from the stock Ubuntu 18.04.4 media, then

sudo apt-key adv --fetch-keys https://apt.noobient.com/files/noobuntu.asc
echo 'deb [arch=amd64] https://apt.noobient.com/noobuntu/ bionic main' | sudo tee /etc/apt/sources.list.d/noobuntu.list
sudo apt update
sudo apt install --no-install-recommends clevis

Then those few commands explained in the FDE wiki, and it unlocks perfectly.

Are you sure you're using the correct packages? To me:

$ apt list --installed | grep 'clevis\|tpm2'
clevis/bionic,now 12-6 amd64 [installed]
tpm2-tools/bionic,now 4.1.1-1 amd64 [installed,automatic]
tpm2-tss/bionic,now 2.3.2-1 amd64 [installed,automatic]

rLoka commented 4 years ago

@bviktor Thank you for posting this!

I did exactly that from fresh install of 18.04.4 desktop, but it does not work with initramfs. I have noticed NUC tries to boot, fails, restarts and then I get the password prompt.

Is there a specific BIOS property I have to set?

Currently UEFI and Secure Boot are ON, while Legacy Boot is OFF.

bviktor commented 4 years ago

TPM enabled, UEFI enabled, CSM (legacy) disabled, Secure Boot disabled, but SB shouldn't affect this.

I'll try to test this on a NUC (we have a few), and get back to you. What's your model?

rLoka commented 4 years ago

@bviktor I might try with SB disabled once more. NUC Product Code: BLKNUC7i7DNHE

Greatly appreciated, means a lot! :)

bviktor commented 4 years ago

Just tested on a NUC7i5BN, works just fine.

Are you on the latest BIOS?

Are you sure you do both the clevis luks bind and update-initramfs commands? Do note that -u did not work for me, only -c.

rLoka commented 4 years ago

@bviktor Thanks mate!

Still no luck, but here is what I tried so far.

Flashed BIOS with the newest image. Tried it on a separate NUC which is slightly different model, but I got same results. Tried it with both -u and -c flag.

For convenience, here is a full output of what I did in terminal: https://gist.github.com/rLoka/93148f9adfdcbc951569e7b8d90c090d

I might try it once more on a completely different environment from NUC.

rLoka commented 4 years ago

Finally got this working using clevis 13 built from source on ubuntu 18.04.