raspberrypi / rpi-sb-provisioner

A minimal-input automatic secure boot provisioning system for Raspberry Pi devices.
Apache License 2.0

Fresh setup with standard image fails #47

Open LimaLima opened 1 day ago

LimaLima commented 1 day ago

v1.1.0 Configuration:

CUSTOMER_KEY_FILE_PEM=/deploy/private.pem
CUSTOMER_KEY_PKCS11_NAME=
GOLD_MASTER_OS_FILE=/deploy/2024-07-04-raspios-bookworm-arm64-lite.img
RPI_DEVICE_STORAGE_TYPE=emmc
RPI_DEVICE_FAMILY=4
RPI_DEVICE_BOOTLOADER_CONFIG_FILE=/var/lib/rpi-sb-provisioner/bootloader.config
RPI_DEVICE_LOCK_JTAG=
RPI_DEVICE_EEPROM_WP_SET=
RPI_DEVICE_SERIAL_STORE=/usr/local/etc/rpi-sb-provisioner/seen
DEMO_MODE_ONLY=
RPI_SB_WORKDIR=/srv/provision-work

Running on a fresh install of Pi4, based on the same 2024-07-04-raspios-bookworm-arm64-lite.img. Targeting CM4 (8 GiB MMC, 1 GiB RAM, no wifi) on IO Board, as per documentation.

After "successful" provisioning, boot fails before switching to encrypted partition: image boot.img/initramfs8 does not contain uncompressed kernel modules that are required here, but it has their .xz versions

LimaLima commented 7 hours ago

p.s. rpi-otp-private-key returns zeros on the target CM4. I was expecting it to have something random after provisioning.

tdewey-rpi commented 6 hours ago

Thanks for the report, @LimaLima

I'm hoping to reproduce this on CM4 either later today or tomorrow.

Your observations are essentially correct - I'd have expected to see a device-unique key returned, and that you just have zeros implies that the keywriter failed on your device.

LimaLima commented 5 hours ago

Ok, so we have two problems then:

  1. key provisioning not generating a disk encryption key
  2. compressed kernel modules being copied to a kernel that expects uncompressed ones

Any suggested workarounds, or some additional information I could collect?

LimaLima commented 1 hour ago

Some further testing:

  1. Cleared RPI_SB_WORKDIR folder (workaround for the issue #42)
  2. Took a CM4 module with random numbers already burned into OTP using rpi-otp-private-key (workaround for key provisioning issue)
  3. Modified the image using unxz -k required.ko.xz to make sure the modules are available (workaround for cryptoroot incompatibility with compressed modules)

Provisioning went through "successfully". However, LUKS is locked.

Confirmed manually. Even tried with a key made out of 0s.

Need to find additional workarounds :(
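A check for the second problem in this thread (kernel modules present in the initramfs only as .ko.xz), as an added example that is not part of the issue or of rpi-sb-provisioner: it parses a newc cpio initramfs (gzip-compressed or not) and lists which modules would need `unxz -k` before a cryptroot initramfs without xz support can load them. The archive contents, the `6.6.0-example` kernel version and the module paths are constructed for the demo.

```python
"""Added example (not rpi-sb-provisioner code): find kernel modules that an
initramfs ships only as .ko.xz; paths and archive below are constructed."""
import gzip
import io
def _pad4(n):
    return (n + 3) & ~3

def build_newc_cpio(entries):
    """Constructed helper: pack {path: bytes} into a newc cpio archive."""
    out = io.BytesIO()
    items = list(entries.items()) + [("TRAILER!!!", b"")]  # cpio end marker
    for ino, (path, data) in enumerate(items, start=1):
        name = path.encode() + b"\0"
        fields = (ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name), 0)
        out.write(b"070701" + "".join("%08x" % v for v in fields).encode())
        out.write(name + b"\0" * (_pad4(110 + len(name)) - 110 - len(name)))
        out.write(data + b"\0" * (_pad4(len(data)) - len(data)))
    return out.getvalue()

def list_entries(blob):
    """Return member paths of a (possibly gzip-compressed) newc cpio archive."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    off, names = 0, []
    while True:
        if blob[off:off + 6] != b"070701":
            raise ValueError("not a newc cpio header at offset %d" % off)
        fields = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        size, namesize = fields[6], fields[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode()
        off = _pad4(off + 110 + namesize)  # header + name padded to 4 bytes
        if name == "TRAILER!!!":
            return names
        names.append(name)
        off = _pad4(off + size)  # file data padded to 4 bytes

def find_compressed_modules(blob):
    """Split module paths into (uncompressed .ko, compressed .ko.xz) lists."""
    names = list_entries(blob)
    plain = sorted(n for n in names if n.endswith(".ko"))
    compressed = sorted(n for n in names if n.endswith(".ko.xz"))
    return plain, compressed

# Constructed sample initramfs: dm-crypt and xts only as .ko.xz, ext4 plain.
SAMPLE_INITRAMFS = gzip.compress(build_newc_cpio({
    "init": b"#!/bin/sh\n",
    "usr/lib/modules/6.6.0-example/kernel/crypto/xts.ko.xz": b"\xfd7zXZ\x00",
    "usr/lib/modules/6.6.0-example/kernel/drivers/md/dm-crypt.ko.xz": b"\xfd7zXZ\x00",
    "usr/lib/modules/6.6.0-example/kernel/fs/ext4.ko": b"\x7fELF",
}))
```

On a real device, pass the bytes of `initramfs8` extracted from `boot.img` to `find_compressed_modules`; a non-empty second list is the condition that step 3 of the workaround above addresses.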