Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check ubuntu 24.10 uki #2937

Open
Itxaka opened this issue Oct 14, 2024 · 3 comments · May be fixed by #2939
Open

Check ubuntu 24.10 uki #2937

Itxaka opened this issue Oct 14, 2024 · 3 comments · May be fixed by #2939

Comments

@Itxaka
Copy link
Member

Itxaka commented Oct 14, 2024
edited
Loading

24.10 uki doesn't work. Investigate why, seems like it cant encrypot.

HINT: Check if its shipping a default pcrlock json files, which is not supported to encrypt. (cant user measurements AND pcrlock files at the same time)
@Itxaka
Copy link
Member Author

Itxaka commented Oct 14, 2024

Check Dockerfile.kairos


# Disable the make-policy service that its on by default on some systemd versions
# it creates a pcrlock.json policy that conflicts with our mesurements when trying to enroll it
RUN if [ "$(which-init.sh)" = "systemd" ]; then \
      systemctl disable systemd-pcrlock-make-policy || true; \
      systemctl mask systemd-pcrlock-make-policy || true; \
      journalctl --vacuum-size=1K || true; \
    fi

@Itxaka
Copy link
Member Author

Itxaka commented Oct 14, 2024

Image

@Itxaka Itxaka linked a pull request Oct 14, 2024 that will close this issue
Open
@Itxaka
Copy link
Member Author

Itxaka commented Oct 14, 2024

Even adding the missing dep still fails:

Failed to find TPM2 pcrlock policy file 'pcrlock.json': No such file or directory
Loaded 'libcryptsetup.so.12' via dlopen()
Allocating context for crypt device /dev/vda2.
Trying to open and read device /dev/vda2 with direct-io.
Initialising device-mapper backend library.
Trying to load LUKS2 crypt type from device /dev/vda2.
Crypto backend (OpenSSL 3.3.1 4 Jun 2024 [default][legacy][threads][argon2]) initialized in cryptsetup library version 2.7.2.
Detected kernel Linux 6.11.0-8-generic x86_64.
Loading LUKS2 header (repair disabled).
Acquiring read lock for device /dev/vda2.
Opening lock resource file /run/cryptsetup/L_253:2
Verifying lock handle for /dev/vda2.
Device /dev/vda2 READ lock taken.
Trying to read primary LUKS2 header at offset 0x0.
Opening locked device /dev/vda2
Verifying locked device handle (bdev)
LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Checksum: 1600643437bedd2cf5a4772844cd2b2019150f48809651f25abe9cfc07035c2e (on-disk)
Checksum: 1600643437bedd2cf5a4772844cd2b2019150f48809651f25abe9cfc07035c2e (in-memory)
Trying to read secondary LUKS2 header at offset 0x4000.
Reusing open ro fd on device /dev/vda2
LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Checksum: 51b03200666a9cd3ddb1e033930b9233374e31e51f49924d4593cc8338c51e4b (on-disk)
Checksum: 51b03200666a9cd3ddb1e033930b9233374e31e51f49924d4593cc8338c51e4b (in-memory)
Device size 67108864, offset 16777216.
Device /dev/vda2 READ lock released.
PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
Requesting JSON for token 0.
Requesting JSON for token 1.
Requesting JSON for token 2.
Requesting JSON for token 3.
Requesting JSON for token 4.
Requesting JSON for token 5.
Requesting JSON for token 6.
Requesting JSON for token 7.
Requesting JSON for token 8.
Requesting JSON for token 9.
Requesting JSON for token 10.
Requesting JSON for token 11.
Requesting JSON for token 12.
Requesting JSON for token 13.
Requesting JSON for token 14.
Requesting JSON for token 15.
Requesting JSON for token 16.
Requesting JSON for token 17.
Requesting JSON for token 18.
Requesting JSON for token 19.
Requesting JSON for token 20.
Requesting JSON for token 21.
Requesting JSON for token 22.
Requesting JSON for token 23.
Requesting JSON for token 24.
Requesting JSON for token 25.
Requesting JSON for token 26.
Requesting JSON for token 27.
Requesting JSON for token 28.
Requesting JSON for token 29.
Requesting JSON for token 30.
Requesting JSON for token 31.
Keyslot 0 priority 1 != 2 (required), skipped.
Trying to open LUKS2 keyslot 0.
Running keyslot key derivation.
Reading keyslot area [0x8000].
Acquiring read lock for device /dev/vda2.
Opening lock resource file /run/cryptsetup/L_253:2
Verifying lock handle for /dev/vda2.
Device /dev/vda2 READ lock taken.
Reusing open ro fd on device /dev/vda2
Device /dev/vda2 READ lock released.
Verifying key from keyslot 0, digest 0.
Loaded 'libtss2-esys.so.0' via dlopen()
Loaded 'libtss2-rc.so.0' via dlopen()
Loaded 'libtss2-mu.so.0' via dlopen()
Assertion 'c' failed at src/shared/tpm2-util.c:2806, function tpm2_get_best_pcr_bank(). Aborting.

This was already reported upstream a long time ago (found it in debian) as systemd/systemd#33855

It has been fixed, so it may be available in systemd 256.6 or 256.7
current ubuntu version is 256.5 :(

systemd 256 (256.5-2ubuntu3)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT +LIBARCHIVE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
🧙Issue tracking board
Status: Todo 🖊
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

🐧 Bring back ubuntu 24.10 uki kairos-io/kairos
1 participant
@Itxaka