fedora iot-simplified-installer fdo re-encryption failed #3726
Comments
|
@runcom @7flying Could you please take a look of this bug? And I found a similar bug was filed before https://bugzilla.redhat.com/show_bug.cgi?id=2220851 |
|
fdo client log: [simple@localhost home]$ journalctl -u fdo-client-linuxapp.service fdo aio serviceinfo config file: |
|
@yih-redhat we need the logs from the manufacturing-client.service, if you have them
that one was a TPM issue, don't know yet if this will also be the case, but we'll need the manufacturing logs. Thanks |
|
This might be selinux issue, I think. @yih-redhat Could you please check the selinux fix in RHEL 9 in Fedora? Thanks. |
sure, could you please let me know the steps to check the selinux fix? |
|
I do found below denied avc log for /tmp/fdouser, but after I changed to use /var/lib/fdo/fdouser, I didn't see it anymore. type=AVC msg=audit(10/09/2023 08:35:03.580:9660) : avc: denied { open } for pid=232024 comm=fdo-serviceinfo path=/tmp/fdouser dev="tmpfs" ino=251 scontext=system_u:system_r:fdo_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0 |
yih-redhat
changed the title
|
It's selinux issue. The selinux fdo fix in RHEL should be landed in Fedora. |
|
This is what I've got: So, it is selinux, but not our typical case! |
|
Linked the issue to our issue tracker: fedora-iot/iot-distro#8 |
|
Verifying this bug with build https://koji.fedoraproject.org/koji/buildinfo?buildID=2320649 |
|
Verified this bug with build https://koji.fedoraproject.org/koji/buildinfo?buildID=2320649, fixed, the fdo re-encryption works as expected. |
Describe the bug
provision edge vm with iot-simplified-installer, install a failing health check unit and rollback, then check fdo re-encryption by command "cryptsetup luksDump /dev/vda3". The expected result is there is no "cipher_null-ecb" in output, but actually "cipher_null-ecb" is in the output.
The same test passed on rhel and centos-stream, the difference is we check /dev/vda4 on these os, with command "cryptsetup luksDump /dev/vda4", so I guess maybe the root reason is that fedora image only has /dev/vda3, and rhel/centos has /dev/vda4.
Environment
/etc/os-releaseand/etc/redhat-release):rpm -qi osbuild-composer)To Reproduce
Steps to reproduce the behavior:
"rpm-ostree install --cache-only https://s3.amazonaws.com/org.osbuild.test-dependencies/greenboot-failing-unit-1.0-1.el8.noarch.rpm --reboot"
[simple@localhost ~]$ sudo cryptsetup luksDump /dev/vda3
[sudo] password for simple:
LUKS header information
Version: 2
Epoch: 6
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 05ad1795-54bc-4a57-bb01-9082f86a774d
Label: crypt_root
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: cipher_null-ecb
sector: 512 [bytes]
Keyslots:
1: luks2
Key: 256 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha256
Iterations: 1000
Salt: 6c 19 c0 8e 05 f0 05 21 42 70 98 5a 07 c9 19 8a
d0 7a d8 ef 16 14 95 be 94 9e d2 d8 46 bf 16 0f
AF stripes: 4000
AF hash: sha256
Area offset:163840 [bytes]
Area length:131072 [bytes]
Digest ID: 0
Tokens:
0: clevis
Keyslot: 1
Digests:
0: pbkdf2
Hash: sha256
Iterations: 1000
Salt: 75 96 82 66 56 55 02 a1 0a 63 58 db b2 c9 60 fd
3b cd 8d fe ef cf 39 76 73 7d 68 8e b0 6f f7 aa
Digest: b9 fb 7b a8 6f 2b 91 20 e2 8f b7 b4 2a 6f 67 09
7e bf b3 2b 45 2b c1 1c be 23 d9 dc e0 54 f2 48
Expected behavior
there is no "cipher_null-ecb" in output
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: