@tlaurion
Collaborator

Addresses partly #1588 until proper CapsLock detection code is created.

TODO:

  • Cleanup commit logs. This is raw at creation of PR: just works in Q4.1 (lvm) and Q4.2 (btrfs).
  • Would love this to work out of the box to pass additional discovered LUKS devices, but as of now, Qubes asks for Disk Recovery Key if the whole setup chain for that additional device is not completed on OS side.
  • So in current state, all LUKS discovered devices are part of "suggested" disks for user to select. This means that if those devices are set up with different DRK, it will fail as well. TLDR: all DUK to be part of TPM DUK need to have the same DRK to be enrolled as TPM DUK and OS needs to have proper setup (/etc/crypttab + dracut regen + grub regen).

Putting as draft upon creation.
@UndeadDevel: comments can be added either in issue or here if you have code comments (here) or other requirements (in issue).

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Move function on top of file, first pass to replace strings with array and deal with arrays only.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
… for both LUKSv1 and LUKSv2

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…+passphrase, justifying choosing N in most cases.

Display key_devices for confirmation as well.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…uggested_devices.

Otherwise presented order is /dev/sdb1 /dev/sda2

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…(pipefail prevented retries) + cleanup.

Apply workaround stating that capslock might be on, TPM might be in locked state: poweroff/poweron to retry cleanly.
Output PCRs only in debug mode, otherwise disclosing unauthenticated final PCR values to possible attacker. Should be available from authenticated Recovery console and from Debug only.
Unify LUKS/TPM Disk Unlock Key output to end user for clarity

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion marked this pull request as draft January 18, 2024 19:50
@tlaurion force-pushed the fix_tpm_duk_retry_and_workflow branch 2 times, most recently from da42675 to 2b255dd January 18, 2024 20:05
…xt output to usb thumb drive

Really handy btw. Would be nice to add that into sysrq magic to output to usb thumb drive and have ctrl-alt-delete output dmesg to external storage when in debug mode. Would work also for headless debug when porting

TODO: squash all related commits together.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion force-pushed the fix_tpm_duk_retry_and_workflow branch from 2b255dd to e33af25 January 19, 2024 16:30
@tlaurion
Collaborator Author

This contains WiP where #1595 will be more consensual for now. Leaving this one as draft and will rework when I have a fix for Capslock.
