Package: shim-signed
Version: 1.44~1+deb12u1+15.8-1~deb12u1
Severity: important

Dear Maintainer,

after updating the shim-signed package to 1.44~1+deb12u1+15.8~deb12u1,
unlocking the LUKS drive automatically via the TPM as enrolled through
systemd-cryptenroll fails because the value of PCR 7 changes.

This is problematic in our setup, because only the IT administrator
has the LUKS passphrase which can be used as a fallback unlock method.
Therefore, manual intervention for unlocking and re-enrolling the TPM
is needed.

At least a NEWS entry should be displayed before the update, and
possibly a solution to automatically re-enroll after a successful unlock
via passphrase added (via systemd unit file? maybe a systemd wishlist
item? `keyctl update` to reseal?).

In any case, a blind update causes a serious regression for us. We
understand this is intended behavior, but we should at least have
a way to know before applying the update.

Thanks!
Matteo Settenvini


Here is the LUKS setup:

-----------------------------------------------------
LUKS header information
Version:        2
Epoch:          6
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           bd26d0e0-251d-44e8-8c90-360fe990d412
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  14
        Memory:     1048576
        Threads:    4
        Salt:       07 d3 6a cf 4c c3 d7 c9 53 a9 69 e2 ef b9 79 2c
                    21 88 74 3a df 64 1a 91 63 18 b8 36 d8 7c e8 e5
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 1000
        Salt:       6d 56 24 f6 82 e1 7a 50 37 12 50 db f5 0c 55 c4
                    38 68 2c 27 61 bf 46 ce f5 e6 d1 4a 99 12 b8 b8
        AF stripes: 4000
        AF hash:    sha512
        Area offset:290816 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
  2: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  14
        Memory:     1048576
        Threads:    4
        Salt:       10 30 2f 6d 11 a7 24 60 a5 f2 8b 4a 13 f5 cc 27
                    08 d6 e2 ba a1 57 0b d9 37 a4 ef 8f 6f bc 95 f9
        AF stripes: 4000
        AF hash:    sha256
        Area offset:548864 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        tpm2-pubkey:
                    (null)
        tpm2-pubkey-pcrs: n/a
        tpm2-primary-alg: ecc
        tpm2-blob:        00 9e 00 20 28 74 43 7e c3 54 e2 d6 06 94 56 db
                    8f e0 ff 30 3f 9a df 8b 54 f0 fe 1c 92 5f 87 28
                    06 c3 9d e8 00 10 36 c0 56 41 85 e8 65 58 f3 4a
                    c4 83 56 29 78 2b 95 f5 78 8a 6b dc 10 42 e8 0e
                    b9 f6 d6 a4 6f 42 0e bc 55 e2 67 69 51 38 04 3b
                    93 29 21 1f 42 af f3 98 0d b3 bd 1b dc 54 d9 99
                    a3 cf 0e b9 0e 9d da 3f 48 47 c3 ea 38 c8 80 ff
                    cb 1d 2a 59 7d 8a 53 ad bf 99 f9 92 0a a5 e5 61
                    e6 a1 00 c7 b5 a2 4c d9 2c de 21 5a b5 bf 82 c2
                    4e 05 4e 5b c9 11 21 57 5a ad 9a 3d 8e f7 3b 33
                    00 4e 00 08 00 0b 00 00 00 12 00 20 d3 ef d1 d5
                    46 82 85 64 9e f0 88 2e 22 59 9b 59 c0 24 83 07
                    0e 95 fc 38 0e 73 cb da 63 89 56 6c 00 10 00 20
                    6f 82 6a a3 04 80 95 03 7b 63 c6 af 22 53 c5 f4
                    d6 d6 1e bf 1a 0d 29 19 e4 0b 90 8b e1 60 73 54
        tpm2-policy-hash:
                    d3 ef d1 d5 46 82 85 64 9e f0 88 2e 22 59 9b 59
                    c0 24 83 07 0e 95 fc 38 0e 73 cb da 63 89 56 6c
        tpm2-pin:         false
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 356173
        Salt:       76 84 f0 bb f4 64 6c f4 4e 47 28 4f fb c5 44 8b
                    19 33 db e9 a6 e7 e9 02 d0 be 94 e3 47 24 42 25
        Digest:     72 cb 20 43 56 1d f5 fe 79 ff 99 81 9a 9f 8d a3
                    c1 1e 8d 47 06 c7 66 38 cb e9 77 2c 53 2e 36 26
-----------------------------------------------------


And these are the values before and after the update:

BEFORE:

-----------------------------------------------------
root@de013-cx4274:~# cat 20240902-last-PCR-Dump-S.txt
  sha1:
  sha256:
    0 : 0x560AFD9ABC6C9DE6AA183A833AE71258F17A21D9EBC45CC2EF4CBE32DC94A564
    1 : 0xF358E4875E329F97733629B113F5AAD170BC123C27EE687BBDA8F0266B1A28E5
    2 : 0x46EE38507CD391F4A3C2B4FBF4937C1777BF2BD60C4C29FD4242C99C00A9130A
    3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    4 : 0xCE0BD5054631786D3DD503B9BB6F12D28E94EB3C20AE0B296EF3EAA0177BA2D2
    5 : 0x600EC56C092AE91E97F695401EDCCC6CD1A25B44B32CED97FB65A26CDBA451FD
    6 : 0x3636543C936F42EAF3AD6CB84454E7938270FF51F40F493B462A32A87CC3F81A
    7 : 0xB1B70331A88FA4D1B37FDB0C6969CCB4E51EE7392907664D1831A60117D64AE8
    8 : 0xF83E55D2158D140D8FC42E6754CFBEDF9D11944F1193127DFF29D96879E5009E
    9 : 0x75FDD30EC254AEE5879804723DBC6FCE579C50DBFB0893343EE12A3B058D572E
    10: 0x6280FA9545FA8F49B9DCD4C10462F8F63983BDAF4505F81288FBD600548E51AA
    11: 0x0000000000000000000000000000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000000000000000000000000000
    14: 0x654BF590AB03D79F71261BCA2F4273CBFA5FD2E414BA312F4A65CD13981F6A1D
    15: 0x0000000000000000000000000000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x0000000000000000000000000000000000000000000000000000000000000000
  sha384:
  sha3_256:
  sha3_384:
-----------------------------------------------------

AFTER:

-----------------------------------------------------
root@de013-cx4274:~# tpm2_pcrread
  sha1:
  sha256:
    0 : 0x560AFD9ABC6C9DE6AA183A833AE71258F17A21D9EBC45CC2EF4CBE32DC94A564
    1 : 0x26549FF408E68E54E5FEB6F9814D8848EB8ED3C3D049729533C9B32E0335370A
    2 : 0x46EE38507CD391F4A3C2B4FBF4937C1777BF2BD60C4C29FD4242C99C00A9130A
    3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    4 : 0x9DEFEC70F9EB3B5E2A7FDF418C54B698B3B39AFCF9B5153AC9A471FD3112AB45
    5 : 0x600EC56C092AE91E97F695401EDCCC6CD1A25B44B32CED97FB65A26CDBA451FD
    6 : 0x3636543C936F42EAF3AD6CB84454E7938270FF51F40F493B462A32A87CC3F81A
    7 : 0x744B05D4526FC8C4C1A20267B171CB5EED143D1E4CD807693473C482EA3826CB
    8 : 0xF83E55D2158D140D8FC42E6754CFBEDF9D11944F1193127DFF29D96879E5009E
    9 : 0x75FDD30EC254AEE5879804723DBC6FCE579C50DBFB0893343EE12A3B058D572E
    10: 0x3D399603A532FDD2E3DDF673848DE34E764A7291360D68A1B1162AC25D82994B
    11: 0x0000000000000000000000000000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000000000000000000000000000
    14: 0x654BF590AB03D79F71261BCA2F4273CBFA5FD2E414BA312F4A65CD13981F6A1D
    15: 0x0000000000000000000000000000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x0000000000000000000000000000000000000000000000000000000000000000
  sha384:
  sha3_256:
  sha3_384:
-----------------------------------------------------
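The mechanism behind the failure, as an added check that is not part of the bug report: the systemd-tpm2 token stores a policy digest derived from the PCR 7 value, so the new PCR 7 produces a different digest and the TPM refuses to unseal. The script parses excerpts of the two tpm2_pcrread dumps above, lists the PCRs that moved, and reproduces the token's tpm2-policy-hash from the old PCR 7 using the TPM 2.0 PolicyPCR rule. It assumes the token was sealed against PCR values only (tpm2-pin: false, tpm2-pubkey (null) in the dump), which is how systemd-cryptenroll in Debian 12 builds that policy.

```python
import hashlib
import re

TPM_CC_POLICYPCR = 0x0000017F  # TPM2_PolicyPCR command code, hashed into the policy
TPM_ALG_SHA256 = 0x000B        # bank named in the token (tpm2-pcr-bank: sha256)

# Constructed excerpts of the report's tpm2_pcrread output: PCRs 1 and 7, sha256 bank.
PCRREAD_BEFORE = """\
  sha256:
    1 : 0xF358E4875E329F97733629B113F5AAD170BC123C27EE687BBDA8F0266B1A28E5
    7 : 0xB1B70331A88FA4D1B37FDB0C6969CCB4E51EE7392907664D1831A60117D64AE8
"""
PCRREAD_AFTER = """\
  sha256:
    1 : 0x26549FF408E68E54E5FEB6F9814D8848EB8ED3C3D049729533C9B32E0335370A
    7 : 0x744B05D4526FC8C4C1A20267B171CB5EED143D1E4CD807693473C482EA3826CB
"""
# From the report's LUKS token (tpm2-hash-pcrs: 7; assumed PCR-only policy, no PIN, no pubkey).
TOKEN_PCRS = [7]
TOKEN_POLICY_HASH = "d3efd1d5468285649ef0882e22599b59c02483070e95fc380e73cbda6389566c"

def parse_pcrread(text, bank="sha256"):
    """Return {pcr_index: hex value} for one bank of tpm2_pcrread output."""
    values, current = {}, None
    for line in text.splitlines():
        hdr = re.match(r"^\s*([a-z0-9_]+):\s*$", line)
        entry = re.match(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$", line)
        if hdr:
            current = hdr.group(1)
        elif entry and current == bank:
            values[int(entry.group(1))] = entry.group(2).lower()
    return values

def changed_pcrs(before, after):
    """PCR indices whose value differs between two parsed dumps."""
    return sorted(i for i in before if before[i] != after.get(i))

def policy_pcr_digest(pcrs, values):
    """Digest of one TPM2_PolicyPCR step on a fresh session (TPM 2.0 Part 3):
    H(32 zero bytes || commandCode || TPML_PCR_SELECTION || H(selected PCR values))."""
    mask = bytearray(3)  # sizeofSelect = 3, one bit per PCR
    for p in pcrs:
        mask[p // 8] |= 1 << (p % 8)
    selection = (1).to_bytes(4, "big") + TPM_ALG_SHA256.to_bytes(2, "big") + b"\x03" + bytes(mask)
    pcr_digest = hashlib.sha256(b"".join(bytes.fromhex(values[p]) for p in sorted(pcrs))).digest()
    return hashlib.sha256(b"\x00" * 32 + TPM_CC_POLICYPCR.to_bytes(4, "big") + selection + pcr_digest).hexdigest()

def token_unlocks(values):
    """True when the given PCR state reproduces the policy hash stored in the token."""
    return policy_pcr_digest(TOKEN_PCRS, values) == TOKEN_POLICY_HASH
```

Feeding the full dumps to `parse_pcrread` also reports PCRs 4 and 10 as changed; only PCR 7 matters to this token, and `token_unlocks` is True for the BEFORE state and False for the AFTER state.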


-- System Information:
Debian Release: 12.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-25-amd64 (SMP w/20 CPU threads; PREEMPT)
Kernel taint flags: TAINT_AUX
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed depends on:
ii  grub-efi-amd64-bin         2.06-13+deb12u1
ii  grub2-common               2.06-13+deb12u1
ii  shim-helpers-amd64-signed  1+15.8+1~deb12u1
ii  shim-signed-common         1.44~1+deb12u1+15.8-1~deb12u1

shim-signed recommends no packages.

shim-signed suggests no packages.

-- no debconf information
