After configuring this, the machine still asks for a password at boot. That is actually normal: the system is unlocking automatically in the background.
I spent a whole evening working this out, so I am writing it down here.
0.Introduction
Environment:
- RedHat 9
- /dev/nvme3n1p3: the host's root partition, LUKS-encrypted; after decryption it is mounted at '/'
- /dev/nvme1n1: libvirt data store, LUKS-encrypted as a whole; after decryption it is a thin provisioning pool
- /dev/sda1: a virtual disk presented by the RAID controller
- On all of the above, keyslot 0 is the passphrase and keyslot 1 is the TPM key
Background: the Linux boot process
Mainboard powers on -> GRUB -> load initramfs -> load the real system
- GRUB: its configured cmdline (kernel parameters) is passed on to the next stage, e.g. which disk holds root and which mode to boot in
- initramfs: a mini system built with dracut. Think of it as a large program started from the GRUB command line that takes over the whole hardware. It bundles the basic drivers needed to reach the real system: network drivers (when the real system is not on a local disk), decryption code (when the real system's partition is encrypted), RAID controller drivers (when the real system sits behind a RAID card rather than on a local disk), graphics drivers (to show the boot screen), and so on.
- The real system: the one we end up using
Background: TPM 2.0
The TPM is a hardware module that contains specific algorithms and storage space. Its firmware can be upgraded, but only a limited number of times.
- It has four authorization passwords: Owner, Endorsement, Platform and Lockout. Even if all of them are lost, the chip can be reset from the BIOS/UEFI setup; a reset wipes everything inside it, including any stored keys. Usually we set the Owner, Platform and Lockout passwords.
- Set these passwords with tpm2_changeauth, for example:
  tpm2_changeauth -c owner -p OLDPASSWD NEWPASSWD
- When disk encryption is set up: Linux stores a "key used to decrypt the disk" in the TPM and agrees on a set of PCR values; the TPM only returns this key when those PCR values match.
- At boot: Linux asks the TPM to check the current PCR values; if they match the agreed set, the TPM releases the "key used to decrypt the disk".
1.Config
## Install the clevis suite
dnf install clevis clevis-luks clevis-dracut clevis-systemd
## Add the clevis module to dracut (which generates the initramfs)
## This file should contain:
## add_dracutmodules+=" tpm2-tss clevis crypt "
cat /etc/dracut.conf.d/tpm2.conf
## Regenerate the initramfs
dracut -f
## Find the disk that needs to be decrypted; below we assume /dev/nvme3n1p3
lsblk
## (If there is a previous binding)
## Remove it ('-s N', where N is the slot shown by `clevis luks list`)
clevis luks unbind -d /dev/nvme3n1p3 -s N
## Note: if you want to bind to PCRs that depend on the initramfs, reboot first (the PCRs only reflect the new initramfs after a boot)
clevis luks bind -d /dev/nvme3n1p3 tpm2 '{"pcr_ids":"0,1,7,11"}'
## Show the tpm2 slot (the passphrase slot 0 is not listed here)
## Output:
## 1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"0,1,7,11"}'
clevis luks list -d /dev/nvme3n1p3
## Test decryption via tpm2
## Success if nothing is printed.
clevis luks unlock -d /dev/nvme3n1p3 -t 1
## Verify that the passphrase slot still works
## Warning: we must always keep a passphrase as a way to unlock the disk!
## If this test fails, immediately reconfigure passphrase unlock (or remove the disk encryption) until it succeeds; otherwise the data may be lost.
cryptsetup luksOpen --test-passphrase /dev/nvme3n1p3
## Reboot to test
reboot
Note: even once TPM unlocking is configured successfully, the system still prompts for a password at boot. The TPM is already unlocking in the background, so you just need to wait a little longer.
On my machine it takes about 6 seconds per partition with key=ecc and about 11 seconds per partition with key=rsa.
2.Troubleshoot
- Check whether a change in the system environment altered the PCRs so the TPM can no longer unlock: tpm2_pcrread sha256:0,1,7,11 shows the current PCR values.
- Check all unlock methods for the partition: cryptsetup luksDump /dev/nvme3n1p3
  Look at Keyslots and Digests. Under Digests, the pbkdf2 entry corresponds to passphrase unlock. Always keep passphrase unlock: a later system upgrade changes the PCRs and the TPM binding then has to be reconfigured.
- Check whether the initramfs already contains the tpm and clevis modules:
  # lsinitrd | grep '^clevis'
  clevis
  clevis-pin-null
  clevis-pin-sss
  clevis-pin-tang
  clevis-pin-tpm2
- Check the boot log for messages about unlocking: journalctl -b | grep -Ei 'clevis|tpm|crypt'
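The re-binding that the troubleshooting notes lead to (PCRs changed after an update, so the tpm2 slot must be unbound and bound again with the same pcr_ids), as an added shell example that is not part of the original post. It assumes the clevis, cryptsetup and tpm2-tools commands used on this page; the sample `clevis luks list` output, the tang URL and the device path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: after an update has changed the
# PCRs, re-bind every tpm2 clevis slot of a LUKS device (unbind, then bind
# again with the same pcr_ids), but only once the passphrase keyslot has been
# confirmed to still open the device, so a manual fallback always remains.
set -eu

# Constructed sample of `clevis luks list -d DEV` output: one tpm2 binding
# and one tang binding that must be left untouched.
SAMPLE_LIST="1: tpm2 '{\"hash\":\"sha256\",\"key\":\"ecc\",\"pcr_bank\":\"sha1\",\"pcr_ids\":\"0,1,7,11\"}'
2: tang '{\"url\":\"http://tang.example:7500\"}'"

# Print "<slot> <pcr_ids>" for one tpm2 binding line; fail for any other pin.
tpm2_slot_and_pcrs() {
  case "$1" in
    *': tpm2 '*'"pcr_ids":"'*) ;;
    *) return 1 ;;
  esac
  slot="${1%%:*}"
  ids="${1#*pcr_ids}"       # -> ":"0,1,7,11"}'
  ids="${ids#*:?}"          # -> 0,1,7,11"}'
  ids="${ids%%[!0-9,]*}"    # -> 0,1,7,11
  printf '%s %s\n' "$slot" "$ids"
}

# Print one "<slot> <pcr_ids>" line per tpm2 binding in a whole listing.
tpm2_bindings() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    tpm2_slot_and_pcrs "$line" || true
  done
}

# Re-bind the tpm2 slots of DEV. Needs root plus the clevis, cryptsetup and
# tpm2-tools commands used on this page; bind/unbind prompt on the terminal.
rebind_tpm2() {
  dev="$1"
  cryptsetup luksOpen --test-passphrase "$dev" ||
    { echo "passphrase keyslot does not open $dev, aborting" >&2; return 1; }
  set -- $(tpm2_bindings "$(clevis luks list -d "$dev")")
  while [ $# -ge 2 ]; do
    slot=$1; ids=$2; shift 2
    echo "slot $slot: current PCR values for sha256:$ids"
    tpm2_pcrread "sha256:$ids"
    clevis luks unbind -d "$dev" -s "$slot"
    clevis luks bind -d "$dev" tpm2 "{\"pcr_ids\":\"$ids\"}"
  done
}
# Usage: sh rebind.sh /dev/nvme3n1p3 (device path is the one from this post)
if [ -n "${1-}" ]; then rebind_tpm2 "$1"; fi
```

Run it only after confirming, as the post stresses, that the passphrase slot still opens the device; the script aborts before touching any slot if that check fails.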
Reference
- LUKS Auto Unlock Partition via Clevis (TPM2) Needs Rebind After Kernel Update https://discussion.fedoraproject.org/t/luks-auto-unlock-partition-via-clevis-tpm2-needs-rebind-after-kernel-update/161704?replies_to_post_number=4
- LUKS devices bound to TPM2 are not decrypted anymore after boot https://access.redhat.com/solutions/6175492
- Configuring manual enrollment of LUKS-encrypted volumes by using a TPM 2.0 policy https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#configuring-manual-enrollment-of-volumes-using-tpm2_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption