
Thread: TPM no longer unlocks device

  1. #11
    Join Date
    Jun 2006
    Location
    UK
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: TPM no longer unlocks device

    Quote Originally Posted by MAFoElffen View Post
    EDIT: To write this post, I had to use "key-slot" instead of that, without the dash... The Forum filter if done without the dash, filters into ke***** .
    A bit OT, but for the record: I have no idea why a past forum admin, at about the time dinosaurs roamed the planet, decided that the string "yslot" was too coarse for delicate forum members' ears, but since Google doesn't come up with anything remotely relevant, and I'm not aware of any obscene context for it, I've removed yslot from the forum censor list.
    Ubuntu 22.04 Desktop Guide - Ubuntu 24.04 Desktop Guide - Forum Guide to BBCode - Using BBCode code tags

    Member: Not Canonical Team

    If you need help with your forum account, such as SSO login issues, username changes, etc, the correct place to contact an admin is here. Please do not PM me about these matters unless you have been asked to - unsolicited PMs concerning forum accounts will be ignored.

  2. #12
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: TPM no longer unlocks device

    ^^^^
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  3. #13
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TPM no longer unlocks device

    ^^^ Hooray!!! Thank you coffeecat! I had no idea why that was hitting the censor/filter. Now I have at least an idea why. LOL!

    "Concurrent coexistence of Windows, Linux and UNIX..." || Ubuntu user # 33563, Linux user # 533637
    Sticky: Graphics Resolution | UbuntuForums 'system-info' Script | Posting Guidelines | Code Tags

  4. #14
    Join Date
    Jun 2023
    Beans
    6

    Re: TPM no longer unlocks device

    In case anybody finds this in the future:
    Thank you to https://lemmy.world/u/skullgiver@pop...hilciferous.nl for providing a way to recover the real key out of the encoded recovery key:

    You can add up to 32 key slots for a LUKS2 volume, and every one of those will allow you to add or remove keys. I have done so myself using a key file at one point. If you have any working key, you can add a new key to your system. Your recovery key would’ve worked if it was generated by systemd-enroll rather than whatever Ubuntu did.

    To fix the problem you have, “recovery keys” need to be turned into real keys. After a bit of conversion, Snap will just call cryptsetup like a normal Linux install would: *cmdAddRecoveryKey.Execute() -> AddRecoveryKeyToLUKSDevice -> AddRecoveryKeyToLUKSDeviceUsingKey -> AddKey.

    All the “recovery key” mechanism is doing is generate a key by itself (a very secure key, but just a normal key nonetheless) and pass it on through to cryptsetup. This key isn’t a normal string you can type in (as it’s purely random), which is why it’s encoded in a weird integer format that’s easy to type into a numpad.

    The snap commands aren’t printing the real key, they’re converting your input to keys during boot. However, if the drive unlocks at all, the user can add a new key, if they can just find how to get the real key out of their system. runFDERevealKeyCommand seems very suspect to me, I believe that command will dump the real key out, though I can’t find the source. I think you need to run fde-reveal-key and feed it something (JSON, I think?).

    This post contains a Go program that will decode the actual key from whatever Snap/Ubuntu turned it into and mount the partition; the parsing code was taken from Snap itself. I’ve taken the code and thrown together the following program to decode the key for you:
    Code:
    package main
    
    import (
    	"encoding/binary"
    	"errors"
    	"fmt"
    	"os"
    	"strconv"
    )
    
    // ParseRecoveryKey interprets the supplied string and returns the corresponding [16]byte. The recovery key is a
    // 16-byte number, and the formatted version of this is represented as 8 5-digit zero-extended base-10 numbers (each
    // with a range of 00000-65535) which may be separated by an optional '-', eg:
    //
    // "61665-00531-54469-09783-47273-19035-40077-28287"
    //
    // The formatted version of the recovery key is designed to be able to be inputted on a numeric keypad.
    func ParseRecoveryKey(s string) (out [16]byte, err error) {
    	for i := 0; i < 8; i++ {
    		if len(s) < 5 {
    			return [16]byte{}, errors.New("incorrectly formatted: insufficient characters")
    		}
    		x, err := strconv.ParseUint(s[0:5], 10, 16) // each group is a base-10 16-bit integer (anything above 65535 is rejected)
    		if err != nil {
    			return [16]byte{}, errors.New("incorrectly formatted")
    		}
    		// Each group is stored little-endian, so the first group "61665" (0xF0E1) becomes the bytes E1 F0.
    		binary.LittleEndian.PutUint16(out[i*2:], uint16(x))
    
    		// Move to the next 5 digits
    		s = s[5:]
    		// Permit each set of 5 digits to be separated by an optional '-', but don't allow the formatted key to end or begin with one.
    		if len(s) > 1 && s[0] == '-' {
    			s = s[1:]
    		}
    	}
    
    	if len(s) > 0 {
    		return [16]byte{}, errors.New("incorrectly formatted: too many characters")
    	}
    
    	return
    }
    
    // selfTest checks that the example key from the comment above parses and that the first
    // group lands in the expected little-endian byte order.
    func selfTest() bool {
    	key, e := ParseRecoveryKey("61665-00531-54469-09783-47273-19035-40077-28287")
    	return e == nil && key[0] == 0xE1 && key[1] == 0xF0
    }
    
    func main() {
    	if !selfTest() {
    		fmt.Println("Self-test failed, something went wrong during compilation")
    		return
    	}
    
    	fmt.Println("Please enter your Snap-encoded recovery key below:")
    	var recoveryKey string
    	if _, err := fmt.Scanln(&recoveryKey); err != nil {
    		fmt.Println("Failed to read your key!")
    		return
    	}
    
    	key, e := ParseRecoveryKey(recoveryKey)
    	if e != nil {
    		fmt.Printf("Failed to decode recovery key; %s\n", e)
    		return
    	}
    
    	// The decoded key is 16 raw bytes, not printable text. The prompt goes to stdout and the raw
    	// bytes go to stderr, so "go run recover.go 2> key.txt" keeps the prompt visible and captures
    	// exactly the 16 bytes (no trailing newline) in key.txt.
    	fmt.Printf("Your recovery key is: ")
    	_, _ = os.Stderr.Write(key[:])
    	fmt.Println()
    }
    Steps to run that program:

    1. Install Go
    2. Save the file somewhere (recover.go)
    3. Run the command go run recover.go

    You will find the key dumped into the terminal, but there’s a good chance this is Unicode gibberish. Run the following command to save the key to a file: go run recover.go 2> key.txt; that will dump the key to key.txt rather than print it out. You can then use key.txt to add another key to a LUKS container, for example: cryptsetup luksAddKey --key-file=key.txt /dev/sda4 newkeyheremakesureitsverysecure.

    What I don’t get is why the Ubuntu folks didn’t take the 16-byte key they generated, turn it into their own weird key format, and use that as a key string. That would keep their generation compatible with cryptsetup, would make the key equally easy to enter and equally secure, and wouldn’t expose these weird bugs. It would’ve cost what, 32 extra bytes in memory?
    Last edited by Irihapeti; October 21st, 2023 at 09:35 AM. Reason: Tidied up some formatting for readability
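The following is an added example, not code from the Lemmy post, from snapd or from anyone in this thread. It puts the recovery-key format described above into a small tool that does the two things the thread wants: decode the typed "NNNNN-NNNNN-..." string into the 16 raw bytes, and write those bytes straight to a 0600 key file instead of the terminal. It goes beyond the quoted code in two ways: FormatRecoveryKey is the reverse direction (raw bytes back to the numpad string, the form a user is shown), and NewRecoveryKey generates a fresh key, so the round trip can be checked on random input. The parser follows the same rules as the snapd parser quoted above; the names FormatRecoveryKey, NewRecoveryKey, WriteKeyFile and the file name recover2.go are my own.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// ParseRecoveryKey decodes the "NNNNN-NNNNN-...-NNNNN" form into the 16 raw bytes that
// snapd hands to cryptsetup: eight 5-digit base-10 groups, each a little-endian uint16,
// with an optional '-' between groups (same rules as the snapd parser quoted above).
func ParseRecoveryKey(s string) (out [16]byte, err error) {
	for i := 0; i < 8; i++ {
		if len(s) < 5 {
			return [16]byte{}, errors.New("incorrectly formatted: insufficient characters")
		}
		x, err := strconv.ParseUint(s[0:5], 10, 16) // also rejects groups above 65535
		if err != nil {
			return [16]byte{}, errors.New("incorrectly formatted: bad 5-digit group")
		}
		binary.LittleEndian.PutUint16(out[i*2:], uint16(x))
		s = s[5:]
		// A '-' is accepted only between groups; a lone trailing '-' stays in s and is rejected below.
		if len(s) > 1 && s[0] == '-' {
			s = s[1:]
		}
	}
	if len(s) > 0 {
		return [16]byte{}, errors.New("incorrectly formatted: too many characters")
	}
	return out, nil
}

// FormatRecoveryKey is the inverse: raw bytes back to the numpad-friendly string, the
// direction used when a recovery key is shown to the user.
func FormatRecoveryKey(key [16]byte) string {
	groups := make([]string, 8)
	for i := range groups {
		groups[i] = fmt.Sprintf("%05d", binary.LittleEndian.Uint16(key[i*2:]))
	}
	return strings.Join(groups, "-")
}

// NewRecoveryKey draws 16 bytes (128 bits) from the kernel CSPRNG.
func NewRecoveryKey() ([16]byte, error) {
	var key [16]byte
	if _, err := rand.Read(key[:]); err != nil {
		return [16]byte{}, err
	}
	return key, nil
}

// WriteKeyFile stores exactly the 16 raw bytes with no trailing newline (cryptsetup uses
// every byte of a --key-file) in a file created 0600 and never overwritten (O_EXCL).
func WriteKeyFile(path string, key [16]byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	if _, err := f.Write(key[:]); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: go run recover2.go <output-keyfile>   (key is read from stdin)")
		os.Exit(2)
	}
	// The key is read from stdin rather than argv so it does not land in shell history or `ps`.
	fmt.Print("Enter the formatted recovery key: ")
	sc := bufio.NewScanner(os.Stdin)
	if !sc.Scan() {
		fmt.Fprintln(os.Stderr, "cannot read key from stdin")
		os.Exit(1)
	}
	key, err := ParseRecoveryKey(strings.TrimSpace(sc.Text()))
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot decode recovery key:", err)
		os.Exit(1)
	}
	if err := WriteKeyFile(os.Args[1], key); err != nil {
		fmt.Fprintln(os.Stderr, "cannot write key file:", err)
		os.Exit(1)
	}
	// Echo the canonical form so a typo in the input is visible before the key is used.
	fmt.Println("wrote 16-byte key file; canonical form:", FormatRecoveryKey(key))
}
```

Run it as go run recover2.go key.bin and type the eight groups at the prompt. Before touching the LUKS header, check that stat -c %s key.bin prints 16 (a stray newline would make cryptsetup try a 17-byte key) and that cryptsetup open --test-passphrase --key-file key.bin /dev/sda4 succeeds; only then run cryptsetup luksAddKey --key-file key.bin /dev/sda4 to enrol a new passphrase, and remove key.bin with shred -u afterwards, since it is the real volume key slot secret.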

  5. #15
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TPM no longer unlocks device

    Thank you for finding and posting that! (But... In the nicest way)

    Please... Go back to your post > Select "Edit" > Select "Go Advanced" to get into the Advanced Editor with the extended toolbar > Select the text of the code with your mouse. > Select the "#" icon to wrap the code with inserted CODE Tags > Save/Submit.

    It is forum policy to only post code and raw output within CODE Tags...



    I'm going to try that and see what it comes up with...

  6. #16
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TPM no longer unlocks device

    I get syntax errors with that posted code:
    Code:
    mafoelffen@Mikes-ThinkPad-T520:~/Scripts$ go run ./recovery.go
    # command-line-arguments
    ./recovery.go:19:22: syntax error: unexpected semicolon, expected { after for clause
    ./recovery.go:32:26: syntax error: unexpected semicolon, expected { after if clause
    ./recovery.go:62:27: syntax error: unexpected semicolon in argument list; possibly missing comma or )
    Going to look at it...

    EDIT: I debugged it, and it is useless to be able to use a key. What was wrong, syntax-wise, is that what got displayed in the code in that post mistakenly mixed in HTML codes for characters. I got it debugged and it ran without errors, BUT: what got decoded for my test cases' translated recovery code was gibberish. The console cannot display raw hex characters. And his redirection example doesn't work. It then errors as "file not found", because it doesn't give the user a chance to enter the recovery code.

    I know a lot of programming languages, but golang is not one of them. What would be needed to be able to use that code is to modify it to write the keyfile directly to a file, instead of trying to display it on the console.

    Dang. I was hopeful.

    EDIT2: I created an account there to ask him if he can add that to his code... Waiting on my account there being approved by the admins.
    Last edited by MAFoElffen; October 20th, 2023 at 05:19 PM.

  7. #17
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TPM no longer unlocks device

    I posted there asking...

  8. #18
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TPM no longer unlocks device

    We worked it out into a working GoLang script that generates a valid hex key-file translated from the recovery key...

    I tested it on the VM and it unlocks both LUKS Containers and I was able to add new passphrases to the key-slots.

    Late right now. Will get back to this tomorrow.
