Results 1 to 10 of 18

Thread: TPM no longer unlocks device

  1. #1
    Join Date
    Jun 2023
    Beans
    6

    TPM no longer unlocks device

    My installation of 23.10 worked really nicely until I did a firmware update, after which I always need to enter the recovery key.
    Is there a way to fix that?

  2. #2
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TPM no longer unlocks device

    Was this an update from fwupdate??? If so, there's a problem which I would consider as being a Bug. If it cleared the TPM, then it cleared the stored passcode for the encrypted LUKS container... Which is a new, exciting install option that they just started pushing... I don't think they foresaw this kind of thing happening.

    Did you backup your installation lately? Ever?

    What I would do right now, is,
    Before anything else, get a good backup.
    Do
    Code:
    cryptsetup luksAddKey /dev/<diskname>
    to add another key to the key slots to be able to get in.
    File a bug against fwupdate... This is an unforeseen problem that they need to work out so that it doesn't start affecting more people.

    If this wasn't from fwupdate, then tell me how the TPM got cleared...

    "Concurrent coexistence of Windows, Linux and UNIX..." || Ubuntu user # 33563, Linux user # 533637
    Sticky: Graphics Resolution | UbuntuForums 'system-info' Script | Posting Guidelines | Code Tags

  3. #3
    Join Date
    Jun 2023
    Beans
    6

    Re: TPM no longer unlocks device

    Thank you for the reply

    I installed an update via the new firmware updater tool and then clicked on 'update checksums' (I know it says that it might break the tpm).
    I can't add a new passphrase to the device because I only have the recovery key, not the actual passphrase. 'sudo cryptsetup luksAddKey /dev/nvme0n1p4' asks me to enter the current passphrase, which I can't because I don't have it.
    If nothing works then I'll just reinstall, I still have all data in a backup, so this would not be a big deal.

    There needs to be a way for the user to get the actual passphrase that is used for encryption.

    The actual passphrase for the encrypted partition gets generated during the setup process, it then said that I can get the recovery key by typing 'sudo snap recovery --show-keys', but again, the recovery key can only be used to unlock the drive during boot,
    not to change/add the actual passphrase.

  4. #4
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TPM no longer unlocks device

    I didn't find this in the LUKS docs... But did find mention of it in a discussion of the Debian cryptsetup discussions. When the installer asks if you want a backup recovery key, it then generates a passphrase to use as a recovery key, and stores it in LUKS key-slot 2... So when you add another passphrase, keyfile or use TPM2 systemd-cryptenroll, you can use that recovery-key passphrase to update it or add more keys...

    RE: https://0pointer.net/blog/unlocking-...stemd-248.html
    There's still plenty room for further improvement in all of this. In particular for the TPM2 case: what the text above doesn't really mention is that binding your encrypted volume unlocking to specific software versions (i.e. kernel + initrd + OS versions) actually sucks hard: if you naively update your system to newer versions you might lose access to your TPM2 enrolled keys (which isn't terrible, after all you did enroll a recovery key — right? — which you then can use to regain access). To solve this some more integration with distributions would be necessary: whenever they upgrade the system they'd have to make sure to enroll the TPM2 again — with the PCR hashes matching the new version. And whenever they remove an old version of the system they need to remove the old TPM2 enrollment.
    I just started reading this, which may help you. Not positive yet if something from there can be used to re-key the TPM yet, but looks promising.
    RE: https://blastrock.github.io/fde-tpm-sb.html

    It has instructions on how to write it to the tpm initially... In a new install.

    But... I still feel that this was a known risk, and should be brought up to launchpad. As it said... It is experimental. I think this is going to happen to other people also, not just you. And not sure yet, if there is yet some kind of dkms process that reseals the TPM for a Kernel Update. As mentioned in the quotes above. I'm pretty sure that is in place... But if in place, there might be a mechanism there, to re-enroll your tpm.

    Thinking.
    Last edited by MAFoElffen; October 18th, 2023 at 06:34 AM.

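
The quoted paragraph above says that a TPM2-enrolled LUKS key is bound to specific firmware and software versions, and that a naive update can lock you out until you re-enroll. The following is an added example, not code from this thread or from systemd or Ubuntu: it models, in pure Python, how measured boot extends PCRs and how a TPM2 PolicyPCR digest is derived from them, so you can see exactly why a firmware update that changes PCR 0 breaks a seal against PCRs 0, 2 and 7 while a seal against PCR 7 alone survives, and why re-sealing against the post-update PCRs fixes it. The boot event lists are constructed sample data, the byte encodings follow the TPM 2.0 structures only approximately, and a real TPM keeps the sealed secret encrypted under a storage key rather than comparing policies in software.

```python
"""Model of why a PCR-bound TPM2 seal stops unlocking after a firmware update.

Added example; not code from the forum thread, systemd or Ubuntu. Runs
without a TPM. Encodings are an approximation of the TPM 2.0 spec and are
not guaranteed to match real hardware bit-for-bit.
"""
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

PCR_ZERO = bytes(32)                          # SHA-256 bank value at power-on
TPM_CC_POLICY_PCR = (0x0000017F).to_bytes(4, "big")
TPM_ALG_SHA256 = (0x000B).to_bytes(2, "big")


def extend(pcrs: Dict[int, bytes], index: int, event: bytes) -> None:
    """PCR[i] <- H(PCR[i] || H(event)); the only operation that changes a PCR."""
    digest = hashlib.sha256(event).digest()
    pcrs[index] = hashlib.sha256(pcrs.get(index, PCR_ZERO) + digest).digest()


def boot(events: Iterable[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Replay a measured-boot event log into final PCR values."""
    pcrs: Dict[int, bytes] = {}
    for index, event in events:
        extend(pcrs, index, event)
    return pcrs


def pcr_selection(indices: List[int]) -> bytes:
    """Approximate TPML_PCR_SELECTION: one SHA-256 bank, 3-byte PCR bitmap."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return (1).to_bytes(4, "big") + TPM_ALG_SHA256 + bytes([3]) + bytes(bitmap)


def policy_pcr(pcrs: Dict[int, bytes], indices: List[int]) -> bytes:
    """TPM2_PolicyPCR: H(0^32 || CC_PolicyPCR || selection || H(selected PCRs))."""
    indices = sorted(indices)
    pcr_digest = hashlib.sha256(b"".join(pcrs.get(i, PCR_ZERO) for i in indices)).digest()
    return hashlib.sha256(PCR_ZERO + TPM_CC_POLICY_PCR + pcr_selection(indices) + pcr_digest).digest()


def seal(secret: bytes, pcrs: Dict[int, bytes], indices: List[int]) -> Tuple[bytes, bytes]:
    """Bind a secret to the current PCR state. Model only: the 'blob' holds the
    policy digest and the secret in the clear; a real TPM encrypts the secret."""
    return (policy_pcr(pcrs, indices), secret)


def unseal(blob: Tuple[bytes, bytes], pcrs: Dict[int, bytes], indices: List[int]) -> Optional[bytes]:
    """Release the secret only if the live PCR policy equals the sealed one."""
    expected_policy, secret = blob
    return secret if policy_pcr(pcrs, indices) == expected_policy else None


# Constructed measured-boot logs (sample data, not real UEFI event logs).
FIRMWARE_1_10 = [
    (0, b"UEFI firmware build 1.10"),      # PCR0: platform firmware code
    (2, b"NVMe option ROM 3.1"),           # PCR2: option ROMs / pluggable firmware
    (7, b"SecureBoot=1"),                  # PCR7: Secure Boot state and the
    (7, b"db: vendor UEFI CA 2011"),       #       certificates used to verify shim
    (7, b"shim verified by db entry"),
]
# Same machine after a firmware update: only the PCR0 measurement changes.
FIRMWARE_1_11 = [(0, b"UEFI firmware build 1.11")] + FIRMWARE_1_10[1:]


def demo() -> Dict[str, bool]:
    before = boot(FIRMWARE_1_10)
    after = boot(FIRMWARE_1_11)
    luks_key = b"constructed stand-in for the random LUKS key-slot secret"
    blob_0_2_7 = seal(luks_key, before, [0, 2, 7])
    blob_7 = seal(luks_key, before, [7])
    return {
        "unlocks_before_update": unseal(blob_0_2_7, before, [0, 2, 7]) == luks_key,
        "unlocks_after_update": unseal(blob_0_2_7, after, [0, 2, 7]) == luks_key,  # PCR0 changed
        "pcr7_only_survives": unseal(blob_7, after, [7]) == luks_key,              # Secure Boot state same
        # Re-enrollment: unlock with the recovery key, then seal again against the new PCRs.
        "reenrolled_unlocks": unseal(seal(luks_key, after, [0, 2, 7]), after, [0, 2, 7]) == luks_key,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The trade-off the model makes visible: every PCR you add to the policy is one more thing that can legitimately change and lock you out. PCR 0 and 2 move on firmware and option-ROM updates; PCR 7 moves only when the Secure Boot policy or signing certificates change, which is why distributions tend to seal against PCR 7 (optionally with a PIN or a signed PCR policy) and always enroll a recovery key alongside.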

  5. #5
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TPM no longer unlocks device

    I'm thinking, if you add one more key to the Luks key-slots, that will give you a fall-back way in, in case something goes wrong... then delete the first key-slot. That should be the TPM key. Gen a key for that, add that key to the first slot, then save that to the TPM.

    The TPM should not be a worry in overwriting a slot, because it was cleared.


  6. #6
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TPM no longer unlocks device

    Okay. I installed 23.10 as encrypted TPM in a VM and zero'ed the TPM so I could replicate the problem and tested this. It works, and should solve your problem.
    Code:
    sudo su
    grep . /etc/crypttab
    # Save the information from the tpm unlock line
    ls -l /dev/disk/by-id
    # Use ls -l /dev/disk/by-id to get the information of this to change "<luks_root_partition>" to that information...
    # That partition will include "-part#" to identify which partition on that disk it is...
    LuksPartition=/dev/disk/by-id/<luks_root_partition>
    # Verify that is the correct partition
    blkid $LuksPartition
    # Verify that the output says TYPE="crypto_LUKS"
    
    cryptsetup -v open --test-passphrase $LuksPartition
    # This will tell you the key-slot of the recovery key ("Key slot N unlocked.")
    
    # add a new key as a backup passphrase
    cryptsetup -v luksAddKey $LuksPartition
    # Enter the recovery key to confirm it
    # Will tell you which key-slot it adds it to
    
    # LUKS2 lists active slots under "Keyslots:" as "  0: luks2"; LUKS1 prints "Key Slot 0: ENABLED"
    cryptsetup luksDump $LuksPartition | grep -E '^ *[0-7]: luks2|Key Slot [0-7]:'
    # Find the other key-slot (1 of 3) that wasn't indicated above
    # Most likely key-slot 0(?)
    
    # Adjust the number at the end of this to that key-slot
    cryptsetup -v luksKillSlot $LuksPartition 0
    # 64 random bytes, hex-encoded on one line, as the new TPM-sealed key
    dd if=/dev/random bs=64 count=1 | xxd -p -c999 | tr -d '\n' > /root/luks_key
    # Low PBKDF cost is acceptable here only because the key is 64 random bytes, not a human passphrase
    cryptsetup luksAddKey $LuksPartition /root/luks_key --pbkdf-force-iterations=4 --pbkdf-parallel=1 --pbkdf-memory=32
    ## Enter any existing passphrase: <enter your existing recovery key or new passphrase here>
    
    # Seal the TPM with the new key...
    tpm2-initramfs-tool seal --data $(cat /root/luks_key) --pcrs 0,2,7
    EDIT: To write this post, I had to use "key-slot" instead of that, without the dash... The Forum filter if done without the dash, filters into ke***** .

    I would back up that TPM key somewhere on a USB Flash Drive, kept somewhere secure, as a backup, in case this happens again, before deleting it from the root user's directory... That way, if it happens again, all you will have to do is rewrite that backed-up key to your TPM.
    Last edited by MAFoElffen; October 18th, 2023 at 03:29 PM. Reason: Added verifications to clarify to user...

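
The procedure in the post above hinges on reading cryptsetup luksDump correctly: which key-slot the TPM-sealed key lives in (the one to kill and re-add), which one holds the recovery key, and which one is a plain passphrase. On LUKS2 that is recorded in the Tokens section rather than as "Key Slot N: ENABLED" lines: systemd-cryptenroll writes a systemd-tpm2 token and a systemd-recovery token, each with a "Keyslot:" field. The following is an added example, not code from this thread or from Ubuntu's installer, that parses a luksDump listing and produces that map. It also flags a point a practitioner should check before running the weak-PBKDF luksAddKey line above: cost parameters like --pbkdf-memory=32 are fine for a 64-byte random key that only the TPM will ever present, but dangerous on any slot a human passphrase might unlock, so the report flags weak PBKDF settings on slots that are not TPM-bound. The dump text is constructed sample data; the token types assume systemd-cryptenroll conventions, and a slot enrolled by other tooling (snapd's FDE, for instance) will simply show as unbound. The weakness thresholds are this example's own choice.

```python
"""Parse `cryptsetup luksDump` output and map key-slots to their purpose.

Added example; not code from the forum thread or from Ubuntu/systemd.
Handles LUKS2 ("Keyslots:"/"Tokens:" sections) and the LUKS1 summary
lines ("Key Slot 0: ENABLED"). SAMPLE_DUMP is constructed sample data.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SECTION_RE = re.compile(r"^([A-Za-z ]+):\s*$")            # "Keyslots:", "Tokens:", ...
ENTRY_RE = re.compile(r"^\s+(\d+): (\S+)\s*$")              # "  0: luks2", "  1: systemd-tpm2"
FIELD_RE = re.compile(r"^\s+([A-Za-z0-9 _-]+?):\s*(.*)$")  # "    Memory:     32"
LUKS1_SLOT_RE = re.compile(r"^Key Slot (\d+): (ENABLED|DISABLED)")


@dataclass
class Entry:
    ident: int
    kind: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_luks_dump(text: str) -> Dict[str, List[Entry]]:
    """Return {section name: [entries]} for the indented sections of a luksDump."""
    sections: Dict[str, List[Entry]] = {}
    section = None
    entry = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sections.setdefault(section, [])
            entry = None
            continue
        m = LUKS1_SLOT_RE.match(line)
        if m:  # LUKS1 has no sections or tokens; record the slot state only
            sections.setdefault("Keyslots", []).append(Entry(int(m.group(1)), m.group(2).lower()))
            continue
        if section is None:
            continue  # top-level header fields (Version, UUID, ...) are not needed here
        m = ENTRY_RE.match(line)
        if m:
            entry = Entry(int(m.group(1)), m.group(2))
            sections[section].append(entry)
            continue
        m = FIELD_RE.match(line)
        if m and entry is not None:
            entry.fields[m.group(1).strip()] = m.group(2).strip()
    return sections


def is_weak_pbkdf(fields: Dict[str, str], min_argon_mem_kib: int = 65536,
                  min_pbkdf2_iters: int = 100000) -> bool:
    """Thresholds are this example's assumption, not cryptsetup defaults."""
    pbkdf = fields.get("PBKDF", "").lower()
    if pbkdf.startswith("argon2"):  # luksDump reports Memory in KiB
        return int(fields.get("Memory", "0")) < min_argon_mem_kib or int(fields.get("Time cost", "0")) < 2
    if pbkdf == "pbkdf2":
        return int(fields.get("Iterations", "0")) < min_pbkdf2_iters
    return False  # unknown KDF or LUKS1 summary line: cannot judge


def analyze(text: str) -> Dict[str, List[int]]:
    """Classify active key-slots by the token bound to them."""
    sections = parse_luks_dump(text)
    slots = [s for s in sections.get("Keyslots", []) if s.kind != "disabled"]
    bound: Dict[int, List[str]] = {}
    for token in sections.get("Tokens", []):
        keyslot = token.fields.get("Keyslot")
        if keyslot is not None:
            bound.setdefault(int(keyslot), []).append(token.kind)
    tpm = sorted(s.ident for s in slots if any(k.endswith("tpm2") for k in bound.get(s.ident, [])))
    return {
        "active_slots": sorted(s.ident for s in slots),
        "tpm_slots": tpm,  # the slot(s) to luksKillSlot and re-enroll after a PCR change
        "recovery_slots": sorted(s.ident for s in slots if "systemd-recovery" in bound.get(s.ident, [])),
        "unbound_slots": sorted(s.ident for s in slots if s.ident not in bound),
        # weak KDF cost on a slot a human passphrase could unlock: fix before relying on it
        "weak_human_slots": sorted(s.ident for s in slots if s.ident not in tpm and is_weak_pbkdf(s.fields)),
    }


# Constructed sample output (shortened) of `cryptsetup luksDump` on a LUKS2 volume.
SAMPLE_DUMP = """\
LUKS header information
Version:        2
UUID:           1b2c3d4e-0000-4000-8000-000000000001
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     32
        Threads:    1
  1: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  5
        Memory:     1048576
        Threads:    4
  2: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  5
        Memory:     1048576
        Threads:    4
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   0+2+7
        tpm2-pcr-bank:    sha256
        Keyslot:    0
  1: systemd-recovery
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On a live system, feed it the real listing with `sudo cryptsetup luksDump /dev/disk/by-id/<luks_root_partition> | python3 this_script.py` after replacing the sample with `sys.stdin.read()`. The slot to kill before re-sealing is the one in `tpm_slots`; if that list is empty but you know a TPM-enrolled slot exists, the enrollment tool did not leave a systemd-style token and you must identify the slot by elimination, exactly as the `--test-passphrase` step in the post does.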

  7. #7
    Join Date
    Jun 2023
    Beans
    6

    Re: TPM no longer unlocks device

    Thank you for taking the time to write this answer, but I cannot follow along because the recovery key apparently doesn't count as one of the passphrases for the encrypted drive. Unlocking at boot works with the recovery key, but for example ' cryptsetup -v luksAddKey $LuksPartition' asks for 'any available passphrase', but does not accept the recovery key.
    I'm going to reinstall.

  8. #8
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TPM no longer unlocks device

    Dang. The docs say the recovery key is considered as a passphrase. It worked on the VM I created, but then again, I setup the recovery key during the install and backed it up to a USB drive, just after the install completed, before rebooting for the first reboot...

    That doesn't work on yours as a passphrase? It works on this VM(???) Oh well.

    Wait... --showkeys should not work for you with LUKS2. Did that show you a key? Nevermind, I respun it and saw it again...
    Code:
    sudo snap recovery --show-keys
    Yes. If the key doesn't count as a passphrase on yours, then you have no choice but to re-install, because you cannot add or change a key without a valid passphrase or a key file....

    EDIT: You are right, It lets me open the volumes... with the recovery key... Only on boot... But that is not what is being used to unlock the LUKS containers directly, both /dev/sda3 and /dev/sda4 (both are LUKS...)
    Last edited by MAFoElffen; October 18th, 2023 at 11:27 PM.


  9. #9
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: TPM no longer unlocks device

    I started this Bug Report, as i could recreate what was going on: https://bugs.launchpad.net/ubuntu-de...r/+bug/2039741

    You might want to select the link as "Also affected"... So they know it is not just an isolated, one-time, only affects one-user kind of thing.


  10. #10
    Join Date
    Jun 2023
    Beans
    6

    Re: TPM no longer unlocks device

    Thank you for taking the time to look into this. Bugs are bad, but I'm kinda happy that you can confirm my issue.
    Kind of crazy that we found this, verifying that the recovery key is actually useful for unlocking the disk should've been tested more thoroughly.
    Thank you for creating the bug report.

    I reinstalled without tpm encryption, I'll have to look into involving the tpm in a post-installation scenario.
