Bug#1080390: shim-signed: Unable to unlock disk via TPM2 after update to 1.44+15.8 in bookworm
Package: shim-signed
Version: 1.44~1+deb12u1+15.8-1~deb12u1
Severity: important
Dear Maintainer,

after updating the shim-signed package to 1.44~1+deb12u1+15.8~deb12u1,
unlocking the LUKS drive automatically via the TPM as enrolled through
systemd-cryptenroll fails because the value of PCR 7 changes.

This is problematic in our setup, because only the IT administrator
has the LUKS passphrase which can be used as a fallback unlock method.
Therefore, manual intervention for unlocking and re-enrolling the TPM
is needed.

At least a NEWS entry should be displayed before the update, and
possibly a solution to automatically re-enroll after a successful unlock
via passphrase added (via systemd unit file? maybe a systemd wishlist
item? `keyctl update` to reseal?).

In any case, a blind update causes a serious regression for us. We
understand this is intended behavior, but we should at least have
a way to know before applying the update.

Thanks!
Matteo Settenvini
Here is the LUKS setup:
-----------------------------------------------------
LUKS header information
Version:        2
Epoch:          6
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           bd26d0e0-251d-44e8-8c90-360fe990d412
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  14
        Memory:     1048576
        Threads:    4
        Salt:       07 d3 6a cf 4c c3 d7 c9 53 a9 69 e2 ef b9 79 2c
                    21 88 74 3a df 64 1a 91 63 18 b8 36 d8 7c e8 e5
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 1000
        Salt:       6d 56 24 f6 82 e1 7a 50 37 12 50 db f5 0c 55 c4
                    38 68 2c 27 61 bf 46 ce f5 e6 d1 4a 99 12 b8 b8
        AF stripes: 4000
        AF hash:    sha512
        Area offset:290816 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
  2: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  14
        Memory:     1048576
        Threads:    4
        Salt:       10 30 2f 6d 11 a7 24 60 a5 f2 8b 4a 13 f5 cc 27
                    08 d6 e2 ba a1 57 0b d9 37 a4 ef 8f 6f bc 95 f9
        AF stripes: 4000
        AF hash:    sha256
        Area offset:548864 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0

Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        tpm2-pubkey:
                    (null)
        tpm2-pubkey-pcrs: n/a
        tpm2-primary-alg: ecc
        tpm2-blob:  00 9e 00 20 28 74 43 7e c3 54 e2 d6 06 94 56 db
                    8f e0 ff 30 3f 9a df 8b 54 f0 fe 1c 92 5f 87 28
                    06 c3 9d e8 00 10 36 c0 56 41 85 e8 65 58 f3 4a
                    c4 83 56 29 78 2b 95 f5 78 8a 6b dc 10 42 e8 0e
                    b9 f6 d6 a4 6f 42 0e bc 55 e2 67 69 51 38 04 3b
                    93 29 21 1f 42 af f3 98 0d b3 bd 1b dc 54 d9 99
                    a3 cf 0e b9 0e 9d da 3f 48 47 c3 ea 38 c8 80 ff
                    cb 1d 2a 59 7d 8a 53 ad bf 99 f9 92 0a a5 e5 61
                    e6 a1 00 c7 b5 a2 4c d9 2c de 21 5a b5 bf 82 c2
                    4e 05 4e 5b c9 11 21 57 5a ad 9a 3d 8e f7 3b 33
                    00 4e 00 08 00 0b 00 00 00 12 00 20 d3 ef d1 d5
                    46 82 85 64 9e f0 88 2e 22 59 9b 59 c0 24 83 07
                    0e 95 fc 38 0e 73 cb da 63 89 56 6c 00 10 00 20
                    6f 82 6a a3 04 80 95 03 7b 63 c6 af 22 53 c5 f4
                    d6 d6 1e bf 1a 0d 29 19 e4 0b 90 8b e1 60 73 54
        tpm2-policy-hash:
                    d3 ef d1 d5 46 82 85 64 9e f0 88 2e 22 59 9b 59
                    c0 24 83 07 0e 95 fc 38 0e 73 cb da 63 89 56 6c
        tpm2-pin:   false
        Keyslot:    1

Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 356173
        Salt:       76 84 f0 bb f4 64 6c f4 4e 47 28 4f fb c5 44 8b
                    19 33 db e9 a6 e7 e9 02 d0 be 94 e3 47 24 42 25
        Digest:     72 cb 20 43 56 1d f5 fe 79 ff 99 81 9a 9f 8d a3
                    c1 1e 8d 47 06 c7 66 38 cb e9 77 2c 53 2e 36 26
-----------------------------------------------------
And these are the values before and after the update:
BEFORE:
-----------------------------------------------------
root@de013-cx4274:~# cat 20240902-last-PCR-Dump-S.txt
sha1:
sha256:
0 : 0x560AFD9ABC6C9DE6AA183A833AE71258F17A21D9EBC45CC2EF4CBE32DC94A564
1 : 0xF358E4875E329F97733629B113F5AAD170BC123C27EE687BBDA8F0266B1A28E5
2 : 0x46EE38507CD391F4A3C2B4FBF4937C1777BF2BD60C4C29FD4242C99C00A9130A
3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
4 : 0xCE0BD5054631786D3DD503B9BB6F12D28E94EB3C20AE0B296EF3EAA0177BA2D2
5 : 0x600EC56C092AE91E97F695401EDCCC6CD1A25B44B32CED97FB65A26CDBA451FD
6 : 0x3636543C936F42EAF3AD6CB84454E7938270FF51F40F493B462A32A87CC3F81A
7 : 0xB1B70331A88FA4D1B37FDB0C6969CCB4E51EE7392907664D1831A60117D64AE8
8 : 0xF83E55D2158D140D8FC42E6754CFBEDF9D11944F1193127DFF29D96879E5009E
9 : 0x75FDD30EC254AEE5879804723DBC6FCE579C50DBFB0893343EE12A3B058D572E
10: 0x6280FA9545FA8F49B9DCD4C10462F8F63983BDAF4505F81288FBD600548E51AA
11: 0x0000000000000000000000000000000000000000000000000000000000000000
12: 0x0000000000000000000000000000000000000000000000000000000000000000
13: 0x0000000000000000000000000000000000000000000000000000000000000000
14: 0x654BF590AB03D79F71261BCA2F4273CBFA5FD2E414BA312F4A65CD13981F6A1D
15: 0x0000000000000000000000000000000000000000000000000000000000000000
16: 0x0000000000000000000000000000000000000000000000000000000000000000
17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
23: 0x0000000000000000000000000000000000000000000000000000000000000000
sha384:
sha3_256:
sha3_384:
-----------------------------------------------------
AFTER:
-----------------------------------------------------
root@de013-cx4274:~# tpm2_pcrread
sha1:
sha256:
0 : 0x560AFD9ABC6C9DE6AA183A833AE71258F17A21D9EBC45CC2EF4CBE32DC94A564
1 : 0x26549FF408E68E54E5FEB6F9814D8848EB8ED3C3D049729533C9B32E0335370A
2 : 0x46EE38507CD391F4A3C2B4FBF4937C1777BF2BD60C4C29FD4242C99C00A9130A
3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
4 : 0x9DEFEC70F9EB3B5E2A7FDF418C54B698B3B39AFCF9B5153AC9A471FD3112AB45
5 : 0x600EC56C092AE91E97F695401EDCCC6CD1A25B44B32CED97FB65A26CDBA451FD
6 : 0x3636543C936F42EAF3AD6CB84454E7938270FF51F40F493B462A32A87CC3F81A
7 : 0x744B05D4526FC8C4C1A20267B171CB5EED143D1E4CD807693473C482EA3826CB
8 : 0xF83E55D2158D140D8FC42E6754CFBEDF9D11944F1193127DFF29D96879E5009E
9 : 0x75FDD30EC254AEE5879804723DBC6FCE579C50DBFB0893343EE12A3B058D572E
10: 0x3D399603A532FDD2E3DDF673848DE34E764A7291360D68A1B1162AC25D82994B
11: 0x0000000000000000000000000000000000000000000000000000000000000000
12: 0x0000000000000000000000000000000000000000000000000000000000000000
13: 0x0000000000000000000000000000000000000000000000000000000000000000
14: 0x654BF590AB03D79F71261BCA2F4273CBFA5FD2E414BA312F4A65CD13981F6A1D
15: 0x0000000000000000000000000000000000000000000000000000000000000000
16: 0x0000000000000000000000000000000000000000000000000000000000000000
17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
23: 0x0000000000000000000000000000000000000000000000000000000000000000
sha384:
sha3_256:
sha3_384:
-----------------------------------------------------
-- System Information:
Debian Release: 12.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-25-amd64 (SMP w/20 CPU threads; PREEMPT)
Kernel taint flags: TAINT_AUX
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages shim-signed depends on:
ii grub-efi-amd64-bin 2.06-13+deb12u1
ii grub2-common 2.06-13+deb12u1
ii shim-helpers-amd64-signed 1+15.8+1~deb12u1
ii shim-signed-common 1.44~1+deb12u1+15.8-1~deb12u1
shim-signed recommends no packages.
shim-signed suggests no packages.
-- no debconf information
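The dumps in the report show the enrolled systemd-tpm2 token bound to PCR 7 of the sha256 bank, and PCR 7 (along with 1, 4 and 10) changing across the shim update. The following script is an added example and is not part of the bug report, of shim or of systemd: it parses the two text formats quoted above (`tpm2_pcrread` output and the token section of `cryptsetup luksDump`), diffs the PCR banks between a saved dump and a current one, and reports which keyslots are sealed against a PCR that changed and therefore need re-enrolling. The sample inputs are constructed from the values in the report, trimmed to a few PCRs; the function and variable names are the example's own.

```python
# Added example, not code from the bug report, shim or systemd. Diffs two
# tpm2_pcrread dumps and checks the result against the systemd-tpm2 token(s)
# of a cryptsetup luksDump to predict which keyslots will no longer auto-unlock.
import re

BANK_LINE = re.compile(r"^\s*(sha1|sha256|sha384|sha3_256|sha3_384)\s*:\s*$")
PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")
ENTRY_LINE = re.compile(r"^(\d+):\s+(\S+)$")          # e.g. "0: systemd-tpm2"


def parse_pcrread(text: str) -> dict[str, dict[int, str]]:
    """tpm2_pcrread output -> {bank: {pcr index: lower-case hex value}}."""
    banks: dict[str, dict[int, str]] = {}
    bank = None
    for line in text.splitlines():
        m = BANK_LINE.match(line)
        if m:
            bank = m.group(1)
            banks.setdefault(bank, {})
            continue
        m = PCR_LINE.match(line)
        if m and bank is not None:
            banks[bank][int(m.group(1))] = m.group(2).lower()
    return banks


def changed_pcrs(before: str, after: str, bank: str) -> set[int]:
    """Indices whose value differs (or is missing) between two dumps of a bank."""
    b = parse_pcrread(before).get(bank, {})
    a = parse_pcrread(after).get(bank, {})
    return {i for i in set(b) | set(a) if b.get(i) != a.get(i)}


def parse_tpm2_tokens(luks_dump: str) -> list[dict]:
    """systemd-tpm2 tokens of a luksDump -> [{bank, pcrs, keyslot}]."""
    tokens: list[dict] = []
    cur = None
    in_tokens = False
    for line in luks_dump.splitlines():
        s = line.strip()
        if s == "Tokens:":
            in_tokens = True
        elif not in_tokens:
            continue
        elif s == "Digests:":                  # token section is over
            break
        elif ENTRY_LINE.match(s):              # a new token block starts
            kind = ENTRY_LINE.match(s).group(2)
            cur = None                         # other token types carry no PCR policy
            if kind == "systemd-tpm2":
                cur = {"bank": "sha256", "pcrs": set(), "keyslot": None}
                tokens.append(cur)
        elif cur is not None and ":" in s:     # "key: value" lines of the token
            key, val = (p.strip() for p in s.split(":", 1))
            if key == "tpm2-hash-pcrs":        # "7" or "0+7" style PCR lists
                cur["pcrs"] = {int(x) for x in re.findall(r"\d+", val)}
            elif key == "tpm2-pcr-bank":
                cur["bank"] = val
            elif key == "Keyslot":
                cur["keyslot"] = int(val)
    return tokens


def unlock_at_risk(before: str, after: str, luks_dump: str) -> list[dict]:
    """Per TPM2 token: the bound PCRs that changed; any hit means auto-unlock fails."""
    report = []
    for tok in parse_tpm2_tokens(luks_dump):
        affected = tok["pcrs"] & changed_pcrs(before, after, tok["bank"])
        report.append({"keyslot": tok["keyslot"], "bank": tok["bank"],
                       "bound": tok["pcrs"], "affected": affected,
                       "needs_reenroll": bool(affected)})
    return report


# Constructed sample inputs: values copied from the report, trimmed to four
# PCRs of the sha256 bank and to the token fields the check needs.
BEFORE_DUMP = """\
sha256:
  0 : 0x560AFD9ABC6C9DE6AA183A833AE71258F17A21D9EBC45CC2EF4CBE32DC94A564
  1 : 0xF358E4875E329F97733629B113F5AAD170BC123C27EE687BBDA8F0266B1A28E5
  7 : 0xB1B70331A88FA4D1B37FDB0C6969CCB4E51EE7392907664D1831A60117D64AE8
  10: 0x6280FA9545FA8F49B9DCD4C10462F8F63983BDAF4505F81288FBD600548E51AA
"""
AFTER_DUMP = """\
sha256:
  0 : 0x560AFD9ABC6C9DE6AA183A833AE71258F17A21D9EBC45CC2EF4CBE32DC94A564
  1 : 0x26549FF408E68E54E5FEB6F9814D8848EB8ED3C3D049729533C9B32E0335370A
  7 : 0x744B05D4526FC8C4C1A20267B171CB5EED143D1E4CD807693473C482EA3826CB
  10: 0x3D399603A532FDD2E3DDF673848DE34E764A7291360D68A1B1162AC25D82994B
"""
LUKS_TOKENS = """\
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        tpm2-pin:         false
        Keyslot:          1
Digests:
  0: pbkdf2
"""

if __name__ == "__main__":
    for r in unlock_at_risk(BEFORE_DUMP, AFTER_DUMP, LUKS_TOKENS):
        print(r)
```

In practice the "before" dump is one saved right after enrolment (the report's `20240902-last-PCR-Dump-S.txt`), and the "after" dump is `tpm2_pcrread` on the first boot with the new shim; a non-empty `affected` set for a keyslot explains the failed unlock and tells the administrator which keyslot to re-enrol once the volume has been opened with the passphrase. Because PCR values only extend forward, nothing in the tool can recompute the old value; it can only report the mismatch.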