
Add LUKS support via Clevis TPM 2 token #1200

Merged (5 commits, Nov 4, 2024)
Conversation

danzatt
Contributor

@danzatt danzatt commented Apr 16, 2024

tldr; Add a LuksScanner actor which scans all crypt devices using cryptsetup luksDump. Don't inhibit when all devices are LUKS2 with a clevis TPM2 token.

So far, upgrades with encrypted drives were not supported. Encrypted
drives require interactively typing unlock passphrases, which is not
suitable for automatic upgrades using Leapp. We add a feature, where
systems with all drives configured with automatic unlock method can be
upgraded.

Currently, we only support drives configured with Clevis/TPM2 token,
because networking is not configured during Leapp upgrade (excluding
NBDE).

We consume LuksDumps message to decide whether the upgrade process
should be inhibited. If there is at least one LUKS2 device without
Clevis TPM2 binding, we inhibit the upgrade because we cannot tell if
the device is not a part of a more complex storage stack and the failure
to unlock the device might cause a boot problem.

Note that IPU 7 -> 8 with encrypted devices stays unsupported / inhibited.
The new solution is applied only for upgrades from RHEL 8+.

jira: RHEL-3294

This PR introduces new shortened URLs:

/cc @pirat89


Thank you for contributing to the Leapp project!

Please note that every PR needs to comply with the Leapp Guidelines and must pass all tests in order to be mergeable.
If you want to request a review or rebuild a package in copr, you can use the following commands as a comment:

  • review please @oamg/developers to notify leapp developers of the review request
  • /packit copr-build to submit a public copr build using packit

Packit will automatically schedule regression tests for this PR's build and latest upstream leapp build. If you need a different version of leapp, e.g. from PR#42, use /packit test oamg/leapp#42
Note that first time contributors cannot run tests automatically - they will be started by a reviewer.

It is possible to schedule specific on-demand tests as well. Currently 2 test sets are supported, beaker-minimal and kernel-rt, both can be used to be run on all upgrade paths or just a couple of specific ones.
To launch on-demand tests with packit:

  • /packit test --labels kernel-rt to schedule kernel-rt tests set for all upgrade paths
  • /packit test --labels beaker-minimal-8.10to9.4,kernel-rt-8.10to9.4 to schedule kernel-rt and beaker-minimal test sets for 8.10->9.4 upgrade path

See other labels for particular jobs defined in the .packit.yaml file.

Please open a ticket in case you experience a technical problem with the CI. (RH internal only)

Note: In case there are problems with tests not being triggered automatically on new PR/commit or pending for a long time, please contact leapp-infra.

@danzatt danzatt force-pushed the add-luks-support branch 4 times, most recently from 9fa57ae to f8346e4 Compare April 19, 2024 14:22
@danzatt danzatt changed the title [WIP] Add LUKS support Add LUKS support Apr 22, 2024
@pirat89
Member

pirat89 commented Apr 22, 2024

@danzatt Hi Dan \o most likely I will get to the review during early May or later June. We are dealing now with additional stuff.

@danzatt danzatt changed the title Add LUKS support Add LUKS support via Clevis TPM 2 token Apr 24, 2024
@pirat89 pirat89 added the enhancement New feature or request label May 10, 2024
@pirat89
Member

pirat89 commented May 10, 2024

/packit test

@danzatt danzatt force-pushed the add-luks-support branch from f8346e4 to d7693a8 Compare May 21, 2024 13:31
@pirat89
Member

pirat89 commented May 22, 2024

@danzatt I haven't gone through the whole code yet, but covered most of it. I found some things that could be changed, and some that need to be changed. I do not expect I will find anything else in the rest of the code (and not sure when I will get to it), but I am letting you know about that in advance, in case you would like to wait for the full review.

@danzatt danzatt force-pushed the add-luks-support branch from d7693a8 to ff4adae Compare June 24, 2024 17:06
@danzatt
Contributor Author

danzatt commented Jun 24, 2024

Hello @pirat89 thanks for the review! I've hopefully addressed all your remarks now.

Member

@pirat89 pirat89 left a comment


It's mostly ok. Just some minor changes should be done. Let's sync during the day to discuss it.

@pirat89
Member

pirat89 commented Aug 2, 2024

/packit copr-build

@pirat89
Member

pirat89 commented Aug 2, 2024

/packit copr-build

@pirat89 pirat89 force-pushed the add-luks-support branch 2 times, most recently from 24a3baa to 6e3163d Compare August 2, 2024 11:59
@pirat89
Member

pirat89 commented Aug 6, 2024

/packit copr-build

@pirat89 pirat89 added the report Any reports have been added / removed / changed in the PR label Aug 6, 2024
@pirat89
Member

pirat89 commented Oct 9, 2024

/packit copr-build

pirat89 previously approved these changes Oct 9, 2024
Member

@pirat89 pirat89 left a comment


I will wait for another co-review before merging as I helped with some parts of the code but for now I consider it ready to merge from my side. I will possibly do some additional testing before the merge too.

Modify the StorageInfo model to include path and name of the parent
device. Use StorageScanner to collect this information.

Moreover fix lsblk test, there should be a full device path in "lsblk
-pbnr" output (just names were used in the original test).
pirat89 previously approved these changes Oct 15, 2024
@pirat89
Member

pirat89 commented Oct 15, 2024

/packit copr-build

Member

@matejmatuska matejmatuska left a comment


Codewise okay, just a few non-blocking minor suggestions :).

@dkubek
Member

dkubek commented Oct 17, 2024

I went over the code and up to some details it looks good. I manually tested that the upgrade is inhibited on 8->9. Also performed a successful upgrade on a VM with TPM.

danzatt and others added 3 commits October 18, 2024 07:34
Add LuksScanner actor that runs 'cryptsetup luksDump' for all 'crypt'
from lsblk output. The output is then parsed and filled into LuksDump
and LuksToken models.

The LuksDump model contains information about LUKS version, device UUID,
corresponding device path, name of the backing device (which contains
the LUKS header) and a list of LuksToken models.

LuksToken model represents a token associated with the given LUKS
device. It contains token ID, IDs of associated keyslot and token type.
If the token type is "clevis", we use "clevis luks list" command to
determine the clevis-specific subtype and append it to the token name.
E.g. if there is a "clevis" token and "clevis luks list" returns "tpm2",
the token type will be "clevis-tpm2".

So far, upgrades with encrypted drives were not supported. Encrypted
drives require interactively typing unlock passphrases, which is not
suitable for automatic upgrades using Leapp. We add a feature, where
systems with all drives configured with automatic unlock method can be
upgraded.

Currently, we only support drives configured with Clevis/TPM2 token,
because networking is not configured during Leapp upgrade (excluding
NBDE).

We consume LuksDumps message to decide whether the upgrade process
should be inhibited. If there is at least one LUKS2 device without
Clevis TPM2 binding, we inhibit the upgrade because we cannot tell if
the device is not a part of a more complex storage stack and the failure
to unlock the device might cause a boot problem.

Co-authored-by: Petr Stodůlka <[email protected]>

The actor nowadays does more than just inhibiting the upgrade when
LUKS is detected. Let's rename it to respect current behaviour.
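A worked illustration of the scanning and inhibition logic described in the PR description and in the LuksScanner commit message above. This is an added example, not the project's own actor code: it parses constructed `cryptsetup luksDump` and `clevis luks list` output into dicts shaped like the LuksDump/LuksToken models and applies the PR's rule (inhibit unless every device is LUKS2 with a clevis-tpm2 token). The sample outputs, the dict field names and the keyslot-to-pin mapping are assumptions.

```python
import re

# Constructed sample of `cryptsetup luksDump` output for a LUKS2 device with a clevis token (trimmed).
LUKS2_DUMP = """\
LUKS header information
Version:       \t2
UUID:          \t4c1c2f0e-0000-4000-8000-000000000001
Keyslots:
  0: luks2
\tKey:        512 bits
  1: luks2
\tKey:        512 bits
Tokens:
  0: clevis
\tKeyslot:    1
Digests:
  0: pbkdf2
"""
# Constructed sample for a LUKS1 device (LUKS1 headers carry no tokens at all).
LUKS1_DUMP = "LUKS header information for /dev/vda2\n\nVersion:       \t1\nUUID:          \t4c1c2f0e-0000-4000-8000-000000000002\n"
# Constructed sample of `clevis luks list -d <dev>` output: one "<keyslot>: <pin> '<config>'" line per binding.
CLEVIS_LIST = "1: tpm2 '{\"hash\":\"sha256\",\"key\":\"rsa\"}'\n"

def parse_clevis_list(output):
    """Map keyslot -> clevis pin (tpm2, tang, sss) from `clevis luks list` output."""
    return {int(m.group(1)): m.group(2) for m in re.finditer(r"^(\d+): (\S+)", output, re.M)}

def parse_luks_dump(dump, clevis_pins=None):
    """Return a dict shaped like the LuksDump model (version, uuid, tokens). A "clevis"
    token is renamed "clevis-<pin>" using the pin bound to its keyslot, as the PR describes."""
    version = int(re.search(r"^Version:\s*(\d+)", dump, re.M).group(1))
    uuid = re.search(r"^UUID:\s*(\S+)", dump, re.M).group(1)
    tokens = []
    section = re.search(r"^Tokens:\n(.*?)(?=^\S|\Z)", dump, re.M | re.S)  # up to the next top-level header
    if version == 2 and section:
        for tok in re.finditer(r"^[ \t]+(\d+): (\S+)\n((?:[ \t]+[A-Za-z].*\n)*)", section.group(1), re.M):
            tid, ttype = int(tok.group(1)), tok.group(2)
            slots = [int(s) for s in re.findall(r"Keyslot:\s+(\d+)", tok.group(3))]
            pins = {clevis_pins[s] for s in slots if clevis_pins and s in clevis_pins}
            if ttype == "clevis" and len(pins) == 1:
                ttype = "clevis-" + pins.pop()
            tokens.append({"token_id": tid, "keyslots": slots, "token_type": ttype})
    return {"version": version, "uuid": uuid, "tokens": tokens}

def upgrade_inhibited(dumps):
    """The PR's rule: inhibit if any device is not LUKS2 or has no clevis-tpm2 token."""
    return any(d["version"] != 2 or not any(t["token_type"] == "clevis-tpm2" for t in d["tokens"])
               for d in dumps)
```

A LUKS2 device whose clevis token cannot be matched to a tpm2 pin keeps the bare "clevis" type and therefore still inhibits, which is the safe default the PR description argues for.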
@pirat89
Member

pirat89 commented Oct 18, 2024

/packit copr-build

@pirat89
Member

pirat89 commented Nov 1, 2024

/packit copr-build

Member

@matejmatuska matejmatuska left a comment


Looks alright now, I also went over the changes after @dkubek's review and seems that everything is addressed, but leaving that up to him to approve.

Just note that I didn't test this as it has already been tested by @pirat89 and @dkubek and there weren't functional changes since.

@pirat89
Member

pirat89 commented Nov 4, 2024

From manual testing (VM with emulated tpm2):

  • LUKS1: inhibited
  • converted to LUKS2 (without clevis+tpm2 binding): inhibited
  • bound to clevis+tpm2: passed
  • upgrade: passed

Adding some notes for simpler reproduction of the steps I did:

  • convert L1 -> L2, for usual minimal setup on VM:

    # add cryptsetup to initramfs so the conversion from initramfs is possible
    dracut -f --install cryptsetup
    reboot

    # after reboot, update kernel-cmdline: rd.break=initqueue
    # once in emergency console (typically for minimal VM):
    cryptsetup convert --type luks2 /dev/vda2

  • bind clevis+tpm2:

    # install required rpms
    dnf -y install clevis-luks clevis-dracut

    # set the binding - note that possibly you will want to also set a specific PCR register - in this case, using just default
    clevis luks bind -yd /dev/vda2 tpm2 '{"hash":"sha256","key":"rsa"}'
    dracut -f --regenerate-all

NOTE: shortened URLs are not set yet; they will be updated in upcoming weeks most likely

@pirat89 pirat89 merged commit 8e5fe75 into oamg:main Nov 4, 2024
26 checks passed
@pirat89
Member

pirat89 commented Nov 4, 2024

@danzatt 💯 🎆 it's finally over! thanks for your contribution and help!!

@pirat89 pirat89 added the changelog-checked The merger/reviewer checked the changelog draft document and updated it when relevant label Nov 4, 2024
Labels
changelog-checked The merger/reviewer checked the changelog draft document and updated it when relevant enhancement New feature or request report Any reports have been added / removed / changed in the PR shortened-urls PR is introducing new shortened red.ht URLs