FS#77562 - [systemd] Add systemd-pcrphase-initrd.service to mkinitcpio systemd hook
Attached to Project:
Arch Linux
Opened by Fabian Klemp (Faerbit) - Saturday, 18 February 2023, 12:26 GMT
Last edited by Toolybird (Toolybird) - Saturday, 27 May 2023, 06:22 GMT
Details
Description:
Currently only systemd-pcrphase.service and systemd-pcrphase-sysinit.service are executed. This leads to all hash values in PCR 11 being out-of-sync/wrong, since the expectation from upstream is that systemd-pcrphase-initrd is executed in the initrd (i.e. "enter-initrd" and "leave-initrd" are measured into PCR 11).

Additional info:
* Observed with systemd version 253
* man systemd-measure
* man systemd-pcrphase

Steps to reproduce:
* cd /etc/systemd
* sudo openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private.pem
* sudo openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
* sudo /usr/lib/systemd/ukify --cmdline @/etc/kernel/cmdline-lts --os-release @/usr/lib/os-release --splash /usr/share/systemd/bootctl/splash-arch.bmp --pcrpkey /etc/systemd/tpm2-pcr-public-key.pem --pcr-public-key /etc/systemd/tpm2-pcr-public-key.pem --pcr-private-key /etc/systemd/tpm2-pcr-private-key.pem --secureboot-private-key /usr/share/secureboot/keys/db/db.key --secureboot-certificate /usr/share/secureboot/keys/db/db.pem --pcr-banks=sha256 /boot/vmlinuz-linux-lts /boot/initramfs-linux-lts.img --output=/efi/EFI/Linux/ukify.efi --measure &> ukify_out.log

Adjust paths as necessary. Secureboot is likely irrelevant to this issue, but this is how I tested it on my system.

Compare "systemd-measure measure" output in ukify_out.log to actual values obtained (after boot of ukify.efi) with "/usr/lib/systemd/systemd-measure status"

Suggested remediation:
Add systemd-pcrphase-initrd.service to systemd mkinitcpio hook
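As an added illustration (not part of the bug report, nor systemd's own code), the Python below models how PCR 11 accumulates during boot, assuming a simplified version of the sd-stub/systemd-measure scheme: each UKI section's raw contents is extended into PCR 11 in order, then every systemd-pcrphase run extends it with its phase string. The section contents and phase list are constructed; the point is that a value signed for the "enter-initrd" phase can never match a PCR 11 that was never extended with that phase, which is exactly what happens when systemd-pcrphase-initrd.service is missing from the initrd.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank, as selected above with --pcr-banks=sha256


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2 PCR extend on the SHA-256 bank: new = H(old || H(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def predict_pcr11(sections, phases):
    """Simplified model of systemd-measure's PCR 11 prediction (assumption:
    sd-stub extends PCR 11 with each UKI section's contents in order, then
    every systemd-pcrphase invocation extends it with its phase string)."""
    pcr = bytes(PCR_SIZE)  # PCR 11 starts out all-zero at boot
    for _name, data in sections:
        pcr = pcr_extend(pcr, data)
    for phase in phases:
        pcr = pcr_extend(pcr, phase.encode())
    return pcr


# Constructed stand-in for the measured UKI sections (not a real kernel/initrd).
SECTIONS = [
    (".linux", b"constructed-kernel-image"),
    (".osrel", b'NAME="Arch Linux"\n'),
    (".cmdline", b"root=/dev/mapper/root rw\n"),
    (".initrd", b"constructed-initramfs"),
]


def pcr11_at_rootfs_unlock(initrd_phase_unit_present: bool) -> bytes:
    """PCR 11 as the TPM holds it when the initrd unlocks the root volume.
    With systemd-pcrphase-initrd.service in the initrd, "enter-initrd" has
    already been measured; without it (the bug reported here) nothing has."""
    phases = ["enter-initrd"] if initrd_phase_unit_present else []
    return predict_pcr11(SECTIONS, phases)


def signature_phase_matches(initrd_phase_unit_present: bool) -> bool:
    """Does the value pre-calculated for the enter-initrd phase match the TPM?"""
    signed_for = predict_pcr11(SECTIONS, ["enter-initrd"])
    return signed_for == pcr11_at_rootfs_unlock(initrd_phase_unit_present)


if __name__ == "__main__":
    for present in (True, False):
        print(f"pcrphase-initrd present={present}: "
              f"PCR11={pcr11_at_rootfs_unlock(present).hex()} "
              f"matches pre-calculated value={signature_phase_matches(present)}")
```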
Closed by Toolybird (Toolybird)
Saturday, 27 May 2023, 06:22 GMT
Reason for closing: Fixed
Additional comments about closing: systemd 253.1-3, as confirmed in linked BBS thread.
This will make PCR 11 match the values pre-calculated by `systemd-measure` on my system.
I also filed the following issues upstream:
* https://github.com/systemd/systemd/issues/26428
  Fixes a bug in sd-stub when populating the .pcrsig section in the UKI.
  Already has a fix: https://github.com/systemd/systemd/pull/26445
  Added this to my locally running systemd package, which fixes the issue for me.
* https://github.com/systemd/systemd/issues/26490
  Make the UKI-embedded PCR signature accessible for auto-discovery.
  No response yet upstream, but one might want to consider adding the resulting service to some mkinitcpio hook as well.
  Currently worked around on my system using `tpm2-signature=/.extra/tpm2-pcr-signature.json` in my `/etc/crypttab.initramfs`.
With all of the fixes outlined above applied, I have a working rootfs unlock from my initrd using `systemd-measure` signatures.
I'm not sure how much Arch Linux is interested in making all of this accessible by default, but I figured that since there was no effort to stop the `systemd-pcrphase` services later on in the boot process, the measured values might as well make sense by including `systemd-pcrphase-initrd` in the initrd.
If not yet fixed, things will work if upstream merges.
The service seems to rely on dlopened objects and in the current state just fails w/ an error.