fdo-aio service failed to re-encrypt disk on fedora 39 #605

Closed
yih-redhat opened this issue Jan 19, 2024 · 17 comments
Labels: bug (Something isn't working), jira

Comments

yih-redhat commented Jan 19, 2024

Problem description:
On Fedora 39, install fdo-admin-cli and start fdo-aio.service, then create an iot-simplified-installer image and provision an edge VM with it. Log in to the edge VM and check the fdo client log: it shows that disk re-encryption failed.
Note: if the fdo-aio service is not used, but the standalone fdo-rendezvous-server/fdo-owner-onboarding-server/fdo-manufacturing-server are used instead, it works as expected. For example, this test case works well on Fedora 39: https://github.com/virt-s1/rhel-edge/blob/main/ostree-simplified-installer.sh#L27-L57

Reproduce steps:

  1. Prepare a Fedora 39 machine, install osbuild-composer and fdo-admin-cli.
  2. Configure disk encryption in the fdo config file /etc/fdo/aio/configs/serviceinfo_api_server.yml:

    [root@yih-f39-43243 ~]# cat /etc/fdo/aio/configs/serviceinfo_api_server.yml
    service_info:
      initial_user:
        username: fdouser
        sshkeys:
        - {PUB_KEY}
      files:
      - path: /etc/sudoers.d/fdouser
        source_path: /var/lib/fdo/fdouser
      commands: null
      diskencryption_clevis:
      - disk_label: /dev/vda3
        reencrypt: true
        binding:
          pin: tpm2
          config: '{}'
      additional_serviceinfo: null
      after_onboarding_reboot: false
    bind: 0.0.0.0:8083
    service_info_auth_token: L9222oOWoE/CqdC86H7Rkixer6HFtfyX9m/djUFloSY=
    admin_auth_token: oCKtbbwfiwTJ4kZfPgXBnj2Hxl3pECFxknx4pgbCkWI=
    device_specific_store_driver:
      Directory:
        path: /etc/fdo/aio/stores/serviceinfo_api_devices

  3. Build an iot-simplified-installer image with a blueprint like this:

    name = "installer"
    description = "A rhel-edge simplified-installer image"
    version = "0.0.1"
    modules = []
    groups = []

    [customizations]
    installation_device = "/dev/vda"

    [[customizations.user]]
    name = "simple"
    description = "Administrator account"
    password = "${EDGE_USER_PASSWORD_SHA512}"
    key = "${SSH_KEY_PUB}"
    home = "/home/simple/"
    groups = ["wheel"]

    [customizations.fdo]
    manufacturing_server_url = "http://${FDO_SERVER_ADDRESS}:8080"
    diun_pub_key_insecure = "true"

  4. Provision an edge VM with this image via HTTP boot.
  5. Log in to the edge VM and check the fdo client log:
    Jan 22 06:44:37 localhost.localdomain systemd[1]: Starting fdo-client-linuxapp.service - FDO client...
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.662Z INFO fdo_client_linuxapp > Found device credential at FileSystemPath { path: "/boot/device-credentials", deactivation_method: None }
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.719Z INFO fdo_client_linuxapp > Got TO2 addresses: ["http://10.0.188.165:8081", "http://2620:52:0:bc:60ad:5344:9114:7612:8081", "http://fe80::7d5f:fcee:1fbe:95d0:8081"]
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.719Z INFO fdo_client_linuxapp > Performing TO2 protocol, URL: "http://10.0.188.165:8081"
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.757Z INFO fdo_client_linuxapp::serviceinfo > Username is: fdouser
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.757Z INFO fdo_client_linuxapp::serviceinfo > Keys are present
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.757Z INFO fdo_client_linuxapp::serviceinfo > Creating file "/etc/sudoers.d/fdouser" with 32 bytes (mode 384)
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.766Z INFO fdo_client_linuxapp::serviceinfo > Initiating disk re-encryption, disk-label: /dev/vda3, pin: tpm2, config: {}, reencrypt: true
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.975Z ERROR fdo_client_linuxapp > ServiceInfo failed, error: Error processing returned serviceinfo
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: Caused by:
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 0: Error executing clevis
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 1: Error executing disk encryption for disk label /dev/vda3
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2: Error rebinding clevis
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 3: Error binding clevis
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 4: Failed to bind clevis: ExitStatus(unix_wait_status(256)), stdout: , stderr:
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: Error: Password generation failed - required entropy too low for settings
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: Unable to generate a new key
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: Error adding new binding to /dev/vda3
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]:
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.977Z ERROR fdo_client_linuxapp > Error performing TO2 ownership protocol
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: Caused by:
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: Error performing the ServiceInfo roundtrips with TO2 address http://10.0.188.165:8081
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.977Z INFO fdo_client_linuxapp > Performing TO2 protocol, URL: "http://2620:52:0:bc:60ad:5344:9114:7612:8081"
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.992Z ERROR fdo_client_linuxapp > Error performing TO2 ownership protocol
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: Caused by:
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 0: Error sending HelloDevice
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 1: Error performing request
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2: builder error: invalid port number
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 3: invalid port number with TO2 address http://2620:52:0:bc:60ad:5344:9114:7612:8081
    Jan 22 06:44:37 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:37.993Z INFO fdo_client_linuxapp > Performing TO2 protocol, URL: "http://fe80::7d5f:fcee:1fbe:95d0:8081"
    Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:38.006Z ERROR fdo_client_linuxapp > Error performing TO2 ownership protocol
    Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: Caused by:
    Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 0: Error sending HelloDevice
    Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 1: Error performing request
    Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 2: builder error: invalid port number
    Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 3: invalid port number with TO2 address http://fe80::7d5f:fcee:1fbe:95d0:8081
    Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:38.020Z ERROR fdo_client_linuxapp > Error performing TO1 with ServiceClient { protocol_version: Version1_1, base_url: "http://2620:52:0:bc:60ad:5344:9114:7612:8082", client: Client { accepts: Accepts, proxies: [Proxy(System({}), None)], referer: true, default_headers: {"accept": "/"} }, authorization_token: None, encryption_keys: EncryptionKeys { cipher_suite: None, keys: None }, last_message_type: Some(Error), non_interoperable_kdf_required: None }
    Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:38.021Z ERROR fdo_client_linuxapp > Error Couldn't get TO1 from any Rendezvous server! getting usable To1d from rv_entry RendezvousInterpretedDirective { ip_addresses: Some([IPAddress(2620:52:0:bc:60ad:5344:9114:7612)]), dns_name: None, port: 8082, server_certificate_hash: None, ca_certificate_hash: None, user_input: false, wifi_ssid: None, wifi_password: None, medium: None, protocol: Http, delay: 0, bypass: false }
    Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:38.035Z ERROR fdo_client_linuxapp > Error performing TO1 with ServiceClient { protocol_version: Version1_1, base_url: "http://fe80::7d5f:fcee:1fbe:95d0:8082", client: Client { accepts: Accepts, proxies: [Proxy(System({}), None)], referer: true, default_headers: {"accept": "/"} }, authorization_token: None, encryption_keys: EncryptionKeys { cipher_suite: None, keys: None }, last_message_type: Some(Error), non_interoperable_kdf_required: None }
    Jan 22 06:44:38 localhost.localdomain fdo-client-linuxapp[1192]: 2024-01-22T06:44:38.035Z ERROR fdo_client_linuxapp > Error Couldn't get TO1 from any Rendezvous server! getting usable To1d from rv_entry RendezvousInterpretedDirective { ip_addresses: Some([IPAddress(fe80::7d5f:fcee:1fbe:95d0)]), dns_name: None, port: 8082, server_certificate_hash: None, ca_certificate_hash: None, user_input: false, wifi_ssid: None, wifi_password: None, medium: None, protocol: Http, delay: 0, bypass: false }
  6. Check disk encryption status, it's not encrypted.
    [simple@localhost ~]$ sudo cryptsetup luksDump /dev/vda3
    LUKS header information
    Version:       	2
    Epoch:         	6
    Metadata area: 	16384 [bytes]
    Keyslots area: 	16744448 [bytes]
    UUID:          	bdde839c-f948-46ab-a0c5-f42875b9e80e
    Label:         	crypt_root
    Subsystem:     	(no subsystem)
    Flags:       	(no flags)

    Data segments:
      0: crypt
    	offset: 16777216 [bytes]
    	length: (whole device)
    	cipher: cipher_null-ecb
    	sector: 512 [bytes]

    Keyslots:
      1: luks2
    	Key:        256 bits
    	Priority:   normal
    	Cipher:     aes-xts-plain64
    	Cipher key: 512 bits
    	PBKDF:      pbkdf2
    	Hash:       sha256
    	Iterations: 1000
    	Salt:       a3 08 1f e7 96 cc 97 f0 d1 a5 7d 71 6b bd 3d 55
    	            75 f7 ea e2 b4 a4 65 78 31 1c e5 18 37 7a ae 36
    	AF stripes: 4000
    	AF hash:    sha256
    	Area offset:163840 [bytes]
    	Area length:131072 [bytes]
    	Digest ID:  0
    Tokens:
      0: clevis
    	Keyslot:    1
    Digests:
      0: pbkdf2
    	Hash:       sha256
    	Iterations: 1000
    	Salt:       cc f7 6e b1 2b ee bb 8c 80 bd d9 72 cf a8 1a b1
    	            88 e0 e9 32 3b f4 4d 43 7a a7 60 39 02 cb 71 da
    	Digest:     f4 8f 33 c4 d0 33 6f 6e 62 df 58 25 2a 84 14 3c
    	            d1 0a 69 45 7a 11 f7 96 27 6b 06 d6 28 b8 c3 eb
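A check for step 6 that does not rely on eyeballing the dump, as an added example (not code from this issue or from the fido-device-onboard project): the failing header above still carries a clevis token bound to keyslot 1, yet the only data segment is cipher_null-ecb, so the token alone proves nothing about what is on disk. The script parses the text output of `cryptsetup luksDump`, treats the segment cipher and the `Requirements:` line as the evidence, and classifies the volume as plaintext, reencrypting or encrypted. The embedded samples are constructed by shortening the two dumps in this thread; the "encrypted" sample is hypothetical, and the script file name is an assumption.

```python
"""Classify a LUKS2 volume from the text output of `cryptsetup luksDump`.

Added example, not code from this issue or the fido-device-onboard project.
Live use:  sudo cryptsetup luksDump /dev/vda3 | python3 luks_state.py -
"""
import re
import sys

SECTION_RE = re.compile(r"^(Data segments|Keyslots|Tokens|Digests):\s*$")
ENTRY_RE = re.compile(r"^\s+(\d+):\s*(.*?)\s*$")                   # "  0: crypt", "  1: clevis"
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")  # "cipher: ...", "flags : backup-final"


def parse_luks_dump(text):
    """Return header key/values plus a list of numbered entries per section."""
    dump = {"header": {}, "Data segments": [], "Keyslots": [], "Tokens": [], "Digests": []}
    section, entry = None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            section, entry = m.group(1), None
            continue
        if section is None:                          # "Version: 2", "Requirements: ..."
            m = KV_RE.match(line)
            if m and not line[0].isspace():
                dump["header"][m.group(1)] = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m:                                        # numbered entry inside a section
            entry = {"id": int(m.group(1)), "type": m.group(2)}
            dump[section].append(entry)
            continue
        m = KV_RE.match(line)                        # property of the current entry;
        if m and entry is not None:                  # hex continuation lines have no colon and are skipped
            key, value = m.group(1), m.group(2)
            if key in entry:                         # repeated key, e.g. two "Keyslot:" lines under a token
                entry[key] = (entry[key] if isinstance(entry[key], list) else [entry[key]]) + [value]
            else:
                entry[key] = value
    return dump


def assess(text):
    """Return the state ('plaintext', 'reencrypting', 'encrypted') and the evidence for it."""
    dump = parse_luks_dump(text)
    requirements = dump["header"].get("Requirements", "")
    # backup-previous/backup-final segments exist only during online reencryption;
    # the unflagged segment describes the layout in use
    active = [s.get("cipher", "") for s in dump["Data segments"] if "flags" not in s]
    if "online-reencrypt" in requirements:
        state = "reencrypting"
    elif active and not any(c.startswith("cipher_null") for c in active):
        state = "encrypted"
    else:
        state = "plaintext"
    return {
        "state": state,
        "active_ciphers": sorted(set(active)),
        "clevis_tokens": sum(1 for t in dump["Tokens"] if t["type"] == "clevis"),
        "label": dump["header"].get("Label"),
    }


# Constructed samples, shortened from the two dumps posted in this issue (salts and digests dropped).
FAILED_DUMP = """\
LUKS header information
Version:        2
Label:          crypt_root

Data segments:
  0: crypt
        cipher: cipher_null-ecb
Keyslots:
  1: luks2
        Cipher:     aes-xts-plain64
Tokens:
  0: clevis
        Keyslot:    1
"""
REENCRYPT_DUMP = """\
LUKS header information
Version:        2
Label:          crypt_root
Requirements:   online-reencrypt-v2

Data segments:
  0: crypt
        cipher: cipher_null-ecb
  1: crypt
        cipher: cipher_null-ecb
        flags : backup-previous
  2: crypt
        cipher: aes-xts-plain64
        flags : backup-final
Tokens:
  1: clevis
        Keyslot:    0
        Keyslot:    1
"""
# Hypothetical dump for a volume whose reencryption has finished (not taken from the issue).
ENCRYPTED_DUMP = FAILED_DUMP.replace("cipher_null-ecb", "aes-xts-plain64")

if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else FAILED_DUMP
    print(assess(text))
```

The ordering in `assess` matters: during online reencryption the unflagged segment 0 is still cipher_null, so the `Requirements:` check has to win before the cipher check, otherwise a half-finished reencryption would be reported as plaintext.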

yih-redhat (Author) commented:

@7flying Could you please take a look at this bug?

7flying commented Jan 22, 2024

@yih-redhat can you give me the versions of the FDO packages? I'm going to try to reproduce it out of composer first.

yih-redhat (Author) commented:

[root@yih-f39-43243 ~]# rpm -qa | grep fdo
fdo-rendezvous-server-0.4.12-6.fc39.x86_64
fdo-owner-onboarding-server-0.4.12-6.fc39.x86_64
fdo-owner-cli-0.4.12-6.fc39.x86_64
fdo-manufacturing-server-0.4.12-6.fc39.x86_64
fdo-init-0.4.12-6.fc39.x86_64
fdo-client-0.4.12-6.fc39.x86_64
fdo-admin-cli-0.4.12-6.fc39.x86_64

@7flying 7flying added bug Something isn't working jira labels Jan 25, 2024
@7flying 7flying self-assigned this Jan 30, 2024
7flying commented Feb 1, 2024

@yih-redhat do you have the logs from the rendezvous-server and the owner-onboarding server? Thanks

7flying commented Feb 5, 2024

What I'm consistently getting are errors like this one:

 2024-02-05T11:12:12.572Z WARN  fdo_serviceinfo_api_server > Request with invalid auth token

yih-redhat (Author) commented:

@7flying I have reproduced this bug, and I will send you the env information on Slack.

7flying commented Feb 12, 2024

If we get the full log we see that it is an SELinux denial:

[simple@localhost ~]$ journalctl | grep fdo
Feb 12 09:26:14 localhost.localdomain systemd[1]: Starting fdo-client-linuxapp.service - FDO client...
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.137Z INFO  fdo_client_linuxapp > Found device credential at FileSystemPath { path: "/boot/device-credentials", deactivation_method: None }
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.169Z INFO  fdo_client_linuxapp > Got TO2 addresses: ["http://192.168.1.49:8081", "http://10.45.226.7:8081", "http://fe80::67bb:6b28:931f:f36e:8081", "http://2620:52:0:2de0::1206:8081", "http://fe80::8a46:e9f0:8599:84d9:8081"]
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.169Z INFO  fdo_client_linuxapp > Performing TO2 protocol, URL: "http://192.168.1.49:8081"
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.209Z INFO  fdo_client_linuxapp::serviceinfo > Initiating disk re-encryption, disk-label: /dev/vda3, pin: tpm2, config: {}, reencrypt: true
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.321Z ERROR fdo_client_linuxapp              > ServiceInfo failed, error: Error processing returned serviceinfo
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]: Caused by:
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     0: Error executing clevis
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     1: Error executing disk encryption for disk label /dev/vda3
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     2: Error rebinding clevis
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     3: Error binding clevis
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     4: Failed to bind clevis: ExitStatus(unix_wait_status(256)), stdout: , stderr:
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        Error: Password generation failed - required entropy too low for settings
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        Unable to generate a new key
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        Error adding new binding to /dev/vda3
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.323Z ERROR fdo_client_linuxapp              > Error performing TO2 ownership protocol
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]: Caused by:
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:     Error performing the ServiceInfo roundtrips with TO2 address http://192.168.1.49:8081
Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:  2024-02-12T09:26:14.323Z INFO  fdo_client_linuxapp              > Performing TO2 protocol, URL: "http://10.45.226.7:8081"
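The AVC records above are the whole story: the SYSCALL line shows /usr/bin/pwmake running in the fdo_t domain, and the AVC line shows that domain being refused `search` on the cracklib directory (type crack_db_t) with `permissive=0`, so the access was really blocked and clevis could not generate the new key for the binding. What follows is an added example, not code from this issue or the fido-device-onboard project: it parses AVC records like these, ignores everything else (SYSCALL records, application log lines), groups the denials by source type, target type and object class, and renders each group as the TE `allow` rule that audit2allow would propose. The sample journal is constructed from lines in this thread. The fix agreed in the thread is to upgrade selinux-policy; the rendered rule is for triage, not a recommendation to ship a local policy module.

```python
"""Triage SELinux AVC denials from journal/audit output.

Added example, not code from this issue or the fido-device-onboard project.
"""
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None                                   # SYSCALL records, application logs, etc.
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": f.get("comm"),
        "name": f.get("name"),
        "source_type": f["scontext"].split(":")[2],   # contexts are user:role:TYPE:level
        "target_type": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "enforced": f.get("permissive") == "0",       # permissive=0 means the access was actually blocked
    }


def summarize(lines):
    """Group denials by (source type, target type, class); merge permissions and commands."""
    summary = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source_type"], d["target_type"], d["tclass"])
        e = summary.setdefault(key, {"perms": set(), "comms": set(), "count": 0, "enforced": False})
        e["perms"] |= d["perms"]
        e["comms"].add(d["comm"])
        e["count"] += 1
        e["enforced"] = e["enforced"] or d["enforced"]
    return summary


def te_rules(summary):
    """Render each group as an allow rule in TE syntax (braces are optional for a single permission)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }};"
        for (src, tgt, cls), e in sorted(summary.items())
    ]


# Constructed sample: two AVC records and one SYSCALL record copied from this issue,
# plus one fdo-client line, to show that only the AVC records are counted.
SAMPLE_JOURNAL = [
    'Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0',
    'Feb 12 09:26:14 localhost.localdomain audit[1283]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef6b59a40 a2=0 a3=0 items=0 ppid=1272 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:system_r:fdo_t:s0 key=(null)',
    'Feb 12 09:26:14 localhost.localdomain audit[1283]: AVC avc:  denied  { search } for  pid=1283 comm="pwmake" name="cracklib" dev="dm-1" ino=428846 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0',
    'Feb 12 09:26:14 localhost.localdomain fdo-client-linuxapp[1218]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied',
]

if __name__ == "__main__":
    s = summarize(SAMPLE_JOURNAL)
    for key, e in s.items():
        print(key, e["count"], "denial(s) from", sorted(e["comms"]), "enforced:", e["enforced"])
    print("\n".join(te_rules(s)))
```

On a live box the same records come from `journalctl -k` or `ausearch -m AVC`, and the `exit=-13` (EACCES) in the paired SYSCALL record is what surfaces as "Permission denied" in the clevis stderr quoted earlier.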

7flying commented Feb 12, 2024

Added BZ in Fedora's selinux-policies: https://bugzilla.redhat.com/show_bug.cgi?id=2263852

7flying commented Feb 12, 2024

@yih-redhat in your simplified-installer the fdo-client version is
[simple@localhost ~]$ rpm -qa | grep fdo
fdo-client-0.4.12-4.fc39.x86_64
fdo-owner-cli-0.4.12-4.fc39.x86_64

not fdo-client-0.4.12-6

the issue is not present in 0.4.12-6

nullr0ute commented:

> the issue is not present in 0.4.12-6

Are we sure? The difference between -4 and -6 builds was updated crate dependencies for CVEs. If the problem goes away it might mean a bug was fixed in a crate somewhere by luck but I would be surprised if that was the case.

7flying commented Feb 12, 2024

> > the issue is not present in 0.4.12-6
>
> Are we sure? The difference between -4 and -6 builds was updated crate dependencies for CVEs. If the problem goes away it might mean a bug was fixed in a crate somewhere by luck but I would be surprised if that was the case.

Yes, I can confirm that the problem is not present in 0.4.12-6. BUT, the root problem is that this bug report does not have the latest RPMS:
Yi's iot-simplified-installer has:

$ rpm -qa | grep selinux-policy
selinux-policy-38.28-1.fc39.noarch
selinux-policy-targeted-38.28-1.fc39.noarch

$ rpm -qa | grep fdo
fdo-client-0.4.12-4.fc39.x86_64
fdo-owner-cli-0.4.12-4.fc39.x86_64

and I've built everything with latest:

[admin@localhost ~]$ rpm -qa | grep selinux-policy
selinux-policy-39.3-1.fc39.noarch
selinux-policy-targeted-39.3-1.fc39.noarch

[admin@localhost ~]$ rpm -qa | grep fdo
fdo-client-0.4.12-6.fc39.x86_64
fdo-owner-cli-0.4.12-6.fc39.x86_64

where the error is not present:

Feb 12 13:43:04 localhost.localdomain fdo-client-linuxapp[1240]:  2024-02-12T13:43:04.144Z INFO  fdo_client_linuxapp > Got TO2 addresses: ["http://192.168.1.49:8081", "http://10.45.226.7:8081", "http://fe80::67bb:6b28:931f:f36e:8081", "http://2620:52:0:2de0::1206:8081", "http://fe80::8a46:e9f0:8599:84d9:8081"]
Feb 12 13:43:04 localhost.localdomain fdo-client-linuxapp[1240]:  2024-02-12T13:43:04.144Z INFO  fdo_client_linuxapp > Performing TO2 protocol, URL: "http://192.168.1.49:8081"
Feb 12 13:43:04 localhost.localdomain fdo-client-linuxapp[1240]:  2024-02-12T13:43:04.177Z INFO  fdo_client_linuxapp::serviceinfo > Initiating disk re-encryption, disk-label: /dev/vda3, pin: tpm2, config: {}, reencrypt: true
Feb 12 13:43:04 localhost.localdomain fdo-client-linuxapp[1240]:  2024-02-12T13:43:04.813Z INFO  fdo_client_linuxapp              > Secure Device Onboarding DONE
Feb 12 13:43:04 localhost.localdomain fdo-client-linuxapp[1240]:  2024-02-12T13:43:04.813Z INFO  fdo_client_linuxapp              > Reboot required? false
Feb 12 13:43:04 localhost.localdomain systemd[1]: fdo-client-linuxapp.service: Deactivated successfully.
Feb 12 13:43:04 localhost.localdomain systemd[1]: Finished fdo-client-linuxapp.service - FDO client.
^C
bash-5.2# cryptsetup luksDump /dev/vda3
LUKS header information
Version:       	2
Epoch:         	13
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	91f04dd7-6325-4499-a86f-667c7a9eabcb
Label:         	crypt_root
Subsystem:     	(no subsystem)
Flags:       	(no flags)
Requirements:	online-reencrypt-v2 

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: cipher_null-ecb
	sector: 512 [bytes]

  1: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: cipher_null-ecb
	sector: 512 [bytes]
	flags : backup-previous

  2: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]
	flags : backup-final

Keyslots:
  0: luks2
	Key:        256 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      pbkdf2
	Hash:       sha256
	Iterations: 1000
	Salt:       e3 53 3f 16 fc d3 eb c7 26 1f bb de e5 68 a0 c6 
	            d0 b7 22 86 9f 87 4c 48 d9 f2 a8 04 66 26 d7 25 
	AF stripes: 4000
	AF hash:    sha256
	Area offset:32768 [bytes]
	Area length:131072 [bytes]
	Digest ID:  0
  1: luks2 (unbound)
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      pbkdf2
	Hash:       sha256
	Iterations: 1000
	Salt:       5d 3e 85 9b 55 b9 00 f0 c9 a1 d9 6c 5d 74 ca 5a 
	            1a 35 c7 d4 36 01 2b 29 9a ff 76 30 21 22 a1 4e 
	AF stripes: 4000
	AF hash:    sha256
	Area offset:163840 [bytes]
	Area length:258048 [bytes]
	Digest ID:  1
  2: reencrypt (unbound)
	Key:        8 bits
	Priority:   ignored
	Mode:       reencrypt
	Direction:  forward
	Resilience: checksum
	Hash:       sha256
	Hash data:  512 [bytes]
	Area offset:421888 [bytes]
	Area length:16355328 [bytes]
	Digest ID:  2
Tokens:
  1: clevis
	Keyslot:    0
	Keyslot:    1
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 1000
	Salt:       8b 95 47 9e fd ca 84 18 29 c8 df 4c 2a 5a d6 dd 
	            75 53 8c 58 b6 f4 e1 60 72 c6 5c d8 b0 f2 0b b0 
	Digest:     fa 80 04 62 86 d6 15 25 f1 c0 2a ae c3 11 13 ec 
	            e9 7c 38 a1 64 87 12 90 ac 1e 6a c3 a1 66 c3 cb 
  1: pbkdf2
	Hash:       sha256
	Iterations: 1000
	Salt:       89 79 cd 7f 94 4f 05 89 72 bf 03 0b 84 18 b1 9c 
	            34 f9 a9 82 26 12 b3 2c 6c 50 69 0f 8c 9c fb 1a 
	Digest:     11 a4 63 5d d9 40 5f 05 47 77 03 a6 b6 6d 03 1f 
	            2f 57 40 1b 1c c6 93 54 7d 92 ff 82 6e da 94 48 
  2: pbkdf2
	Hash:       sha256
	Iterations: 1000
	Salt:       61 25 49 bb 07 50 08 ec 68 f8 36 b9 c1 75 81 dc 
	            2c 18 07 17 d8 01 ac 9c f5 78 a6 d2 0c 1f f1 26 
	Digest:     c9 1b 21 7c eb d3 75 8f 2c b7 12 c8 36 27 c2 4b 
	            f6 e3 76 2e 14 48 96 19 bd 81 24 ac b8 ac 64 ac 
bash-5.2# 

So, the error is just present with this combo:

$ rpm -qa | grep selinux-policy
selinux-policy-38.28-1.fc39.noarch
selinux-policy-targeted-38.28-1.fc39.noarch

$ rpm -qa | grep fdo
fdo-client-0.4.12-4.fc39.x86_64
fdo-owner-cli-0.4.12-4.fc39.x86_64

7flying commented Feb 12, 2024

@nullr0ute , so since we are OK in the latest RPMs I think that I should close the Fedora BZ.

nullr0ute commented:

> @nullr0ute , so since we are OK in the latest RPMs I think that I should close the Fedora BZ.

So I believe the fix is in selinux-policy not FDO which would make more sense if it's selinux.

7flying commented Feb 12, 2024

> > @nullr0ute , so since we are OK in the latest RPMs I think that I should close the Fedora BZ.
>
> So I believe the fix is in selinux-policy not FDO which would make more sense if it's selinux.

but, do we need a fix for an older revision when there is already a fix for the latest version?

nullr0ute commented:

> > > @nullr0ute , so since we are OK in the latest RPMs I think that I should close the Fedora BZ.
> >
> > So I believe the fix is in selinux-policy not FDO which would make more sense if it's selinux.
>
> but, do we need a fix for an older revision when there is already a fix for the latest version?

No, the fix is to upgrade the selinux-policy

7flying commented Feb 12, 2024

> > > > @nullr0ute , so since we are OK in the latest RPMs I think that I should close the Fedora BZ.
> > >
> > > So I believe the fix is in selinux-policy not FDO which would make more sense if it's selinux.
> >
> > but, do we need a fix for an older revision when there is already a fix for the latest version?
>
> No, the fix is to upgrade the selinux-policy

My point is that there is also an upgraded selinux-policy that works.

7flying commented Feb 13, 2024

Closing this issue as it cannot be reproduced with the latest packages.

@7flying 7flying closed this as not planned Won't fix, can't repro, duplicate, stale Feb 13, 2024