[10.4 stable] Do not fail SealDiskKey if PCRs/eventlog can not be saved #3486

Merged
merged 1 commit into from
Oct 10, 2023
2 changes: 1 addition & 1 deletion pkg/pillar/cmd/vaultmgr/vaultmgr.go
Expand Up @@ -418,7 +418,7 @@ func handleVaultKeyFromControllerImpl(ctxArg interface{}, key string,
}
// Try unlocking the vault now, in case it is not yet unlocked
log.Noticef("Vault is still locked, trying to unlock")
err = etpm.SealDiskKey(decryptedKey, etpm.DiskKeySealingPCRs)
err = etpm.SealDiskKey(log, decryptedKey, etpm.DiskKeySealingPCRs)
if err != nil {
log.Errorf("Failed to Seal key in TPM %v", err)
return
14 changes: 7 additions & 7 deletions pkg/pillar/evetpm/tpm.go
Expand Up @@ -518,7 +518,7 @@ func FetchSealedVaultKey(log *base.LogObject) ([]byte, error) {
if err != nil {
return nil, fmt.Errorf("GetRandom failed: %w", err)
}
err = SealDiskKey(key, DiskKeySealingPCRs)
err = SealDiskKey(log, key, DiskKeySealingPCRs)
if err != nil {
return nil, fmt.Errorf("sealing the fresh disk key failed: %w", err)
}
Expand All @@ -545,7 +545,7 @@ func FetchSealedVaultKey(log *base.LogObject) ([]byte, error) {

log.Noticef("try to convert the legacy key into a sealed key")

err = SealDiskKey(key, DiskKeySealingPCRs)
err = SealDiskKey(log, key, DiskKeySealingPCRs)
if err != nil {
return nil, fmt.Errorf("sealing the legacy disk key into TPM failed: %w", err)
}
Expand All @@ -566,7 +566,7 @@ func FetchSealedVaultKey(log *base.LogObject) ([]byte, error) {
}

// SealDiskKey seals key into TPM2.0, with provided PCRs
func SealDiskKey(key []byte, pcrSel tpm2.PCRSelection) error {
func SealDiskKey(log *base.LogObject, key []byte, pcrSel tpm2.PCRSelection) error {
rw, err := tpm2.OpenTPM(TpmDevicePath)
if err != nil {
return err
Expand Down Expand Up @@ -644,7 +644,7 @@ func SealDiskKey(key []byte, pcrSel tpm2.PCRSelection) error {

// save a snapshot of current PCR values
if err := saveDiskKeySealingPCRs(savedSealingPcrsFile); err != nil {
return fmt.Errorf("saving snapshot of sealing PCRs failed: %w", err)
log.Warnf("saving snapshot of sealing PCRs failed: %s", err)
}

// Backup the previous pair of logs if any, so at most we have two pairs of
Expand All @@ -654,17 +654,17 @@ func SealDiskKey(key []byte, pcrSel tpm2.PCRSelection) error {
// current measurement log (which is same as the content of MeasurementLogSealFail)
// and lose the ability to diff and diagnose the issue.
if err := backupCopiedMeasurementLogs(); err != nil {
return fmt.Errorf("collecting previous snapshot of TPM event log failed: %w", err)
log.Warnf("collecting previous snapshot of TPM event log failed: %s", err)
}

// fresh start, remove old copies of measurement logs.
if err := removeCopiedMeasurementLogs(); err != nil {
return fmt.Errorf("removing old copies of TPM measurement log failed: %w", err)
log.Warnf("removing old copies of TPM measurement log failed: %s", err)
}

// save a copy of the current measurement log
if err := copyMeasurementLog(measurementLogSealSuccess); err != nil {
return fmt.Errorf("copying current TPM measurement log failed: %w", err)
log.Warnf("copying current TPM measurement log failed: %s", err)
}

return nil
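Review bot: Downgrading `backupCopiedMeasurementLogs()` to a warning means a failed backup no longer stops the `removeCopiedMeasurementLogs()` call that follows it, so the previous pair of logs the comment above says are preserved "so we can diff and diagnose" can now be deleted on the very run that could not back them up; guard the removal on the backup succeeding, e.g. `if err := backupCopiedMeasurementLogs(); err != nil { log.Warnf("collecting previous snapshot of TPM event log failed: %s", err) } else if err := removeCopiedMeasurementLogs(); err != nil { log.Warnf("removing old copies of TPM measurement log failed: %s", err) }`, assuming `copyMeasurementLog` can overwrite an existing copy (not visible here). The downgrade itself looks sound from a security standpoint, since these files are diagnostic artifacts for a later unseal failure rather than inputs to the sealing, provided the seal operation completes before this point — the earlier part of `SealDiskKey`'s body is outside the hunk. The doc comment on `SealDiskKey` should state the new contract so callers do not mistake a nil return for "everything was persisted": `// SealDiskKey seals key into TPM2.0 with the provided PCRs. Saving the PCR snapshot and measurement-log copies is best-effort: failures are logged via log and do not affect the returned error.`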
12 changes: 8 additions & 4 deletions pkg/pillar/evetpm/tpm_test.go
Expand Up @@ -15,17 +15,21 @@ import (

"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpmutil"
"github.com/lf-edge/eve/pkg/pillar/base"
fileutils "github.com/lf-edge/eve/pkg/pillar/utils/file"
"github.com/sirupsen/logrus"
)

var log = base.NewSourceLogObject(logrus.StandardLogger(), "test", 1234)

func TestSealUnseal(t *testing.T) {
_, err := os.Stat(TpmDevicePath)
if err != nil {
t.Skip("TPM is not available, skipping the test.")
}

dataToSeal := []byte("secret")
if err := SealDiskKey(dataToSeal, DiskKeySealingPCRs); err != nil {
if err := SealDiskKey(log, dataToSeal, DiskKeySealingPCRs); err != nil {
t.Errorf("Seal operation failed with err: %v", err)
return
}
Expand Down Expand Up @@ -53,7 +57,7 @@ func TestSealUnsealMismatchReport(t *testing.T) {
defer rw.Close()

dataToSeal := []byte("secret")
if err := SealDiskKey(dataToSeal, DiskKeySealingPCRs); err != nil {
if err := SealDiskKey(log, dataToSeal, DiskKeySealingPCRs); err != nil {
t.Errorf("Seal operation failed with err: %v", err)
return
}
Expand Down Expand Up @@ -94,7 +98,7 @@ func TestSealUnsealTpmEventLogCollect(t *testing.T) {

// this should write the save the first event log
dataToSeal := []byte("secret")
if err := SealDiskKey(dataToSeal, DiskKeySealingPCRs); err != nil {
if err := SealDiskKey(log, dataToSeal, DiskKeySealingPCRs); err != nil {
t.Errorf("Seal operation failed with err: %v", err)
return
}
Expand Down Expand Up @@ -126,7 +130,7 @@ func TestSealUnsealTpmEventLogCollect(t *testing.T) {
}

// this should trigger collecting previous tpm event logs
if err := SealDiskKey(dataToSeal, DiskKeySealingPCRs); err != nil {
if err := SealDiskKey(log, dataToSeal, DiskKeySealingPCRs); err != nil {
t.Errorf("Seal operation failed with err: %v", err)
return
}
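Review bot: The test edits only track the new `log` parameter; nothing exercises the behavior this PR introduces, namely that `SealDiskKey` now returns nil when the PCR snapshot or measurement-log copies cannot be written. A test that makes the snapshot destination unwritable (if `savedSealingPcrsFile` or the paths used by the copy helpers can be redirected — not visible here) and asserts `err == nil` would pin the best-effort contract and catch a future regression that reinstates the hard failure. The existing `TestSealUnsealTpmEventLogCollect` still assumes the log copies land on disk, so a comment noting that it only runs against a real TPM and a writable persist path would help the next reader, e.g. `// requires a real TPM and a writable location for the measurement-log copies`.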
3 changes: 2 additions & 1 deletion pkg/pillar/vault/handler_zfs.go
Expand Up @@ -98,7 +98,8 @@ func (h *ZFSHandler) SetupDefaultVault() error {
return fmt.Errorf("error in setting up ZFS vault %s:%v", types.SealedDataset, err)
}
// Log the type of key used for unlocking default vault
h.log.Noticef("default zfs vault unlocked")
h.log.Noticef("default zfs vault unlocked using key type: %s",
etpm.CompareLegacyandSealedKey().String())
return nil
}
