Skip to content

systemd: Fix systemd-{cryptenroll,cryptsetup} TPM2 and FIDO2 support#179823

Closed
Kranzes wants to merge 2 commits intoNixOS:stagingfrom
Kranzes:systemd-crypt
Closed

systemd: Fix systemd-{cryptenroll,cryptsetup} TPM2 and FIDO2 support#179823
Kranzes wants to merge 2 commits intoNixOS:stagingfrom
Kranzes:systemd-crypt

Conversation

@Kranzes
Copy link
Member

@Kranzes Kranzes commented Jul 1, 2022
edited
Loading

Description of changes

With this change it is now possible to decrypt LUKs protected partitions with a FIDO2 or TPM2 token.

Reviving #171242

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.11 Release Notes (or backporting 22.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@Kranzes Kranzes requested a review from a team as a code owner July 1, 2022 17:05
@github-actions github-actions bot added the 6.topic: systemd Software suite that provides an array of system components for Linux operating systems. label Jul 1, 2022
@Kranzes Kranzes requested a review from dasJ July 1, 2022 17:06
@ofborg ofborg bot requested review from Mic92, flokli and kloenk July 1, 2022 17:55
@ofborg ofborg bot added 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Jul 1, 2022
Mic92
Mic92 reviewed Jul 2, 2022
View reviewed changes
Mic92
Mic92 reviewed Jul 2, 2022
View reviewed changes
Mic92
Mic92 reviewed Jul 2, 2022
View reviewed changes
@Kranzes @Mic92
systemd: Wrap in LUKS2 tokens
9b3eb99 
Update pkgs/os-specific/linux/systemd/default.nix

Co-authored-by: Jörg Thalheim <[email protected]>
@Kranzes Kranzes requested a review from Mic92 July 16, 2022 12:25
@zhaofengli zhaofengli mentioned this pull request Aug 1, 2022
Merged
13 tasks
zhaofengli
zhaofengli suggested changes Aug 1, 2022
View reviewed changes
Copy link
Member

@zhaofengli zhaofengli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried this with FIDO2, and the following changes are required:

  1. Since #167167, files in ${cfg.package}/lib are only selectively copied. This means lib/systemd/.systemd-cryptsetup-wrapped doesn't exist and [email protected] simply crashes with 255/EXCEPTION.
  2. The above problem also means that lib/cryptsetup/libcryptsetup-token-systemd-{tpm2,fido2}.so do not exist in initrd, causing immediate fallback to password.
  3. A missing dependency means that FIDO2 support is not actually added into systemdStage1: #184510.
  4. libfido2 needs to be added to the initrd as well, otherwise the unlocking process will simply crash with FIDO2 support is not installed.

I don't have enough compute to actually rebuild the world, so I used the following config to replicate the PR:

{ pkgs, lib, ... }:
let
  cryptsetup' = pkgs.cryptsetup.overrideAttrs (old: {
    patches = (old.patches or []) ++ [
      ./relative-token-path.patch
    ];
  });

  # https://github.com/NixOS/nixpkgs/pull/184510
  libfido2' = pkgs.libfido2.overrideAttrs (old: {
    propagatedBuildInputs = (old.propagatedBuildInputs or []) ++ [
      pkgs.openssl
    ];
  });

  patchSystemd = systemd: (systemd.override {
    cryptsetup = cryptsetup';
    libfido2 = libfido2';
  }).overrideAttrs (old: {
    nativeBuildInputs = (old.nativeBuildInputs or []) ++ [
      pkgs.makeBinaryWrapper
    ];

    postFixup = (old.postFixup or "") + ''
      for f in lib/systemd/systemd-cryptsetup bin/systemd-cryptenroll; do
        # This needs to be in LD_LIBRARY_PATH because rpath on a binary is not propagated to libraries using dlopen, in this case `libcryptsetup.so`
        wrapProgram $out/$f --prefix LD_LIBRARY_PATH : ${placeholder "out"}/lib/cryptsetup
      done
    '';
  });

  systemdStage1' = patchSystemd pkgs.systemdStage1;
in {
  boot.initrd.systemd = {
    enable = true;
    package = systemdStage1';
    emergencyAccess = true;
    initrdBin = with pkgs; [ gnugrep cryptsetup strace ]; # for debugging only

    storePaths = [
      # FIXME: Add to PR in a clean way
      "${systemdStage1'}/lib/systemd/.systemd-cryptsetup-wrapped"
      "${systemdStage1'}/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so"
      "${systemdStage1'}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so"
      libfido2'
    ];
  };
}

FIDO2 unlocking works with the above changes, and I haven't tested TPM2.

@jmbaur jmbaur mentioned this pull request Aug 1, 2022
Closed
13 tasks
@eaglesemanation
Copy link

eaglesemanation commented Aug 28, 2022

Is there anything that could be done to speed up merge of this PR? It's the only thing that keeps me from installing NixOS on my laptop, and I would be glad to help with anything

@Kranzes
Copy link
Member Author

Kranzes commented Aug 28, 2022
edited
Loading

Is there anything that could be done to speed up merge of this PR? It's the only thing that keeps me from installing NixOS on my laptop, and I would be glad to help with anything

What needs to be done are:

  1. Figure out the exact patches and changes needed
  2. Make sure that they are actually secure
  3. Create a NixOS VM test

@zhaofengli Do you mind further helping with this PR?

@zhaofengli
Copy link
Member

zhaofengli commented Sep 3, 2022

I'll test out TPM2 and see how we can make those changes cleanly over the weekend.

@zhaofengli zhaofengli mentioned this pull request Sep 4, 2022
Merged
13 tasks
@zhaofengli
Copy link
Member

zhaofengli commented Sep 4, 2022

I opened #189676 with the required changes and instructions to test.

@oxalica
Copy link
Contributor

oxalica commented Oct 14, 2022

Superseded by #189676

@oxalica oxalica closed this Oct 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dasJ dasJ Awaiting requested review from dasJ

@kloenk kloenk Awaiting requested review from kloenk

@flokli flokli Awaiting requested review from flokli

@Mic92 Mic92 Awaiting requested review from Mic92

2 more reviewers

@catap catap catap left review comments

@zhaofengli zhaofengli zhaofengli requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

6.topic: systemd Software suite that provides an array of system components for Linux operating systems. 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@Kranzes @eaglesemanation @zhaofengli @oxalica @catap @Mic92 @flokli @dasJ