Yubikey - luks-seal pcscd complaints #162

Open
sourceXORapprentice opened this issue Nov 11, 2021 · 0 comments

After doing a clean run-through, I cannot seem to get past a Yubikey initialization issue on Ubuntu 20.04.3; see below.
Running sudo systemctl restart pcscd prior to luks-seal results in the complaints disappearing. However, they reappear on boot and unseal fails.

Example:

$ sudo safeboot luks-seal
New unsealing PIN: 
Unsealing PIN again: 
Using placeholder TPM counter version
Sealing secret with TPM, storing sealed secret in 0x1500010
persistent-handle: 0x81110000
action: evicted
persistent-handle: 0x81110000
action: persisted
/dev/nvme0n1p3: Current recovery password: 
Removing old LUKS TPM key (if it exists)
Adding new LUKS TPM key
/dev/nvme0n1p3: sealed with PCR 0,2,4,5,7,14
-------- Need to sign PCR and counter values --------
Starting PCSCD for yubikey support
00000000 [140487869220800] utils.c:81:GetDaemonPid() Can't open /run/pcscd/pcscd.pid: No such file or directory
WARN: Reading full size of the NV index
00005040 [140487869220800] ifdhandler.c:150:CreateChannelByNameOrChannel() failed
00000009 [140487869220800] readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/001/002)
00000004 [140487869220800] readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
00002802 [140487869220800] ifdhandler.c:150:CreateChannelByNameOrChannel() failed
00000007 [140487869220800] readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/001/002)
00000005 [140487869220800] readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
/boot/efi/EFI/linux/linux.efi: TPM version 0000000000000010
  sha256:
    0 : 0x9977A8F1C55C8F84D90BF957DE2CA0273544EEDC0588AA8F65AF5DB3D21D5AD0
    2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    4 : 0xC21340E5EC0F58AF9BD0D8B75653016E15128DB9CFFDEE443DEF7D2A08D19737
    5 : 0xD81D958F078A2896CFCB3A823752AB152885EC7B5CEA9507C8451536C8AE699D
    7 : 0xFFB56EA74186154E4434AC1A1DBEB3A5E93461FC33B9D63C2F23FEBA6219B652
warning: data remaining[109475816 vs 109485432]: gaps between PE/COFF sections?
PCR2: ignoring BootMenu entries
/boot/efi/EFI/linux/linux.efi: PE hash 01daabb7487e2e8a5ffa336faac97edd0a4b93a238a5cc8fb85be19d0aca4e79
PCR4 1109cfd4f16834aa0bc96fe80fc2cd803b134f02bf403bf2ac1e804268cc38d1
mode=linux PCR14=4cc49932dc91c7021e5cfee8231a5f2da3ac1de6df7a7aeff333cc8dfd230f28
final PCRs:
9977a8f1c55c8f84d90bf957de2ca0273544eedc0588aa8f65af5db3d21d5ad0
3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
1109cfd4f16834aa0bc96fe80fc2cd803b134f02bf403bf2ac1e804268cc38d1
d81d958f078a2896cfcb3a823752ab152885ec7b5cea9507c8451536c8ae699d
ffb56ea74186154e4434ac1a1dbeb3a5e93461fc33b9d63c2f23feba6219b652
4cc49932dc91c7021e5cfee8231a5f2da3ac1de6df7a7aeff333cc8dfd230f28
Using TPM counter 0000000000000010
engine "pkcs11" set.
Enter PKCS#11 token PIN for castle:
Enter PKCS#11 key PIN for SIGN key:
/sys/firmware/efi/efivars/SafebootPCR-8620893e-c793-457e-8a02-41fc83eef3ce: writing new value
/tmp/tmp.OxvuOyeKIQ: Unmounting

Booting this on recovery results in:

00000000 [139785720018880] ifdhandler.c:150:CreateChannelByNameOrChannel() failed
00000046 [139785720018880] readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/001/002)
00000008 [139785720018880] readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
00002868 [139785720018880] ifdhandler.c:150:CreateChannelByNameOrChannel() failed
00000009 [139785720018880] readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/001/002)
00000005 [139785720018880] readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed.
  Volume group "ubuntu-vg" not found
  Cannot process volume group ubuntu-vg
TPM mode=linux pcrs=0,2,4,5,7 14
  sha256:
    0 : 0x9977A8F1C55C8F84D90BF957DE2CA0273544EEDC0588AA8F65AF5DB3D21D5AD0
    1 : 0x212AE774AC787B4D5E2DD7D5B744DD9909F8F80B9504BF0F37CF951006622FBD
    2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    4 : 0x1109CFD4F16834AA0BC96FE80FC2CD803B134F02BF403BF2AC1E804268CC38D1
    5 : 0xD81D958F078A2896CFCB3A823752AB152885EC7B5CEA9507C8451536C8AE699D
    6 : 0x54D288E1A219FBE5F8239CBD879FD381305923ED1C83ABD6BB4850B797222F7E
    7 : 0xFFB56EA74186154E4434AC1A1DBEB3A5E93461FC33B9D63C2F23FEBA6219B652
    8 : 0x0000000000000000000000000000000000000000000000000000000000000000
    9 : 0x0000000000000000000000000000000000000000000000000000000000000000
    10: 0xCD1DCACFCF4935E7D74ADEBCB88C0F7DE543796FA3C56237788CDA1759CF56E5
    11: 0x0000000000000000000000000000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000000000000000000000000000
    14: 0x0000000000000000000000000000000000000000000000000000000000000000
    15: 0x0000000000000000000000000000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000000000000000000000000000
WARN: Reading full size of the NV index
Using TPM counter 0000000000000011
WARNING:esys:../../tpm2-tss/src/tss2-esys/api/Esys_VerifySignature.c:302:Esys_VerifySignature_Finish() Received TPM Error 
ERROR:esys:../../tpm2-tss/src/tss2-esys/api/Esys_VerifySignature.c:103:Esys_VerifySignature() Esys Finish ErrorCode (0x000002db) 
ERROR: Esys_VerifySignature(0x2DB) - tpm:parameter(2):the signature is not valid
ERROR: Verify signature failed!
ERROR: Unable to run verifysignature
Unable to verify PCR signature
Nothing to read on input.
TPM mode=linux pcrs=0,2,4,5,7 14
  sha256:
    0 : 0x9977A8F1C55C8F84D90BF957DE2CA0273544EEDC0588AA8F65AF5DB3D21D5AD0
    1 : 0x212AE774AC787B4D5E2DD7D5B744DD9909F8F80B9504BF0F37CF951006622FBD
    2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    4 : 0x1109CFD4F16834AA0BC96FE80FC2CD803B134F02BF403BF2AC1E804268CC38D1
    5 : 0xD81D958F078A2896CFCB3A823752AB152885EC7B5CEA9507C8451536C8AE699D
    6 : 0x54D288E1A219FBE5F8239CBD879FD381305923ED1C83ABD6BB4850B797222F7E
    7 : 0xFFB56EA74186154E4434AC1A1DBEB3A5E93461FC33B9D63C2F23FEBA6219B652
    8 : 0x0000000000000000000000000000000000000000000000000000000000000000
    9 : 0x0000000000000000000000000000000000000000000000000000000000000000
    10: 0xCD1DCACFCF4935E7D74ADEBCB88C0F7DE543796FA3C56237788CDA1759CF56E5
    11: 0x0000000000000000000000000000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000000000000000000000000000
    14: 0xF288272B5A7B99582CDEB3F756421A91A19828DE691511DCAB2D839AD28FF981
    15: 0x0000000000000000000000000000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000000000000000000000000000
Falling back to user pass phrase
WARNING:esys:../../tpm2-tss/src/tss2-esys/api/Esys_NV_ReadPublic.c:309:Esys_NV_ReadPublic_Finish() Received TPM Error 
ERROR:esys:../../tpm2-tss/src/tss2-esys/esys_tr.c:210:Esys_TR_FromTPMPublic_Finish() Error NV_ReadPublic ErrorCode (0x0000018b) 
ERROR:esys:../../tpm2-tss/src/tss2-esys/esys_tr.c:321:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x0000018b) 
ERROR in tpm2totp_loadKey_nv (/home/castle/safeboot/tpm2-totp/src/libtpm2-totp.c:639): 0x0000018b

ERROR in main (/home/castle/safeboot/tpm2-totp/src/tpm2-totp.c:441): 0x0000018b
No key available with this passphrase.
TPM mode=linux pcrs=0,2,4,5,7 14
  sha256:
    0 : 0x9977A8F1C55C8F84D90BF957DE2CA0273544EEDC0588AA8F65AF5DB3D21D5AD0
    1 : 0x212AE774AC787B4D5E2DD7D5B744DD9909F8F80B9504BF0F37CF951006622FBD
    2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    4 : 0x1109CFD4F16834AA0BC96FE80FC2CD803B134F02BF403BF2AC1E804268CC38D1
    5 : 0xD81D958F078A2896CFCB3A823752AB152885EC7B5CEA9507C8451536C8AE699D
    6 : 0x54D288E1A219FBE5F8239CBD879FD381305923ED1C83ABD6BB4850B797222F7E
    7 : 0xFFB56EA74186154E4434AC1A1DBEB3A5E93461FC33B9D63C2F23FEBA6219B652
    8 : 0x0000000000000000000000000000000000000000000000000000000000000000
    9 : 0x0000000000000000000000000000000000000000000000000000000000000000
    10: 0xCD1DCACFCF4935E7D74ADEBCB88C0F7DE543796FA3C56237788CDA1759CF56E5
    11: 0x0000000000000000000000000000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000000000000000000000000000
    14: 0xF288272B5A7B99582CDEB3F756421A91A19828DE691511DCAB2D839AD28FF981
    15: 0x0000000000000000000000000000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000000000000000000000000000
Falling back to user pass phrase
WARNING:esys:../../tpm2-tss/src/tss2-esys/api/Esys_NV_ReadPublic.c:309:Esys_NV_ReadPublic_Finish() Received TPM Error 
ERROR:esys:../../tpm2-tss/src/tss2-esys/esys_tr.c:210:Esys_TR_FromTPMPublic_Finish() Error NV_ReadPublic ErrorCode (0x0000018b) 
ERROR:esys:../../tpm2-tss/src/tss2-esys/esys_tr.c:321:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x0000018b) 
ERROR in tpm2totp_loadKey_nv (/home/castle/safeboot/tpm2-totp/src/libtpm2-totp.c:639): 0x0000018b

ERROR in main (/home/castle/safeboot/tpm2-totp/src/tpm2-totp.c:441): 0x0000018b
/dev/mapper/ubuntu--vg-ubuntu--lv: clean, 113961/3858432 files, 2150577/15430656 blocks

I'm also unclear why tpm2-totp would reference back to the home directory (/home/castle/safeboot/tpm2-totp/src/tpm2-totp.c:441): 0x0000018b
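As an added example (not part of this issue and not safeboot's own code), the following Python takes the two log excerpts reproduced from the report above, the `final PCRs:` block printed by `luks-seal` and the PCR table printed by the unseal step at boot, and reports which sealed PCR values differ at boot and whether the `Using TPM counter` line changed between the two runs. It assumes only the line formats visible in the log: the digests under `final PCRs:` are taken to be in the order of the sealed PCR list `0,2,4,5,7,14` that the `sealed with PCR` line states, and the counter value is treated as an opaque string rather than interpreted as a number.

```python
import re

# Constructed excerpts, copied from the log lines in the issue above.
# The boot table is reduced to the rows for the sealed PCRs to keep the
# example short; the parser accepts the full 0..16 table as well.
SEAL_PCR_INDEXES = [0, 2, 4, 5, 7, 14]   # from "sealed with PCR 0,2,4,5,7,14"

SEAL_LOG = """\
final PCRs:
9977a8f1c55c8f84d90bf957de2ca0273544eedc0588aa8f65af5db3d21d5ad0
3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
1109cfd4f16834aa0bc96fe80fc2cd803b134f02bf403bf2ac1e804268cc38d1
d81d958f078a2896cfcb3a823752ab152885ec7b5cea9507c8451536c8ae699d
ffb56ea74186154e4434ac1a1dbeb3a5e93461fc33b9d63c2f23feba6219b652
4cc49932dc91c7021e5cfee8231a5f2da3ac1de6df7a7aeff333cc8dfd230f28
Using TPM counter 0000000000000010
"""

BOOT_LOG = """\
TPM mode=linux pcrs=0,2,4,5,7 14
  sha256:
    0 : 0x9977A8F1C55C8F84D90BF957DE2CA0273544EEDC0588AA8F65AF5DB3D21D5AD0
    2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    4 : 0x1109CFD4F16834AA0BC96FE80FC2CD803B134F02BF403BF2AC1E804268CC38D1
    5 : 0xD81D958F078A2896CFCB3A823752AB152885EC7B5CEA9507C8451536C8AE699D
    7 : 0xFFB56EA74186154E4434AC1A1DBEB3A5E93461FC33B9D63C2F23FEBA6219B652
    14: 0xF288272B5A7B99582CDEB3F756421A91A19828DE691511DCAB2D839AD28FF981
Using TPM counter 0000000000000011
"""

DIGEST = re.compile(r"^\s*([0-9a-fA-F]{64})\s*$")            # bare SHA-256 line
PCR_ROW = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9a-fA-F]{64})\s*$")  # "<n> : 0x<digest>"
COUNTER = re.compile(r"^Using TPM counter\s+([0-9a-fA-F]+)\s*$", re.M)


def parse_seal_pcrs(log, indexes):
    """Map the digests listed under 'final PCRs:' onto the sealed PCR indexes.

    Assumption (from the seal log): the digests are printed in the same order
    as the PCR list the secret was sealed against.
    """
    lines = log.splitlines()
    starts = [i for i, line in enumerate(lines) if line.strip() == "final PCRs:"]
    if not starts:
        raise ValueError("no 'final PCRs:' block in seal log")
    digests = []
    for line in lines[starts[0] + 1:]:
        m = DIGEST.match(line)
        if not m:
            break            # first non-digest line ends the block
        digests.append(m.group(1).lower())
    if len(digests) != len(indexes):
        raise ValueError(f"expected {len(indexes)} digests, found {len(digests)}")
    return dict(zip(indexes, digests))


def parse_boot_pcrs(log):
    """Parse the '<index> : 0x<digest>' table printed at boot into {index: digest}."""
    rows = (PCR_ROW.match(line) for line in log.splitlines())
    return {int(m.group(1)): m.group(2).lower() for m in rows if m}


def parse_counter(log):
    """Return the value on the 'Using TPM counter' line as an opaque lowercase string."""
    m = COUNTER.search(log)
    if not m:
        raise ValueError("no 'Using TPM counter' line")
    return m.group(1).lower()


def diff_pcrs(sealed, booted):
    """{index: (sealed_digest, boot_digest_or_None)} for every sealed PCR that
    is absent at boot or whose boot value differs from the sealed one."""
    return {i: (d, booted.get(i)) for i, d in sealed.items() if booted.get(i) != d}


def analyse(seal_log, boot_log):
    """Compare one seal run against one boot run; returns a plain dict."""
    sealed = parse_seal_pcrs(seal_log, SEAL_PCR_INDEXES)
    booted = parse_boot_pcrs(boot_log)
    return {
        "pcr_mismatches": diff_pcrs(sealed, booted),
        "counter_sealed": parse_counter(seal_log),
        "counter_boot": parse_counter(boot_log),
    }


if __name__ == "__main__":
    result = analyse(SEAL_LOG, BOOT_LOG)
    for idx, (want, got) in sorted(result["pcr_mismatches"].items()):
        print(f"PCR{idx}: sealed {want}\n        boot   {got}")
    if result["counter_sealed"] != result["counter_boot"]:
        print(f"counter: sealed {result['counter_sealed']} boot {result['counter_boot']}")
```

Run on the excerpts from this issue, it reports PCR 14 as the only sealed PCR whose boot value differs from the sealed one, and the counter line moving from `0000000000000010` to `0000000000000011`; since the seal step signs PCR and counter values together, those two differences are the first thing to reconcile when the boot-time signature verification fails, before looking at the pcscd reader errors.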
