Bug 1784079

Summary: clevis-dracut always enables the network, which is erroneous when TPM2 is used
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: clevis
Assignee: Sergio Correia <scorreia>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 8.1
CC: dapospis
Target Milestone: rc
Target Release: 8.0
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2019-12-17 07:22:02 UTC
Type: Bug

Attachments:
- Script printing the methods used for unlocking for a given LUKS device

Description Renaud Métrich 2019-12-16 16:39:53 UTC
Created attachment 1645628 [details]
Script printing the methods used for unlocking for a given LUKS device

Description of problem:

Installing clevis-dracut unconditionally enables the network in the initramfs by creating the "/etc/cmdline.d/99-clevis.conf" file.
In fact, this is not necessary (and not wished at all) when TPM2 is used to unlock the devices.
This is particularly an issue when a static IP configuration is used, which then needs to be explicitly added to the dracut configuration.

I believe the 99-clevis module must be enhanced to check in the LUKS slots whether a method requiring the network is used (e.g. Tang) and to activate the network only in that case.

This can be done by using a script checking for the unlock method, as proposed in the attachment.


Version-Release number of selected component (if applicable):

clevis*-11-2.el8.x86_64


How reproducible:

Always


Steps to Reproduce:
1. Install clevis-dracut

Actual results:

Network is enabled early during boot

Comment 1 Renaud Métrich 2019-12-16 16:43:24 UTC
Example of script usage:

LUKSv1:

# clevis-show-method.sh /dev/mapper/rhel-00
tang

LUKSv2:

# clevis-show-method.sh /dev/sda3
tpm2

Of course TPM2 and Tang may be used for the same LUKS device.
As soon as "tang" is found, network needs to be activated.

Comment 2 Renaud Métrich 2019-12-16 17:07:06 UTC
Note: assuming this is implemented, I would recommend the network to be always set up in the initramfs *even* in case "Tang" is not used for the root volumes, otherwise BZ #1784084's proposed solution wouldn't work.

Comment 3 Sergio Correia 2019-12-16 20:54:59 UTC
(In reply to Renaud Métrich from comment #0)
> Created attachment 1645628 [details]
> Script printing the methods used for unlocking for a given LUKS device
> 
> Description of problem:
> 
> Installing clevis-dracut enables unconditionally the network in the
> initramfs through creating "/etc/cmdline.d/99-clevis.conf" file.
> In fact, this is not necessary (and not wished at all) when TPM2 is used to
> unlock the devices.
> This is particularly an issue when static IP configuration is used, which
> then needs to be explicitly added to the dracut configuration.
> 
> I believe the 99-clevis module must be enhanced to check the LUKS slots if a
> method requiring the network is used (e.g. Tang) and activate the network
> only in this case.
> 

We are doing something like this in https://bugzilla.redhat.com/show_bug.cgi?id=1762028 and adding rd.neednet=1 only when we detect a device bound to tang.

(In reply to Renaud Métrich from comment #1)
> Example of script usage:
> 
> LUKSv1:
> 
> # clevis-show-method.sh /dev/mapper/rhel-00
> tang
> 
> LUKSv2:
> 
> # clevis-show-method.sh /dev/sda3
> tpm2
> 
> Of course TPM2 and Tang may be used for the same LUKS device.
> As soon as "tang" is found, network needs to be activated.

By the way, we are also adding a "clevis luks list" sub-command in https://bugzilla.redhat.com/show_bug.cgi?id=1766526, and it is useful for listing the pin + configuration in a device/slot. This is what we used in https://bugzilla.redhat.com/show_bug.cgi?id=1762028.
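
The decision described in comment 1 and comment 3 (set rd.neednet=1 only when a slot bound to Tang is found), as an added example that is neither the attached clevis-show-method.sh nor the clevis project's code: it reads the pin from each slot's clevis JWE protected header and also walks into "sss" pins, which wrap other pins and so may hide a Tang binding. It assumes the clevis header layout (`clevis.pin`, child JWEs under `clevis.sss.jwe`) and takes the JWEs as constructed strings instead of reading them from LUKS metadata.

```python
import base64
import json

# Pins that can only be unlocked once the network is up ("tang" here).
NETWORK_PINS = {"tang"}


def _b64url_decode(segment):
    """Decode an unpadded base64url JWE segment."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def pins_in_jwe(jwe):
    """Return the leaf pins used by one clevis JWE in compact serialization.

    The protected header is the first dot-separated segment.  An "sss" pin
    keeps its child JWEs inside its own header (assumed layout), so recurse.
    """
    header = json.loads(_b64url_decode(jwe.split(".")[0]))
    clevis = header["clevis"]
    if clevis["pin"] == "sss":
        pins = set()
        for child in clevis["sss"]["jwe"]:
            pins |= pins_in_jwe(child)
        return pins
    return {clevis["pin"]}


def needs_network(jwes):
    """True if any slot, directly or through sss, relies on a network pin."""
    return any(pins_in_jwe(j) & NETWORK_PINS for j in jwes)


def fake_jwe(clevis_header):
    """Constructed compact JWE with only the protected header filled in."""
    header = {"alg": "ECDH-ES", "enc": "A256GCM", "clevis": clevis_header}
    protected = base64.urlsafe_b64encode(json.dumps(header).encode())
    return protected.rstrip(b"=").decode() + "...."  # key, iv, ciphertext, tag empty


# Constructed sample slots: TPM2 only, Tang only, and SSS wrapping both.
TPM2_SLOT = fake_jwe({"pin": "tpm2", "tpm2": {"hash": "sha256"}})
TANG_SLOT = fake_jwe({"pin": "tang", "tang": {"url": "http://tang.example"}})
SSS_SLOT = fake_jwe({"pin": "sss", "sss": {"t": 1, "jwe": [TPM2_SLOT, TANG_SLOT]}})

if __name__ == "__main__":
    for name, slots in (("tpm2", [TPM2_SLOT]), ("tpm2+sss", [TPM2_SLOT, SSS_SLOT])):
        print(name, "rd.neednet=1" if needs_network(slots) else "no network needed")
```

In a dracut module the JWE strings would come from the LUKS1 luksmeta slots or the LUKS2 tokens of each root device; this example stops at the decision itself.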

Comment 4 Renaud Métrich 2019-12-17 07:22:02 UTC
Sorry, I missed this BZ. Closing as a DUP.

*** This bug has been marked as a duplicate of bug 1762028 ***