Bug 1676898 - luksmeta does not work properly
Summary: luksmeta does not work properly
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: luksmeta
Version: 29
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Daniel Kopeček
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-13 14:31 UTC by Dahlhoff
Modified: 2019-03-26 13:07 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-26 13:07:27 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Dahlhoff 2019-02-13 14:31:59 UTC 
Description of problem:
Luksmeta is not able to properly clear slots. Also nuke and init do not work as they should.

Version-Release number of selected component (if applicable):
Name         : luksmeta
Version      : 9
Release      : 2.fc29
Arch         : x86_64


How reproducible:
With the following command. Example is a LUKS encrypted USB SSD on /dev/sdb with LUKS v1 partition /dev/sdb1

Steps to Reproduce:

PART 1/2

1.
# luksmeta show -d /dev/sdb1
0   active empty
1   active empty
2   active empty
3   active empty
4   active cb6e8904-81ff-XXXX-a84a-XXXXXXXXXXXX
5 inactive cb6e8904-81ff-XXXX-a84a-XXXXXXXXXXXX
6 inactive empty
7 inactive empty


2.
# luksmeta nuke -d /dev/sdb1
You are about to erase all data in the LUKSMeta storage area.
A backup is advised before erasure is performed.

Do you wish to nuke /dev/sdb1? [yn] y

3. 
#  luksmeta init -d /dev/sdb1
You are about to initialize a LUKS device for metadata storage.
Attempting to initialize it may result in data loss if data was
already written into the LUKS header gap in a different format.
A backup is advised before initialization is performed.

Do you wish to initialize /dev/sdb1? [yn] y

4.
# luksmeta show -d /dev/sdb1
0   active empty  <<-- Slots are still active 
1   active empty  <<-- and cannot be reused, see part 2
2   active empty
3   active empty
4   active empty
5 inactive empty
6 inactive empty
7 inactive empty


PART 2/2:

5.
# luksmeta show -d /dev/sdb1
0   active empty
1   active empty
2   active empty
3   active empty
4   active empty
5 inactive empty
6 inactive empty
7 inactive empty

6.
# luksmeta wipe -d /dev/sdb1 -s 0
You are about to wipe a slot. This operation is unrecoverable.
A backup is advised before proceeding.

Do you wish to erase slot 0 on /dev/sdb1? [yn] y

7.
# clevis luks bind -d /dev/sdb1 -s 0 tpm2 '{"pcr_ids":"7"}'
Enter existing LUKS password: 
Schlüsselfach 0 ist voll, bitte wählen Sie ein anderes. <<-- (translation: Slot 0 is full, please choose another one.)
Error while adding new key to LUKS header!

Actual results:

luksmeta nuke does not properly overwrite the header gap.
luksmeta wipe does not clear the slot
luksmeta show shows wrong information (if the output from clevis-luks-bind is right)
There is not option to deactivate a slot, maybe this should be done by the wipe command?

Expected results:

luksmeta nuke should properly erase the LUKS header
luksmeta wipe should wipe and deactivate the slot

Additional info:

cf. Bug number 1672371
Comment 1 Nathaniel McCallum 2019-03-26 13:07:27 UTC 
luksmeta *never* changes whether or not there is an active LUKS slot. Doing so is a layering violation. The commands are working as designed. Please use cryptsetup to remove LUKS slots.

From the documetation: "Although the luksmeta slots are inspired by the LUKS slots, they are functionally independent and share only a casual relationship. Slots merely provide a hint that a given chunk of metadata is associated with a specific LUKSv1 password (in a slot with the same number)."
Note You need to log in before you can comment on or make changes to this bug.