RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1808980 - [RFE] Add support for BitLocker encrypted disks with network unlock
Summary: [RFE] Add support for BitLocker encrypted disks with network unlock
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libguestfs
Version: 9.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: Virtualization Maintenance
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-02 07:43 UTC by Fabien Dupont
Modified: 2022-05-27 08:09 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-27 08:09:14 UTC
Type: Feature Request
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)

Description Fabien Dupont 2020-03-02 07:43:59 UTC 
Description of problem:
Among customers using Windows Server with BitLocker encryption, some use Network Unlock [1]. It would be great to have support for BitLocker Network Unlock in libguestfs.

A possible implementation would be to have a new set of options for Network Block Device Encryption (NBDE) mechanisms, i.e. Clevis & Tang for Linux and BitLocker Network Unlock for Windows.

[1] https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock
Comment 2 Richard W.M. Jones 2020-06-01 12:35:37 UTC 
I believe this bug is a duplicate of bug 1808977.
Comment 3 Richard W.M. Jones 2020-06-01 12:36:57 UTC 
(In reply to Richard W.M. Jones from comment #2)
> I believe this bug is a duplicate of bug 1808977.

Sorry ignore that, it's not quite a duplicate because this is about
using Windows to network unlock the guest.  I believe this is basically
impossible unless someone comes up with a Linux client for this
Windows service, but we can leave this open ...
Comment 8 RHEL Program Management 2021-09-02 07:27:04 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Comment 9 Richard W.M. Jones 2021-09-02 08:05:05 UTC 
My apologies, this bug was closed in error by a process we do not
have any control over.  Reopening.
Comment 10 Laszlo Ersek 2022-05-27 08:09:14 UTC 
(In reply to Richard W.M. Jones from comment #3)

> I believe this is basically
> impossible unless someone comes up with a Linux client for this
> Windows service, but we can leave this open ...

It's unnecessary to leave this open; honestly.

I've read the high-level description of the feature at <https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock>.

Please refer to the diagram entitled "Bitlock Network Unlock process" there. Based on that, this is what libguestfs would have to do:

- Step#1: detect a Network Unlock protector in the BitLocker configuration. Currently done by Windows' UEFI boot manager, which is not open source. How a "Network Unlock protector in the BitLocker configuration" is represented is also not public -- note that this happens *before* disk decryption, so this is either represented on-disk in some tricky way, or even in a non-volatile UEFI variable.

- Step#3: send a vendor-specific DHCP request to the WDS server. The internals of this DHCP request are not documented.

- Step#6: parse the vendor-specific DHCP response form the WDS server. The internals of this response are not documented.

- Step#7: this step is actually what kills the idea *by design*. Namely, for unlocking the disk, the intermediate key parsed from the WDS response needs to be combined with *TPM state* (aka it needs to be "decrypted by the TPM"). Steps 1 through 6 in the protocol do not protect the disk from an attacker that physically steals (or copies) the disk, and then impersonates the original computer, talking to the DHCP and WDS servers. Step#7 is what prevents this impersonation attack: the disk encryption key is a derivative of both the WDS answer *and* the TPM state. And the TPM state on the original client computer encompasses basically the hardware configuration, the whole boot path, and so on. In this scenario, libguestfs is supposed to impersonate the original computer, but the TPM dependency, that is, step#7, is *specifically designed* by Microsoft to prevent that. Decrypting such a disk would only be possible *even in theory* if Microsoft were willing to expose an API for fetching secrets from their vTPM -- which they will obviously never do, as it would immediately undermine all their vTPM-based cloud security technologies, and become a fat target for attackers. Regarding virt-p2v in turn, the TPM in question would be a physical TPM (not a vTPM implemented by host-side software), which (again) is specifically designed and manufactured to prevent this kind of impersonation.

I'm closing this now as CANTFIX.
Note You need to log in before you can comment on or make changes to this bug.