1979256 – clevis added LUKS2 keyslots does not have to use LUKS2 pbkdf defaults for new keyslots.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1979256 - clevis added LUKS2 keyslots does not have to use LUKS2 pbkdf defaults for new keyslots.

Summary: clevis added LUKS2 keyslots does not have to use LUKS2 pbkdf defaults for new...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	clevis
Sub Component:
Version:	8.4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Sergio Correia
QA Contact:	Martin Zelený
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-07-05 12:14 UTC by Renaud Métrich
Modified:	2024-10-01 18:53 UTC (History)
CC List:	9 users (show)
Fixed In Version:	clevis-15-6.el8
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-05-10 13:52:43 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Kickstart (1.87 KB, text/plain) 2021-07-05 12:14 UTC, Renaud Métrich	no flags	Details
Grub config to install the VM (617 bytes, text/x-matlab) 2021-07-05 12:16 UTC, Renaud Métrich	no flags	Details
libvirt "default" network XML to be able to UEFI+HTTP boot (760 bytes, text/plain) 2021-07-05 12:17 UTC, Renaud Métrich	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	latchset clevis pull 339	0	None	open	luks: explicitly specify pbkdf iterations to cryptsetup	2021-10-21 12:20:41 UTC
Red Hat Product Errata	RHBA-2022:1857	0	None	None	None	2022-05-10 13:52:53 UTC

Description Renaud Métrich 2021-07-05 12:14:23 UTC

Created attachment 1798118 [details]
Kickstart

Created attachment 1798118 [details]
Kickstart

Description of problem:

Trying to install a QEMU/KVM with 2GB of memory (which should be enough for RHEL8.4) with Luks + TPM2 unlocking, it appears that installing through the network is not possible: cryptsetup called by "clevis luks bind" gets killed by OOM killer:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# chroot /mnt/sysimage 
# clevis luks bind -f -k - -d /dev/vda3 tpm2 '{"pcr_ids":"7"}' <<< "temppass"
Warning: Value 512 is outside of the allowed entropy range, adjusting it.
/bin/clevis-luks-bind: line 198: 54461 Killed                  cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

OOM-Kill:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Jul 05 11:58:19 vm-tpm84 kernel: Out of memory: Killed process 54461 (cryptsetup) total-vm:1148728kB, anon-rss:724452kB, file-rss:13920kB, shmem-rss:0kB, UID:0 pgtables:1600kB oom_score_adj:0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Initially I though about some leak, but executing under Valgrind works for some reason, as if less memory was getting used (or valgrind allocates differently).

Booting with 4GB works, it seems cryptsetup uses ~1GB RSS at some point in time.


Version-Release number of selected component (if applicable):

cryptsetup-2.3.3-4.el8.x86_64


How reproducible:

Always

Steps to Reproduce:

1. Boot a UEFI VM with 2GB over the network (UEFI+HTTP boot), with TPM2 emulated device

  RHEL8.4 DVD mounted on http://192.168.122.1/rhel84 (/var/www/html/rhel84 on my HTTP server)


  UEFI+HTTP bootloader available as http://192.168.122.1/EFI/rhel84/:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  # mkdir -p /var/www/html/EFI/rhel84
  # cp /var/www/html/rhel84/EFI/BOOT/* /var/www/html/EFI/rhel84/
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  Edit /var/www/html/EFI/rhel84/grub.cfg to specify the boot params for the VM (attached for convenience)

  libvirt "default" network configuration to UEFI+HTTP boot (path to BOOTX64: http://192.168.122.1/EFI/rhel84/BOOTX64.EFI):
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  <network xmlns:dnsmasq='http://libvirt.org/schemas/network/dnsmasq/1.0' connections='1'>
  <name>default</name>
  <uuid>e2d07733-03c4-448c-a9b1-5b192f7010a9</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:5a:ef:0d'/>
  <domain name='libvirt' localOnly='yes'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
  <dnsmasq:options>
    <dnsmasq:option value='dhcp-vendorclass=set:efi-http,HTTPClient:Arch:00016'/>
    <dnsmasq:option value='dhcp-option-force=tag:efi-http,60,HTTPClient'/>
    <dnsmasq:option value='dhcp-boot=tag:efi-http,&quot;http://192.168.122.1/EFI/rhel84/BOOTX64.EFI&quot;'/>
  </dnsmasq:options>
  </network>
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  tpm8.4 XML attached for convenience

  kickstart "tpm8.ks" attached for convenience (root password: "redhat")


Actual results:

"clevis luks bind" aborts.


Expected results:

Success

Comment 1 Renaud Métrich 2021-07-05 12:16:24 UTC

Created attachment 1798120 [details]
Grub config to install the VM

Comment 2 Renaud Métrich 2021-07-05 12:17:44 UTC

Created attachment 1798122 [details]
libvirt "default" network XML to be able to UEFI+HTTP boot

Comment 3 Ondrej Kozina 2021-07-08 09:02:50 UTC

Cryptsetup simply can not change defaults here. The utility does not know the use case for the keyslot and it aims to achieve highest security possible for the user by default.

cryptsetup luksAddKey action aims to use half system memory with argon2 pbkdf (or 1GiB whatever hits first). But yes, if the system is under memory pressure it leads to oom. Please mind that memory cost is core feature of memory hard pbkdf function. It serves to protect LUKS2 passphrases against parallel attack performed on systems with high parallel core count but expensive memory (GPUs).

I see following posibilities:

a) you can lower memory cost of pbkdf by adding --pbkdf-memory limit in KiB
b) you can switch to back to pbkdf2 with --pbkdf pbkdf2

this needs to be verified by clevis/tang maintainer:
c) Maybe clevis can safely switch to minimal pbkdf values since I expect new passphrase provided by clevis during luksAddKey action is in fact cryptographicly strong key (key generated with high entropy).

Is that correct Sergio?

example for c) would look like this:

cryptsetup luksAddKey cryptsetup luksAddKey --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --key-file <(echo -n "${existing_key}") "$DEV"

But please bear in mind that c) is safe only if the 'new_passphrase' is generated using approved random key generator. I don't know clevis/tang internals good enough to verify that.

Comment 4 Ondrej Kozina 2021-07-08 09:05:35 UTC

Systemd does something very similar when it's aware new passphrase has key generated with high entropy

Comment 5 Sergio Correia 2021-07-08 12:13:57 UTC

(In reply to Ondrej Kozina from comment #3)

[...]

> 
> this needs to be verified by clevis/tang maintainer:
> c) Maybe clevis can safely switch to minimal pbkdf values since I expect new
> passphrase provided by clevis during luksAddKey action is in fact
> cryptographicly strong key (key generated with high entropy).
> 
> Is that correct Sergio?
> 

Yes -- the key is currently generated with pwmake and 256 bits of entropy.

> example for c) would look like this:
> 
> cryptsetup luksAddKey cryptsetup luksAddKey --pbkdf pbkdf2
> --pbkdf-force-iterations 1000 --key-file <(echo -n "${existing_key}") "$DEV"
> 

Renaud: could you check if something like this helps?

> But please bear in mind that c) is safe only if the 'new_passphrase' is
> generated using approved random key generator. I don't know clevis/tang
> internals good enough to verify that.

Comment 6 Ondrej Kozina 2021-07-08 12:24:33 UTC

(In reply to Sergio Correia from comment #5)
> (In reply to Ondrej Kozina from comment #3)
> 
> [...]
> 
> > 
> > this needs to be verified by clevis/tang maintainer:
> > c) Maybe clevis can safely switch to minimal pbkdf values since I expect new
> > passphrase provided by clevis during luksAddKey action is in fact
> > cryptographicly strong key (key generated with high entropy).
> > 
> > Is that correct Sergio?
> > 
> 
> Yes -- the key is currently generated with pwmake and 256 bits of entropy.
> 
> > example for c) would look like this:
> > 
> > cryptsetup luksAddKey cryptsetup luksAddKey --pbkdf pbkdf2
> > --pbkdf-force-iterations 1000 --key-file <(echo -n "${existing_key}") "$DEV"
> > 
> 
> Renaud: could you check if something like this helps?

I had a typo in the example, use this one instead:

cryptsetup luksAddKey --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --key-file <(echo -n "${existing_key}") "$DEV""

Comment 7 Renaud Métrich 2021-07-08 13:35:51 UTC

I can confirm this works fine on a 2GB system which has not much free during installation:

[anaconda root@vm-tpm84 ~]# free
              total        used        free      shared  buff/cache   available
Mem:        2005084     1087568       70380      388900      847136      364996
Swap:       4102228      723456     3378772

Comment 8 Ondrej Kozina 2021-07-08 15:07:47 UTC

as per comment #7 I'm moving it clevis/tang. This change seems reasonable and it would also speed up clevis/tang based device activations with safe clevis generated LUKS2 passphrases.

Comment 13 Renaud Métrich 2022-01-07 08:57:27 UTC

I don't manage to reproduce on my 8.4 VMs anymore, but now I have some issue with the TPM, could be the reason.

Comment 18 errata-xmlrpc 2022-05-10 13:52:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (clevis bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1857

Note You need to log in before you can comment on or make changes to this bug.