fedora iot-simplified-installer fdo re-encryption failed #3726
Comments
@runcom @7flying Could you please take a look at this bug? I found that a similar bug was filed before: https://bugzilla.redhat.com/show_bug.cgi?id=2220851
fdo client log: [simple@localhost home]$ journalctl -u fdo-client-linuxapp.service
fdo aio serviceinfo config file:
@yih-redhat we need the logs from the manufacturing-client.service, if you have them
That one was a TPM issue; I don't know yet if this will also be the case, but we'll need the manufacturing logs. Thanks
This might be an SELinux issue, I think. @yih-redhat Could you please check the SELinux fix from RHEL 9 in Fedora? Thanks.
Sure, could you please let me know the steps to check the SELinux fix?
I did find the denied AVC log below for /tmp/fdouser, but after I changed to using /var/lib/fdo/fdouser, I didn't see it anymore.
type=AVC msg=audit(10/09/2023 08:35:03.580:9660) : avc: denied { open } for pid=232024 comm=fdo-serviceinfo path=/tmp/fdouser dev="tmpfs" ino=251 scontext=system_u:system_r:fdo_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
It's an SELinux issue. The SELinux FDO fix in RHEL should be landed in Fedora.
This is what I've got:
So, it is SELinux, but not our typical case!
Linked the issue to our issue tracker: fedora-iot/iot-distro#8
Verifying this bug with build https://koji.fedoraproject.org/koji/buildinfo?buildID=2320649
Verified this bug with build https://koji.fedoraproject.org/koji/buildinfo?buildID=2320649: fixed, the FDO re-encryption works as expected.
Describe the bug
Provision an edge VM with iot-simplified-installer, install a failing health check unit and roll back, then check FDO re-encryption with the command "cryptsetup luksDump /dev/vda3". The expected result is that there is no "cipher_null-ecb" in the output, but actually "cipher_null-ecb" is in the output.
The same test passed on RHEL and CentOS Stream; the difference is that we check /dev/vda4 on those OSes, with the command "cryptsetup luksDump /dev/vda4", so I guess the root cause may be that the Fedora image only has /dev/vda3, while RHEL/CentOS have /dev/vda4.
Environment (/etc/os-release and /etc/redhat-release; rpm -qi osbuild-composer):
To Reproduce
Steps to reproduce the behavior:
"rpm-ostree install --cache-only https://s3.amazonaws.com/org.osbuild.test-dependencies/greenboot-failing-unit-1.0-1.el8.noarch.rpm --reboot"
[simple@localhost ~]$ sudo cryptsetup luksDump /dev/vda3
[sudo] password for simple:
LUKS header information
Version: 2
Epoch: 6
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 05ad1795-54bc-4a57-bb01-9082f86a774d
Label: crypt_root
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: cipher_null-ecb
sector: 512 [bytes]
Keyslots:
1: luks2
Key: 256 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha256
Iterations: 1000
Salt: 6c 19 c0 8e 05 f0 05 21 42 70 98 5a 07 c9 19 8a
d0 7a d8 ef 16 14 95 be 94 9e d2 d8 46 bf 16 0f
AF stripes: 4000
AF hash: sha256
Area offset:163840 [bytes]
Area length:131072 [bytes]
Digest ID: 0
Tokens:
0: clevis
Keyslot: 1
Digests:
0: pbkdf2
Hash: sha256
Iterations: 1000
Salt: 75 96 82 66 56 55 02 a1 0a 63 58 db b2 c9 60 fd
3b cd 8d fe ef cf 39 76 73 7d 68 8e b0 6f f7 aa
Digest: b9 fb 7b a8 6f 2b 91 20 e2 8f b7 b4 2a 6f 67 09
7e bf b3 2b 45 2b c1 1c be 23 d9 dc e0 54 f2 48
Expected behavior
There is no "cipher_null-ecb" in the output.
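The check the reporter performs by eye (no cipher_null-ecb in the luksDump data segment) as an added example; this is not code from the issue or from the FDO project. It parses the dump and flags a data segment that still uses a null cipher, distinguishing it from the keyslot's own cipher, which is aes-xts-plain64 even in the failed case; the abbreviated dump is copied from the report and the default device path is the report's /dev/vda3.

```python
import re
import subprocess

# Abbreviated copy of the luksDump output posted in the report (failure case).
FAILED_DUMP = """\
LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: cipher_null-ecb
        sector: 512 [bytes]
Keyslots:
  1: luks2
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
"""

SECTION_RE = re.compile(r"^(Data segments|Keyslots|Tokens|Digests):$")
ENTRY_RE = re.compile(r"^\s*(\d+):\s+\S+\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*?)\s*$")

def parse_luks_dump(dump):
    """Map each data segment and keyslot id to its cipher string."""
    found = {"data segments": {}, "keyslots": {}}
    section = entry = None
    for line in dump.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:                       # top-level section header
            section, entry = m.group(1).lower(), None
            continue
        m = ENTRY_RE.match(line)
        if m:                       # "0: crypt", "1: luks2", ...
            entry = m.group(1)
            continue
        m = FIELD_RE.match(line)    # "cipher: ..." but not "Cipher key: ..."
        if m and section in found and entry is not None and m.group(1).lower() == "cipher":
            found[section][entry] = m.group(2)
    return found

def reencryption_complete(dump):
    """True only when every data segment uses a real cipher (no cipher_null)."""
    segments = parse_luks_dump(dump)["data segments"]
    return bool(segments) and not any(c.startswith("cipher_null") for c in segments.values())

def check_device(device="/dev/vda3"):
    """Run the dump on a live device (needs root) and apply the same check."""
    out = subprocess.run(["cryptsetup", "luksDump", device],
                         check=True, capture_output=True, text=True).stdout
    return reencryption_complete(out)
```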