Bug description
When sealing the LUKS key to the TPM (sealed/unsealed by LUKS TPM Disk Unlock Key passphrase), I got this output:
[ 192.208330] TRACE: /bin/kexec-seal-key(35): main
[ 192.211658] DEBUG: Devices defined for disk encryption: /dev/sda3
[ 192.213755] DEBUG: No LVM volume group defined for activation
[ 192.514490] DEBUG: PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 192.515795] PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 192.517103] PCR-02: A2 78 22 B9 0E 91 18 88 10 B8 C1 11 17 08 BA 28 1C 09 10 E4
[ 192.518412] PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 192.519734] PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 192.521078] PCR-05: 22 CE 9A 09 AA 87 AB 11 1B 27 15 38 D9 FD 19 38 1D FE 17 18
[ 192.522398] PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 192.523739] PCR-07: 14 9A 1B 54 81 1E 22 91 CB 19 5C A8 27 EE C5 1F 86 1B 3C 9E
Enter LUKS Disk Recovery Key (DRK) passphrase that can unlock /dev/sda3
[ 222.527207] DEBUG: Testing /tmp/secret/recovery.key keyfile created from provided passphrase against /dev/sda3 individual key slots
++++++ /dev/sda3: LUKS device unlocked successfully with the DRK passphrase
New LUKS TPM Disk Unlock Key (DUK) passphrase for booting:
Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting:
++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by LUKS TPM Disk Unlock Key passphrase
[ 312.383080] DEBUG: /dev/sda3: LUCKv2 device detected
[ 312.389215] DEBUG: /dev/sda3 LUKS key slots: 0 1 (unbound)
[ 312.391667] DEBUG: Testing LUKS key slot 0 against /tmp/secret/recovery.key for Disk Recovery Key slot...
[ 312.393880] DEBUG: cryptsetup open --test-passphrase --key-slot 0 --key-file /tmp/secret/recovery.key /dev/sda3
[ 313.331333] DEBUG: cryptsetup: exited with status 1
[ 313.333545] DEBUG: Testing LUKS key slot 1 against /tmp/secret/recovery.key for Disk Recovery Key slot...
[ 313.335802] DEBUG: cryptsetup open --test-passphrase --key-slot 1 --key-file /tmp/secret/recovery.key /dev/sda3
[ 314.106563] DEBUG: cryptsetup: exited with status 1
[ 314.108802] DEBUG: Testing LUKS key slot (unbound) against /tmp/secret/recovery.key for Disk Recovery Key slot...
[ 314.111261] DEBUG: cryptsetup open --test-passphrase --key-slot (unbound) --key-file /tmp/secret/recovery.key /dev/sda3
Usage: cryptsetup [-?VqrvyN] [-?|--help] [--usage] [-V|--version] [--active-name=STRING] [--align-payload=SECTORS] [--allow-discards]
[-q|--batch-mode] [--cancel-deferred] [-c|--cipher=STRING] [--debug] [--debug-json] [--decrypt] [--deferred]
[--device-size=bytes] [--disable-blkid] [--disable-external-tokens] [--disable-keyring] [--disable-locks]
[--disable-veracrypt] [--dump-json-metadata] [--dump-volume-key] [--encrypt] [--external-tokens-path=STRING]
[--force-password] [--force-offline-reencrypt] [--force-no-keyslots] [-h|--hash=STRING] [--header=STRING]
[--header-backup-file=STRING] [--hotzone-size=bytes] [--hw-opal] [--hw-opal-factory-reset] [--hw-opal-only] [--init-only]
[-I|--integrity=STRING] [--integrity-inline] [--integrity-key-size=BITS] [--integrity-legacy-padding] [--integrity-no-journal]
[--integrity-no-wipe] [-i|--iter-time=msecs] [--iv-large-sectors] [--json-file=STRING] [--keep-key] [--key-description=STRING]
[-d|--key-file=STRING] [-s|--key-size=BITS] [-S|--key-slot=INT] [--keyfile-offset=bytes] [-l|--keyfile-size=bytes]
[--keyslot-cipher=STRING] [--keyslot-key-size=BITS] [--label=STRING] [--link-vk-to-keyring=STRING]
[--luks2-keyslots-size=bytes] [--luks2-metadata-size=bytes] [--new-keyfile=STRING] [--new-keyfile-offset=bytes]
[--new-keyfile-size=bytes] [--new-key-description=STRING] [--new-key-size=BITS] [--new-key-slot=INT] [--new-token-id=INT]
[--new-volume-key-file=STRING] [--new-volume-key-keyring=STRING] [-o|--offset=SECTORS] [--pbkdf=STRING]
[--pbkdf-force-iterations=LONG] [--pbkdf-memory=kilobytes] [--pbkdf-parallel=threads] [--perf-high_priority]
[--perf-no_read_workqueue] [--perf-no_write_workqueue] [--perf-same_cpu_crypt] [--perf-submit_from_crypt_cpus] [--persistent]
[--priority=STRING] [--progress-json] [--progress-frequency=secs] [-r|--readonly] [--reduce-device-size=bytes] [--refresh]
[--resilience=STRING] [--resilience-hash=STRING] [--resume-only] [--sector-size=INT] [--serialize-memory-hard-pbkdf]
[--shared] [-b|--size=SECTORS] [-p|--skip=SECTORS] [--subsystem=STRING] [--test-args] [--test-passphrase] [-t|--timeout=secs]
[--token-id=INT] [--token-only] [--token-replace] [--token-type=STRING] [--tcrypt-backup] [--tcrypt-hidden] [--tcrypt-system]
[-T|--tries=INT] [-M|--type=STRING] [--unbound] [--use-random] [--use-urandom] [--uuid=STRING] [--veracrypt]
[--veracrypt-pim=INT] [--veracrypt-query-pim] [-v|--verbose] [-y|--verify-passphrase] [--volume-key-file=STRING]
[--volume-key-keyring=STRING] [-B|--block-size=MiB] [-N|--new] [--use-directio] [--use-fsync] [--write-log]
[--dump-master-key] [--master-key-file=STRING] [OPTION...] <action> <action-specific>
cryptsetup: invalid numeric value
[ 314.145573] DEBUG: cryptsetup: exited with status 1
[ 314.145573] *** WARNING: LUKS key slot 0 is not typical (31 expected) for TPM Disk Unlock Key setup ***
Are you sure you want to wipe it? [y/N]
This is because I have unbound keyslots and kexec-seal-key thinks (unbound) is a keyslot number.
For reference, here is the output of luksDump:
user@home:~$ sudo cryptsetup luksDump /dev/sda3
[sudo] password for amnesia:
LUKS header information
Version: 2
Epoch: 5
Metadata area: 16136 [bytes]
Keyslots area: 16742147 [bytes]
UUID: 783b4383-ab13-bc61-3115-1856ce149cef
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Requirements: online-reencrypt-v2
Data segments:
0: crypt
offset: 16777114 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
1: crypt
offset: 16777114 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
flags : backup-previous
2: crypt
offset: 16777114 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
flags : backup-final
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 489918
Threads: 4
Salt: 7c bd 7a 75 6d 62 7c 0d 05 87 19 64 d7 4f e3 0b
76 ac 34 25 10 c7 6c 65 da 02 36 c2 af 6c 58 d8
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
1: luks2 (unbound)
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 489918
Threads: 4
Salt: fb 4a 3f 34 3b 93 68 0a 78 f9 79 49 57 38 91 d1
ac 22 00 f0 9b e7 4f 81 66 44 26 e9 79 8a 5d b4
AF stripes: 4000
AF hash: sha256
Area offset:290816 [bytes]
Area length:258048 [bytes]
Digest ID: 1
2: reencrypt (unbound)
Key: 8 bits
Priority: ignored
Mode: reencrypt
Direction: forward
Resilience: none
Area offset:548814 [bytes]
Area length:16228147 [bytes]
Digest ID: 2
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 84236
Salt: b5 85 e6 48 c4 76 d8 70 8b ba 37 a8 56 14 82 aa
eb 09 18 be 05 47 87 d8 a7 d9 85 e6 7b b3 c8 df
Digest: 11 94 01 0e da 7c 86 d5 d6 78 7c d2 95 93 3c 69
e9 bf 47 8d c4 25 fb 0a cf f7 13 45 5d fe 9c 39
1: pbkdf2
Hash: sha256
Iterations: 1000
Salt: 97 ea c8 5f 90 f0 34 d1 86 ac 21 a6 dc 4c 95 15
40 57 7c 52 af 33 0b f4 e9 09 04 3c 27 2b 0c d0
Digest: e2 5c e7 54 76 8f 40 b5 96 f9 47 64 db 24 7e 8f
62 71 ed b7 f7 51 02 6f 66 18 d0 f6 a9 04 5b 13
2: pbkdf2
Hash: sha256
Iterations: 1000
Salt: 3a 15 9c a5 30 ba 66 a6 7a 13 34 ad b4 2a 56 13
c2 98 d6 21 24 21 55 e6 b0 6b 20 92 dc 67 1e f5
Digest: dc 09 a3 b7 5c e2 06 47 e1 cd 4b 7b eb 89 fa cc
f4 be 46 5c 83 98 b8 8a 14 28 1d f9 7c 72 8c 21
My configuration
Board: x230-hotp-maximized
ROM downloaded from heads CircleCI
Flashed via USB upgrade
Commit a44a0ab
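The parsing pitfall in this report, as an added example that is not part of the issue and not Heads' own kexec-seal-key code: a small POSIX shell parser that reads luksDump output, keeps only bound luks2 slots, lists the unbound and reencrypt slots separately for diagnostics, and validates that a slot id is numeric before it would ever reach cryptsetup --key-slot (which otherwise fails with "invalid numeric value", as seen above). The sample dump is constructed and abbreviated from the dump in this report, with the indentation cryptsetup normally prints; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: selecting LUKS2 key slots from `cryptsetup luksDump` output.
# Constructed sample dump (abbreviated from the report above; hypothetical
# values, not read from a real device). Note that "Data segments:" and
# "Digests:" reuse the ids 0, 1, 2, so the parser must stay inside "Keyslots:".
SAMPLE_DUMP='LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  1: luks2 (unbound)
        Key:        512 bits
  2: reencrypt (unbound)
        Key:        8 bits
        Mode:       reencrypt
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Print only the "Keyslots:" section (up to the "Tokens:" header).
keyslot_section() {
    printf '%s\n' "$1" | sed -n '/^Keyslots:/,/^Tokens:/p'
}

# Bound luks2 slots: "<n>: luks2" with nothing after the type. These are the
# only slots a passphrase can unlock, so only these are worth testing.
bound_keyslots() {
    keyslot_section "$1" \
      | grep -E '^[[:space:]]*[0-9]+:[[:space:]]+luks2[[:space:]]*$' \
      | sed -E 's/^[[:space:]]*([0-9]+):.*/\1/' \
      | tr '\n' ' ' | sed 's/ *$//'
}

# Unbound slots (including an in-progress "reencrypt" slot): reported by
# number for diagnostics; the "(unbound)" marker itself is never emitted.
unbound_keyslots() {
    keyslot_section "$1" \
      | grep -E '^[[:space:]]*[0-9]+:.*\(unbound\)' \
      | sed -E 's/^[[:space:]]*([0-9]+):.*/\1/' \
      | tr '\n' ' ' | sed 's/ *$//'
}

# Guard: only a non-empty, all-digit string is a valid --key-slot argument.
is_slot_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

main() {
    echo "bound slots:   $(bound_keyslots "$SAMPLE_DUMP")"
    echo "unbound slots: $(unbound_keyslots "$SAMPLE_DUMP")"
    # The literal "(unbound)" token is appended on purpose to show the guard
    # rejecting exactly the value that broke the run in the report.
    for slot in $(bound_keyslots "$SAMPLE_DUMP") '(unbound)'; do
        if is_slot_number "$slot"; then
            echo "would run: cryptsetup open --test-passphrase --key-slot $slot ..."
        else
            echo "skipping non-numeric slot id: $slot"
        fi
    done
}
main
```

Restricting the match to the Keyslots section matters as much as filtering out "(unbound)": the same dump shows "0: crypt" under Data segments and "0: pbkdf2" under Digests, and a header-wide grep for "^ *[0-9]+:" would pick those up too. Running the guard before every cryptsetup invocation also means a future change in luksDump wording degrades to a skipped slot rather than a confusing usage dump and a wrong "wipe key slot?" prompt.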