Package: clevis-initramfs
Version: 19-2
Severity: important
Dear Maintainer,
I discovered that clevis LUKS2 decrypt blocks the possibility to enter a
passphrase if a clevis token is not bound to a LUKS2 keyslot.
After several decryption retries it ends up at the initramfs prompt.
The root cause is that in the initrd script scripts/local-top/clevis, in function
luks2_decrypt, existing unbound clevis tokens are not filtered out but are
decrypted and passed to PASSFIFO anyway.
It is reproducible with clevis luks bind, e.g.:
clevis luks bind -f -y -k <our-keyfile> -d <root_device> tpm2 <PCR_bind>
Then remove the keyslot of a token/keyslot pair with:
cryptsetup luksKillSlot <root_device> <keyslot number>
With cryptsetup luksDump <root_device> you would then see, e.g.:
...
Tokens:
0: clevis
Digests:
...
After a reboot, clevis obviously cannot decrypt, but furthermore it is impossible
to enter the passphrase.
Suggestion to fix:
---------------------------------------------------------------
--- /usr/share/initramfs-tools/scripts/local-top/clevis
+++ /usr/share/initramfs-tools/scripts/local-top/clevis
@@ -78,7 +78,8 @@ luks1_decrypt() {
luks2_decrypt() {
local CRYPTTAB_SOURCE=$1
local PASSFIFO=$2
- cryptsetup luksDump "$CRYPTTAB_SOURCE" | sed -rn 's|^\s+([0-9]+):
clevis|\1|p' | while read -r
id; do
+ # Just utilise keyslot assigned token
+ cryptsetup luksDump "$CRYPTTAB_SOURCE" | awk '{ if( $1 == "Keyslot:" &&
token == "clevis" && id
>= 0 && $2 >= 0 ) {printf( "%d\n", id);}; id = $1; token = $2 ;}' | while read
>-r id ; do
# jose jwe fmt -c outputs extra \n, so clean it up
cte=$(cryptsetup token export --token-id "$id" "$CRYPTTAB_SOURCE")
[ $? -eq 0 ] || continue
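Review bot: In the new awk filter, `id = $1` keeps the token header's trailing colon (e.g. "0:"), so the `id >= 0` guard is a string comparison against the colon-suffixed value and only the final `printf("%d")` happens to strip it; strip it explicitly (`id = $1; sub(/:$/, "", id)`) or match the header with `$1 ~ /^[0-9]+:$/` so the check does what the comment implies. The filter also relies on the "Keyslot:" line following immediately after the "N: clevis" line and, unlike the sed it replaces (`^\s+([0-9]+): clevis`), no longer anchors on the indented token header or scopes to the Tokens: section, so any line whose second field is "clevis" followed by a "Keyslot:" line would be accepted; keeping an `/^[ \t]+[0-9]+: clevis$/` test on the header line would preserve the old precision. Finally, the comment "Just utilise keyslot assigned token" should state the actual intent: tokens without a "Keyslot:" entry (orphaned after luksKillSlot) are skipped so they are never exported and written to PASSFIFO.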
---------------------------------------------------------------
This could also be fixed with a bash loop without awk or sed if newer bash
syntax would be OK.
Cheers,
Wolf
-- System Information:
Debian Release: 12.11
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-37-amd64 (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages clevis-initramfs depends on:
ii clevis-luks 19-2
ii initramfs-tools 0.142+deb12u3
clevis-initramfs recommends no packages.
clevis-initramfs suggests no packages.
-- no debconf information
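The filtering step the report describes, as an added, stand-alone example written for this page (it is not the reporter's patch and not code from the clevis package): a POSIX sh function that reads `cryptsetup luksDump` output on stdin and prints only the IDs of clevis tokens that still have at least one keyslot assigned, so an orphaned token left behind by `luksKillSlot` is never exported and pushed to PASSFIFO. The luksDump text below is a constructed sample (token 0 orphaned, token 1 bound, token 2 a non-clevis token); the function name `clevis_bound_token_ids` is an invented one. Unlike the awk in the patch, it scopes the match to the Tokens: section and tolerates tokens that list more than one Keyslot: line.

```shell
#!/bin/sh
# Added example, not part of the bug report or of clevis-initramfs.
# Filters `cryptsetup luksDump` output down to clevis token IDs that are
# still bound to a keyslot. Runs under dash (the initramfs /bin/sh).

# Constructed sample of LUKS2 luksDump output. Real output indents the
# attribute lines with a tab; awk field splitting handles tab or spaces.
# Token 0 is orphaned (its keyslot was removed with luksKillSlot),
# token 1 is bound to keyslot 1, token 2 is a non-clevis token.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          9

Keyslots:
  1: luks2
    Key:        512 bits
    Priority:   normal
Tokens:
  0: clevis
  1: clevis
    Keyslot:    1
  2: systemd-tpm2
    Keyslot:    2
Digests:
  0: pbkdf2
    Hash:       sha256'

# Print, one per line, the IDs of clevis tokens with at least one keyslot.
# Reads luksDump output on stdin.
clevis_bound_token_ids() {
    awk '
        # Top-level section headers ("Keyslots:", "Tokens:", "Digests:", ...)
        # start in column 0 and end with a colon. Token entries are only
        # meaningful inside "Tokens:".
        /^[A-Za-z][A-Za-z ]*:$/ { section = $1; id = ""; type = ""; next }
        section != "Tokens:"    { next }
        # Token header, e.g. "  0: clevis": remember the numeric ID (colon
        # stripped) and the token type; reset the per-token emitted flag.
        /^[ \t]+[0-9]+: /       { id = $1; sub(/:$/, "", id); type = $2; seen = 0; next }
        # A "Keyslot:    N" line under a clevis token proves it is bound.
        # Emit the ID once even if several keyslots are listed.
        $1 == "Keyslot:" && type == "clevis" && $2 ~ /^[0-9]+$/ && !seen {
            print id; seen = 1
        }
    '
}

# Stand-alone demonstration: only token 1 should be printed.
printf '%s\n' "$SAMPLE_DUMP" | clevis_bound_token_ids
```

In the initrd script this would replace the sed/awk pipeline, i.e. `cryptsetup luksDump "$CRYPTTAB_SOURCE" | clevis_bound_token_ids | while read -r id; do ...`, so the loop body only ever calls `cryptsetup token export` for tokens that can actually unlock a keyslot and the passphrase prompt is reached when none can.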