Jammy verification:

Part 1:

FIPS enabled: 
ubuntu@superb-doe:~$ cat /proc/sys/crypto/fips_enabled
1

Clevis version installed:
ubuntu@superb-doe:~$ apt list clevis
Listing... Done
clevis/jammy-proposed,now 18-1ubuntu1.1 amd64 [installed]
N: There is 1 additional version. Please use the '-a' switch to see it


4. ubuntu@superb-doe:~$ sudo parted /dev/vdb -- mklabel gpt
Warning: The existing disk label on /dev/vdb will be destroyed and all data on 
this disk will be lost. Do you want to continue?
Yes/No? Y
Information: You may need to update /etc/fstab.

ubuntu@superb-doe:~$ sudo parted /dev/vdb -- mkpart primary 0% 100%
Information: You may need to update /etc/fstab.


5. ubuntu@superb-doe:~$ sudo OPENSSL_FORCE_FIPS_MODE=0 cryptsetup luksOpen /dev/vdb1
Command requires device and mapped name as arguments.

ubuntu@superb-doe:~$ sudo OPENSSL_FORCE_FIPS_MODE=0 cryptsetup luksOpen /dev/vdb1 tpm-disk
Enter passphrase for /dev/vdb1: 

6. ubuntu@superb-doe:~$ sudo OPENSSL_FORCE_FIPS_MODE=0 clevis luks bind -d /dev/vdb1 tpm2 '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"6"}'
Enter existing LUKS password: 
Warning: Value 512 is outside of the allowed entropy range, adjusting it.

7. As we can see, pbkdf2 was added:
ubuntu@superb-doe:~$ sudo cryptsetup luksDump /dev/vdb1 | grep PBKDF:
        PBKDF:      argon2id
        PBKDF:      pbkdf2


Part 2: verifying if older argon2id drives are still accessible
1. Confirm that the non-proposed version is installed:

ubuntu@superb-doe:~$ apt list clevis -a
Listing... Done
clevis/jammy-proposed 18-1ubuntu1.1 amd64 [upgradable from: 18-1ubuntu1]
clevis/jammy,now 18-1ubuntu1 amd64 [installed,upgradable to: 18-1ubuntu1.1]

Make sure that argon2id is used:

ubuntu@superb-doe:~$ sudo OPENSSL_FORCE_FIPS_MODE=0 clevis luks bind -d /dev/vdb1 tpm2 '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"6"}'
Enter existing LUKS password: 
Warning: Value 512 is outside of the allowed entropy range, adjusting it.
ubuntu@superb-doe:~$ sudo cryptsetup luksDump /dev/vdb1 | grep PBKDF:
        PBKDF:      argon2id
        PBKDF:      pbkdf2
        PBKDF:      argon2id

2. Mount and add data to the drive while using argon2id:

ubuntu@superb-doe:~$ sudo mkfs.ext4 /dev/mapper/tpm-disk 
mke2fs 1.46.5 (30-Dec-2021)
Creating filesystem with 257536 4k blocks and 64384 inodes
Filesystem UUID: 32ffc09e-c2bc-43f4-baf8-34a5b11b1d27
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

ubuntu@superb-doe:~$ mkdir mnt-tpm
ubuntu@superb-doe:~$ sudo mount -t ext4 /dev/mapper/tpm-disk /home/ubuntu/mnt-tpm
ubuntu@superb-doe:~/mnt-tpm$ sudo touch test-file
ubuntu@superb-doe:~/mnt-tpm$ cat test-file 
Hello world!

We can see that the file contains "Hello world!".

3. Now, after upgrading clevis back to -proposed to use pbkdf2:

ubuntu@superb-doe:~$ sudo umount /home/ubuntu/mnt-tpm 
ubuntu@superb-doe:~$ sudo OPENSSL_FORCE_FIPS_MODE=0 cryptsetup luksClose tpm-disk
ubuntu@superb-doe:~$ apt list clevis 
Listing... Done
clevis/jammy-proposed,now 18-1ubuntu1.1 amd64 [installed]
N: There is 1 additional version. Please use the '-a' switch to see it

4. Open the LUKS drive:

ubuntu@superb-doe:~$ sudo OPENSSL_FORCE_FIPS_MODE=0 cryptsetup luksOpen /dev/vdb1 tpm-disk
Enter passphrase for /dev/vdb1: 
ubuntu@superb-doe:~$ sudo mount -t ext4 /dev/mapper/tpm-disk /home/ubuntu/mnt-tpm/

5. Verify that the files are accessible:

ubuntu@superb-doe:~$ sudo cryptsetup luksDump /dev/vdb1 | grep PBKDF:
        PBKDF:      argon2id
        PBKDF:      pbkdf2
        PBKDF:      argon2id
ubuntu@superb-doe:~$ cat mnt-tpm/test-file 
Hello world!
ubuntu@superb-doe:~$ 

This confirms that the argon2id files are still accessible!


** Tags removed: verification-needed-jammy
** Tags added: verification-done-jammy

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2073429

Title:
  Jammy clevis forces argon2id for keyslots

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clevis/+bug/2073429/+subscriptions


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
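Added example, not part of the bug report and not code from clevis or cryptsetup: a POSIX shell check that parses `cryptsetup luksDump` output the way the `grep PBKDF:` steps above do by hand, but also maps each PBKDF to its keyslot and marks which keyslot the clevis token binds, so it can fail when the clevis-bound keyslot still uses argon2id instead of pbkdf2 on a FIPS-enabled host while leaving the passphrase keyslot's argon2id untouched. The dump is a constructed, abridged sample and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed, abridged `cryptsetup luksDump` output (hypothetical values): keyslot 0 is the
# passphrase slot (argon2id), keyslot 1 was added by clevis (pbkdf2) and is referenced by a
# clevis token. Real output carries more fields per slot; the parser only reads these.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256'

# Read a luksDump on stdin; print "<slot> <pbkdf> <clevis|passphrase>" per keyslot.
# Usage on a live device: sudo cryptsetup luksDump /dev/vdb1 | keyslot_pbkdf_report
keyslot_pbkdf_report() {
    awk '
        /^Keyslots:/ { section = "keyslots"; next }
        /^Tokens:/   { section = "tokens"; next }
        /^[A-Za-z]/  { section = ""; next }              # any other top-level heading
        section == "keyslots" && /^  [0-9]+: / { sub(":", "", $1); slot = $1; next }
        section == "keyslots" && $1 == "PBKDF:" { pbkdf[slot] = $2; next }
        section == "tokens" && /^  [0-9]+: clevis/ { in_clevis = 1; next }
        section == "tokens" && /^  [0-9]+: / { in_clevis = 0; next }
        section == "tokens" && in_clevis && $1 == "Keyslot:" { bound[$2] = 1; next }
        END {
            for (s in pbkdf)
                printf "%s %s %s\n", s, pbkdf[s], (s in bound) ? "clevis" : "passphrase"
        }' | sort -n
}

# Exit 0 when every clevis-bound keyslot uses pbkdf2 (the FIPS-approved KDF), 1 otherwise.
# Passphrase keyslots may keep argon2id: the verification above shows they stay readable.
clevis_keyslots_fips_ok() {
    keyslot_pbkdf_report | awk '$3 == "clevis" && $2 != "pbkdf2" { bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | keyslot_pbkdf_report
printf '%s\n' "$SAMPLE_DUMP" | clevis_keyslots_fips_ok && echo "clevis keyslots: FIPS OK"
```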