debcrafters-packages team mailing list archive
-
debcrafters-packages team
-
Mailing list archive
-
Message #06403
[Bug 2115391] Re: systemd-pcrlock log fails to read hyper-v vTPMs on Azure
Hello Matthew, or anyone else affected,
Accepted systemd into noble-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/systemd/255.4-1ubuntu8.11 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
noble to verification-done-noble. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-noble. In either case, without details of your testing we will
not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: systemd (Ubuntu Noble)
Status: In Progress => Fix Committed
** Tags added: verification-needed verification-needed-noble
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2115391
Title:
systemd-pcrlock log fails to read hyper-v vTPMs on Azure
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Noble:
Fix Committed
Bug description:
[Impact]
On Azure, running "systemd-pcrlock log" fails with:
$ sudo /usr/lib/systemd/systemd-pcrlock log
Hash algorithms in event log record don't match log.
This is because the hyper-v vTPMs announce the hash algorithms in the header
in a different order than what is actually written in the log. The patch changes
systemd-pcrlock to search for the correct mapping instead of using the order
in the header.
There are no workarounds.
[Testcase]
On Azure, boot a VM with Security type set to "Trusted launch virtual machines"
or "Confidential virtual machines".
I recommend "Trusted launch virtual machines" with size
Standard_D2s_v3.
Run systemd-pcrlock:
$ sudo /usr/lib/systemd/systemd-pcrlock log
Hash algorithms in event log record don't match log.
The expected result is a screenful of TPM PCR registers with their contents,
as well as a colour and an emoji indicating if the computed result is good or
not.
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf409402-test
If you install the test packages, systemd-pcrlock works as expected.
[Where problems can occur]
This changes how systemd-pcrlock opens and reads the tpm2 eventlog. This should
be just a readonly operation, so a regression would not tamper with or modify
any TPM PCR registers.
If a regression were to occur, users could potentially not be able to run
"systemd-pcrlock log" against their TPMs on their systems, and not be able to
verify attestation of their boot.
A regression could also prevent users from using systemd-pcrlock to predict the
next set of TPM PCR values when installing a new kernel image to their system,
which might mean they would have to determine the correct PCR values manually.
A workaround is to use the non-related tpm2-tools package for these calculations
and reading the eventlog.
[Other info]
This was fixed in 256-rc1 by:
commit e90a255e55e3af0effac927ccaa10c2662501e1a
From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
Date: Wed, 21 Feb 2024 14:43:42 +0100
Subject: pcrlock: handle measurement logs where hash algs in header
are announced in different order than in records
Link: https://github.com/systemd/systemd/commit/e90a255e55e3af0effac927ccaa10c2662501e1a
This is in oracular onward, and jammy doesn't have pcrlock, so only noble needs
the fix.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2115391/+subscriptions
References