Tomb 2.9.0 as root with smartcard [Bug? + Workaround] #449
Comments
Hi @so-rose and thanks for the detailed description! I suspect that it may be possible to detect the specific situation of calling tomb from root user and then add the pinentry-loopback option to gpg invocation.

@jaromil Sure thing! Hoped it might be of help to others. Would you be open to a PR that detects root invocation (not just sudo) and injects If you'd like, I could also document the firmware-key usage somewhere. I don't know where would be best, though?

Yes, that would be good, as long as it doesn't break current tests.

Hi @so-rose ! in case you are still up for this, I keep this issue open. It is a very interesting use case so please let us know if we can link your docs on firmware-key usage and of course you are welcome to file such a PR, else I'll do it myself.

Will try, any help crafting the right check is very welcome.
A little background first. I'm using Secure Boot, which requires one to sign kernel modules with a user-generated, firmware-enrolled key. Anybody with this key can theoretically execute kernel-level code. Therefore, I'm attempting to use `tomb` to make these keys inaccessible without a GPG private key, stored on a piece of hardware (Yubikey).

This is my setup for running tomb:

- `uname -a`: `Linux <> 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64 GNU/Linux`
- `root` (Secure Boot kernel module signing keys shouldn't touch non-root users)

I'm running the following commands as `root`, with no preexisting `/root/.gnupg`:

The Problem

Running a similar script (`s/root/$HOME/g`) as a normal user works perfectly: the GUI pinentry shows, all is well.

As `root`, however, `tomb lock` fails insisting that there's no valid password (`<>` is redaction):

It seems like `gpg` can't find anywhere to launch its `pinentry`. I observed:

- `pinentry` never launches. Neither in the terminal nor the GUI. Switching `pinentry` to point at `pinentry-tty` also doesn't help. This makes this problem distinct from the solved Unable to lock tomb using GPG #251.
- Switching `pinentry` out to point to `pinentry-tty` (using `update-alternatives`) does have two effects:
  - `Inappropriate ioctl for device` is switched out for `Invalid IPC response`.
  - `gnome3:curses` alone is switched out for `tty`.

All in all, it seems like `gpg` doesn't know how to launch the `pinentry`, and thus just fails. `tomb` gets no secret to unlock the key with, and thus - no `tomb` ☹️

The Workaround

I noticed that the end of `gpg_decrypt` was where the critical `gpg` invocation was in the locking/opening procedure:

Tomb/tomb, lines 1118 to 1121 in f35ad11

As it seemed like the `pinentry-mode` was an issue, I tried setting `/root/.gnupg/gpg.conf` after reading things like https://superuser.com/questions/520980/how-to-force-gpg-to-use-console-mode-pinentry-to-prompt-for-passwords, but this didn't seem to get picked up on.

Finally, because of answers like https://stackoverflow.com/questions/18123918/why-is-gpg-not-working-even-with-pinentry-installed, I tried adding `--pinentry-mode loopback`:

Now, when I run the same command as `root`, it works!

Again, it's curious that it still doesn't call the pinentry. This also breaks `tomb` when used as a non-root user.

Patch

If I understood the problem better, I'd be happy to suggest a PR. Perhaps a CLI option to explicitly turn on loopback pinentry? For now, I just have a patch (works on the Debian 11 version of `tomb`; I haven't tested upstream. It should be easy enough to modify the line number `1123` below to work on any `tomb` install).

`tomb-loopback.patch`, used with:

Whenever I need to run `tomb` as `root`, I just wrap it in the patch:

When actually signing kernel modules via DKMS, I just modified `/etc/dkms/sign_helper.sh` to patch `tomb`, open `mok.tomb` (with GPG and `-p`, to avoid `chown`ing files to a user calling via `sudo`), sign, `tomb slam` and unpatch `tomb`.

Thus, it's been achieved that no kernel modules can be signed without the presence of the smartcard w/the GPG private key 😄

System Info

Here's `tomb -v`:
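As an added example (not tomb's own code and not the reporter's patch), the check discussed above in POSIX shell: `--pinentry-mode loopback` is passed to gpg only when the caller is root, or when the caller explicitly opts in, so the loopback workaround does not break the normal pinentry for non-root users. The function names `gpg_pinentry_opts` and `build_gpg_cmd`, the `TOMB_FORCE_LOOPBACK` variable and the `keyfile.gpg` name are assumptions made for this example; the uid and the opt-in flag are passed as arguments so the logic can be exercised without actually running as root.

```shell
#!/bin/sh
# Added example, not tomb's own code and not the reporter's patch.
# Decide whether gpg should get "--pinentry-mode loopback" based on who is
# invoking the script: root (direct login or sudo) gets loopback, everyone
# else keeps the regular pinentry.
#
# Hypothetical names: gpg_pinentry_opts, build_gpg_cmd, TOMB_FORCE_LOOPBACK
# and keyfile.gpg are assumptions for this example. Real code would pass
# "$(id -u)" as the uid.

# gpg_pinentry_opts UID FORCE
#   UID   - effective user id of the caller
#   FORCE - "yes" to force loopback regardless of uid (stands in for the
#           explicit CLI option proposed in the issue); anything else: no
# Prints the extra gpg option, or an empty line when none is needed.
gpg_pinentry_opts() {
    uid="$1"
    force="$2"
    # Reject a non-numeric uid instead of letting "-eq" fail noisily later.
    case "$uid" in
        ''|*[!0-9]*) echo "gpg_pinentry_opts: bad uid '$uid'" >&2; return 1 ;;
    esac
    if [ "$uid" -eq 0 ] || [ "$force" = "yes" ]; then
        # root: gpg-agent has no usable pinentry here, so let gpg take the
        # passphrase from the caller instead of trying to launch one.
        printf '%s\n' "--pinentry-mode loopback"
    else
        printf '%s\n' ""
    fi
}

# build_gpg_cmd UID FORCE
# Echo the gpg command line that would be run for this context. Only the
# string is built; nothing is executed.
build_gpg_cmd() {
    opts=$(gpg_pinentry_opts "$1" "$2") || return 1
    printf '%s\n' "gpg --batch --quiet ${opts:+$opts }--decrypt keyfile.gpg"
}

# Stand-alone demo: show the command line the current user would get.
build_gpg_cmd "$(id -u)" "${TOMB_FORCE_LOOPBACK:-}"
```

Running the file as a normal user prints `gpg --batch --quiet --decrypt keyfile.gpg`; as root, or with `TOMB_FORCE_LOOPBACK=yes`, the loopback option is spliced in before `--decrypt`.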