Bug#975343: clevis encrypt tang fails with "Key derivation key not available!"

2020-11-24 Thread Dominique Dumont
On Tuesday, 24 November 2020 08:55:32 CET Christoph Biedl wrote:
> * Re-run tangd-update, the command
> 
> systemctl restart tangd-update.service
> 
>   should do the trick. Else manually something like

It did. 

I verified that /var/cache/tang/default.jws did not have «"key_ops":
["deriveKey"]» and then restarting tangd-update.service correctly
regenerated /var/cache/tang/default.jws.

Now the clevis command is working as expected.

Thanks for the help :-)



Bug#975343: clevis encrypt tang fails with "Key derivation key not available!"

2020-11-23 Thread Christoph Biedl
Control: reassign 975343 tang 7-1
Control: tags 975343 upstream
Control: retitle 975343 tang: Race condition between keygen and update, resulting in "Key derivation key not available!"
Control: severity 975343 important

Dominique Dumont wrote...

> $ echo foo | clevis encrypt tang '{"url": "http://192.168.1.14"}' > bar.txt
> The advertisement contains the following signing keys:
>
> jvCF5[...]8s5A
>
> Do you wish to trust these keys? [ynYN] y
> Key derivation key not available!

Okay, here's the story: tangd-keygen creates two files in /var/db/tang/, the
second one containing '(...)"key_ops":["deriveKey"](...)'. In parallel,
tangd-update takes all the files in that directory to build (among
others) /var/cache/tang/default.jws. Now if tangd-keygen hasn't finished
the job yet, the second one is not taken into account, and this happens
on slower hardware.

Possibly upstream was under the assumption that the multiple After=... in
tangd.socket are started serialized, not in parallel.

You can check your situation using the following command:

jq -r .payload 

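The check Christoph describes, written out as an added example (not code from the thread or from the tang/clevis projects): decode the payload of the advertisement JWS and confirm that at least one JWK in it carries `"key_ops":["deriveKey"]`, which is the key clevis needs. The advertisement structure assumed here is a flattened JWS JSON object with `payload`, `protected` and `signature` members; the sample keys and signature are constructed placeholders, and no signature verification is performed.

```python
import base64
import json

def b64url_decode(text: str) -> bytes:
    # JWS members are unpadded base64url; restore padding before decoding.
    text = text.rstrip("=")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")

def derive_keys(jws_text: str) -> list:
    """Return the JWKs in a tang advertisement whose key_ops include deriveKey.

    Only the 'payload' member is inspected; the signature is not verified here,
    because the question is whether tangd-update saw both key files.
    """
    jws = json.loads(jws_text)
    payload = json.loads(b64url_decode(jws["payload"]))
    return [k for k in payload.get("keys", [])
            if "deriveKey" in k.get("key_ops", [])]

def advertisement_usable(jws_text: str) -> bool:
    # Without a deriveKey key, clevis reports "Key derivation key not available!".
    return bool(derive_keys(jws_text))

def make_advertisement(keys: list) -> str:
    # Constructed stand-in for /var/cache/tang/default.jws (assumed flattened
    # JWS JSON); the protected header and signature are dummies, not ES512.
    return json.dumps({
        "payload": b64url_encode(json.dumps({"keys": keys}).encode()),
        "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
        "signature": b64url_encode(b"\x00" * 8),
    })

# Constructed keys; x/y are placeholders, not real P-521 coordinates.
SIGNING_KEY = {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"],
               "kty": "EC", "x": "placeholder-x", "y": "placeholder-y"}
DERIVE_KEY = {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"],
              "kty": "EC", "x": "placeholder-x", "y": "placeholder-y"}

COMPLETE_JWS = make_advertisement([SIGNING_KEY, DERIVE_KEY])
RACED_JWS = make_advertisement([SIGNING_KEY])  # second key file not yet written

if __name__ == "__main__":
    import sys
    # Pass the path to default.jws to check a real cache file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else COMPLETE_JWS
    print("usable" if advertisement_usable(text) else "missing deriveKey key")
```

If the script reports a missing deriveKey key on a live system, restarting tangd-update.service after tangd-keygen has finished rebuilds the cache, as the thread describes.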


Bug#975343: clevis encrypt tang fails with "Key derivation key not available!"

2020-11-23 Thread Christoph Biedl
Control: tags 975343 confirmed

Dominique Dumont wrote...

> When using tang on armhf, clevis fails:
> 
> $ echo foo | clevis encrypt tang '{"url": "http://192.168.1.14"}' > bar.txt
> The advertisement contains the following signing keys:
> 
> jvCF5[...]8s5A
> 
> Do you wish to trust these keys? [ynYN] y
> Key derivation key not available!

That's bad. The cause is probably tang, and also in buster. I'll do more
checks and will act according to my findings.

Thanks for reporting,

Christoph




Bug#975343: clevis encrypt tang fails with "Key derivation key not available!"

2020-11-20 Thread Dominique Dumont
Package: clevis
Version: 13-2
Severity: normal

Dear Maintainer,

I've set up clevis from Debian/unstable on an amd64 machine and tang
on an armhf system (an OLinuXino board).

When using tang on armhf, clevis fails:

$ echo foo | clevis encrypt tang '{"url": "http://192.168.1.14"}' > bar.txt
The advertisement contains the following signing keys:

jvCF5[...]8s5A

Do you wish to trust these keys? [ynYN] y
Key derivation key not available!


On the other hand, clevis runs fine when using tang installed on the
same amd64 system (which is somewhat less useful):

$ echo foo | clevis encrypt tang '{"url": "http://127.0.0.1"}' > bar.txt
The advertisement contains the following signing keys:

p4n0[...]f99qM

Do you wish to trust these keys? [ynYN] y


All the best



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages clevis depends on:
ii  cracklib-runtime    2.9.6-3.2+b2
ii  curl                7.72.0-1
ii  jose                10-3
ii  libc6               2.31-4
ii  libjansson4         2.13.1-1
ii  libjose0            10-3
ii  libpwquality-tools  1.4.2-1+b2
ii  libssl1.1           1.1.1h-1
ii  luksmeta            9-3

Versions of packages clevis recommends:
ii  cryptsetup-bin  2:2.3.4-1

clevis suggests no packages.

-- no debconf information