microsoft / lsvmtools Goto Github PK

Linux Shielded VM Tools -- Tools for managing shielded Linux VMs for use in Hyper-V

License: Other

Makefile 2.12% C 94.39% Shell 3.40% Batchfile 0.08% Vim Script 0.01%

lsvmtools's Issues

lsvmload.efi's assumptions about partition UUIDs or LUKS are undocumented

After careful artisanal crafting (because the scripts are a bit outdated by now), I've managed to do everything except get lsvmload to unlock a LUKS partition. Even with a manually entered passphrase.

I've tried all four combinations for RootDevice and RootDeviceLUKS values (PARTUUID-UUID, UUID-UUID, PARTUUID-PARTUIID, UUID-PARTUUID). If it's some other UUID then it's not generated or shown by the current lsvmprep utility.

I get the impression that UEFI block IO (BIO) might see something different or the Hyper-V UEFI implementation might, but it's unclear what it might be.

The disk is nicely GPT and the partitions are LUKS v1 (I also tried v2, but that didn't change anything).

Log output:

INFO: progress: Checking boot partition
ERROR: failed to find LUKS BIO for uuid: [[Replace with any UUID or PARTUUID]]
INFO: No LUKS BIO found
ERROR: GetBootDevice() failed
ERROR: failed to open the boot parition

Install lsvmtools-1.0.0-x86_64.tar.gz on rhel7.5, get some issues and boot failed

Hi,
I am trying to prepare shielded linux vhdx with rhel OS using lsvmtools-1.0.0-x86_64.tar.gz from https://github.com/Microsoft/lsvmtools/tree/master/binaries, after running ./lsvmprep, get error and failed to boot, could you help to check this? If I misunderstand the script, you can correct me, thanks!

Env:
Guest: rhel7.5, gen2, /root partition is encrypted with "passphrase"
Host: windows server 2016

1. Start vm with rhel7.5 OS and install lsvmtools package, when running lsvmprep, get error:

    # ./lsvmprep
    ./lsvmprep: shim not found

    Reason:
    the shim get value "/boot/efi/EFI/redhat/shim.efi
    /boot/efi/EFI/redhat/shimx64.efi"

    Resolve:
    Update lsvmprep line 159:
    shim=`ls /boot/efi/EFI/${vendor}/shim*.efi | grep -E "shim(x64)?.efi"`
    to
    shim=`ls /boot/efi/EFI/${vendor}/shim*.efi | grep -E "shim(x64)?.efi" | tail -1`


2. Check file scripts/encryptboot format /boot with ext3 not as comment says ext2. Should /boot filesystem be ext2 or ext3?

    251 ### Create EXT2 file system:
    252 mke2fs -j /dev/mapper/boot

    Reason:
    'man mke2fs' check that with -j option means: Create the filesystem with an ext3 journal.
    Command does not match the comment

    Resolve:
    Update scripts/encryptboot line 252 to "mke2fs -t ext2 /dev/mapper/boot"

3. After running ./lsvmprep successfully, before reboot check that can not find the key file /etc/lsvmload/rootkey and /etc/lsvmload/bootkey. Are the 2 key files needed and should be created by script?

    # cat /etc/crypttab
    luks-283e9244-1072-471d-938e-0f01b85ab88d UUID=283e9244-1072-471d-938e-0f01b85ab88d /etc/lsvmload/rootkey
    boot UUID=c47388aa-2328-4035-88de-135002aa2feb /etc/lsvmload/bootkey luks,discard

    # ls -al /etc/lsvmload/rootkey
    ls: cannot access /etc/lsvmload/rootkey: No such file or directory
    # ls -al /etc/lsvmload/bootkey
    ls: cannot access /etc/lsvmload/bootkey: No such file or directory


4. When running ./lsvmprep successfully, start the vm, after the grub menu get error logs, check the default loaded grub.cfg is /boot/efi/EFI/redhat/grub.cfg, should the default loaded grub.cfg file content as /boot/grub2/grub.cfg?

    error: failure reading sector 0x0 from `hd1`.
    error: failure reading sector 0x0 from `hd1`.   
    error: no such device: a4xxxxx.
    error: unknown filesystem.
    error: you need to load the kernel first.

Press any key to continue...

    Reason:
    Check the content is /boot/efi/EFI/redhat/grub.cfg, not expected /boot/grub2/grub.cfg

    2 ways to resolve:
        1) Update lsvmprep to create the new grub.cfg path to "/boot/efi/EFI/redhat/grub.cfg", and rerun ./lsvmprep

        620 ln -s /boot/grub2/grub.cfg /etc/grub2-efi.cfg
        624 local grubcfg=/boot/grub2/grub.cfg

        to
        620 ln -s /boot/efi/EFI/redhat/grub.cfg /etc/grub2-efi.cfg
        624 local grubcfg=/boot/efi/EFI/redhat/grub.cfg


        2) Or after running ./lsvmprep, before reboot, copy /boot/grub2/grub.cfg to /boot/efi/EFI/redhat/, then load the new config file

        # cp /boot/grub2/grub.cfg /boot/efi/EFI/redhat/grub.cfg.new
        # reboot

        Reboot, on the grub cmd line:
        > configfile (hd0,gpt1)/efi/redhat/grub.cfg.new


5. Start a new vm and run the updated scripts, then reboot, get error logs. Should these modules be included by grubx64.efi or other file?

    error: file 'EFI/redhat/x86_64-efi/cryptodisk.mod' not found
    error: file 'EFI/redhat/x86_64-efi/luks.mod' not found
    error: file 'EFI/redhat/x86_64-efi/gcry_rijndael.mod' not found
    error: file 'EFI/redhat/x86_64-efi/gcry_rijndael.mod' not found
    error: file 'EFI/redhat/x86_64-efi/gcry_sha256.mod' not found


    Resolve:
    before reboot, copy the required modules to /boot/efi/EFI/redhat/, then insmod them on the grub cmd line
    # yum install -y grub2-efi-x64-modules
    # cp /usr/lib/grub/x86_64-efi/{cryptodisk.mod,luks.mod,gcry_rijndael.mod,gcry_sha256.mod,procfs.mod} /boot/efi/EFI/redhat/
    # reboot
    > insmod xx.mod


6. Insmod the required modules on grub cmd line, and remove the search line, still get error logs on console:

    error: failure reading sector 0x0 from `hd1`.
    error: failure reading sector 0x0 from `hd1`.
    error: no such device: d0xx.
    error: no server is specified.
    error: you need to load the kernel first.
    Press any key to continue...

Thanks
hhei

Support for newer Linux distros?

For example Ubuntu 18.04

Binary release is unsigned

Even though in theory the prebuilt lsvmload "shim" available in Microsoft's Ubuntu 16.04 repositories should be identical to the binary release one, the binary release is unsigned. Which means it is not directly usable with Hyper-V and Shielded Open-Source VMs.

This repo is missing important files

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.