clevis luks bind “Unable to fetch advertisement”

Linux, , , ,

Recently looking into automating LUKS encryption processes, I stumbled upon the the following problem: clevis luks bind returns “Unable to fetch advertisement”.

The error message tells all and nothing. I found that with clevis’ tooling chain, it can be difficult to pinpoint problems easily. After some time I figured that the shell I ran this on had http_proxy environment variables set and therefore the curl-command used in the clevis tooling chain was fetching via the configured http proxy, which denied the connection with a 403 Forbidden error.

It was so unclear because clevis did not output any such error (inside the tooling chain it runs “curl -sfg” which silences all output).

Therefore make sure that the requests can succeed. Make sure that the environment the “clevus luks bind” command runs from does not have any unintended environment variables set, such as http_proxy or https_proxy.

Run “clevis luks bind” as late-command in subiquity/autoinstall

Linux, , ,

There are different approaches and methods for implementing file system encryption on Linux servers, sometimes depending on the file system itself. LUKS is independent of the file system, forming a layer on the block device but under the file system.

Manual encryption is the standard, where the initramfs launches a small program for passphrase entry. To automate the whole thing, you can utilize your machine’s TPM 2.0 module.

Within production environments it may be feasible to combine TPM 2.0 with Clevis/Tang as fallback, where, when the TPM 2.0 gets reset due to a firmware-upgrade or user fault, there is a still automated fallback. If that one fails, there will always be the manual passphrase entry, but only as a absolute last resort.

Within production environments it is also common to deploy nodes automatically. One could rely for example on the Subiquity installer with autoinstall. For this several files are required, including a user-data file which contains most of the required instructions and data for an automated install. To incorporate the automated LUKS unlock with TPM 2.0 and Clevis/Tang, a couple of commands must be run in the installation process. autoinstall is extremely picky when it comes to escaping, hence this post with a working solution:

  late-commands:
    - apt-get -y install clevis clevis-tpm2 clevis-luks clevis-udisks2 clevis-systemd clevis-initramfs
    - printf "supersecret" | clevis luks bind -y -k - -d /dev/sda3 sss '{"t":1,"pins":{"tpm2":{},"tang":{"url":"http://tang01.local"}}}'

These two late commands are formatted and tested in the autoinstall of Ubuntu 24.04.

ThinkBook G13/G13s G4 IAP and similar microphones not working recently

Nicht kategorisiert

I just experienced a strange behaviour with the named ThinkBook’s, that affects G13 G4 books and similar devices. After an upgrade of “Elevoc AudioProcessingObject” to (in my case) 4.0.5.199 via Windows Update, the microphone just stopped working.

After finding a thread on reddit about this, I installed the latest 5.0.5.238, which also did not work. Scrolling through the thread revealed that a user had this exact problem even with the latest 5.0.5.238 version. Installing 5.0.5.234 manually via device manager fixed the problem immediately, even without a restart.

https://catalog.update.microsoft.com/Search.aspx?q=Elevoc

Shows the available packages as .cab. They can be extracted manually and then installed via the device manager. Downgrade works by uninstalling or downgrading to a previous version, then rolling forward as much as needed.

Problems with Ubuntu 24.04 in VirtualBox 7.0.20 VM on a Windows 10 host

Linux,

I recently had the bright idea to upgrade to Ubuntu 24.04 inside my Ubuntu VM that is running with VirtualBox 7.0.20 on Windows 10.

As you propably guessed: Its a catastrophy.

Not only is there problems with the vmwgfx driver that comes with newer kernels but also Xorg fallback mode is not working anymore. There was regular stack traces at boot that could be to some part fixed by enabling hpet mode.

It also shows regular boot delays or fully gets stuck related to systemd-resolved, oomd or timesyncd.

At this point I would like to show you possibilities to prevent these problems, but I got no advice more than the things mentioned above and disabling 3D acceleration in the settings + using the VMSVGA graphics mode.

I have also tried the VirtualBox 7.1 Beta 1, with no improvements.

Running Dell C1660w/Xerox Phaser 6000B on Ubuntu 24.04

Linux, , , ,

No matter if you are a Windows-, Linux- or Mac-Person, the way some producers of peripheral devices such as printers, plotters, scanners, sensors, diagnostics tools handle their software support, frankly, sucks.

I want to try to supply you with some instructions on how to get a Dell C1660w, a Dell branded version of the Xerox Phaser 6000B, running on your latest Linux distro with a 100% satisfaction guarantee1.

Continue reading Running Dell C1660w/Xerox Phaser 6000B on Ubuntu 24.04

Fun with regex: We match the requirements for the HTTPS DNS record type defined by RFC 9460

Linux, PHP, , ,

To be able to fully read, understand and transfer RFCs into a standard-aligned application can be very difficult. You may become a lawyer as well.

We start off with section 2.1 of RFC 9460 which defines the following rules for us to apply:

  • the record data must be formatted as “SvcPriority TargetName SvcParams” where
    • SvcPriority is a number between 0 and 65535
    • TargetName is a domain-name, which is a combination of texts (labels) that can contain alphabetic characters, digits and hyphens, these labels can be up to 63 characters each and can be bonded together using dots up to a length of 255 characters
      • Note: The domain-name is not specified in RFC 9460, but already in RFC 1035
    • SvcParam is one or more of either only a key such as ‘mykey’ or a key-value pair such as ‘mykey=”myvalue”‘ where the quotation mark is mandatory
Continue reading Fun with regex: We match the requirements for the HTTPS DNS record type defined by RFC 9460