fdesetup usingrecoverykey reports false after using PRK/IRK with fdesetup authrestart

Originator: owen.pragel
Number: rdar://28163245    Date Originated: 05-Sep-2016 01:06 PM
Status: Behaves correctly    Resolved: 20-Sep-2016
Product: OS X    Product Version: 10.11.6
Classification: Security    Reproducible: Always
 
Summary:
After using a machine's FileVault 2 PRK/IRK to reboot a machine with fdesetup authrestart, fdesetup usingrecoverykey reports false instead of true. We always want to rotate PRKs after they have been used, but if they're used with authrestart, usingrecoverykey will not indicate that.

Is this working as intended?

Steps to Reproduce:
$ sudo fdesetup usingrecoverykey
false
$ sudo fdesetup authrestart
Enter a password for '/', or the recovery key: <recovery-key>
[Restored Sep 5, 2016, 4:41:01 AM]
Last login: Mon Sep  5 04:41:05 on console
Restored session: Mon Sep 5 04:40:20 PDT 2016
$ sudo fdesetup usingrecoverykey
false

Expected Results:
$ sudo fdesetup authrestart
Enter a password for '/', or the recovery key: <recovery-key>
[Restored Sep 5, 2016, 4:41:01 AM]
Last login: Mon Sep  5 04:41:05 on console
Restored session: Mon Sep 5 04:40:20 PDT 2016
$ sudo fdesetup usingrecoverykey
true

Actual Results:
$ sudo fdesetup authrestart
Enter a password for '/', or the recovery key: <recovery-key>
[Restored Sep 5, 2016, 4:41:01 AM]
Last login: Mon Sep  5 04:41:05 on console
Restored session: Mon Sep 5 04:40:20 PDT 2016
$ sudo fdesetup usingrecoverykey
false

Version:
10.11.6, 10.10.5

Notes:


Configuration:
This occurs 100% of the time on all versions of OS X tested.

Attachments:

Comments

Closing this. fdesetup usingrecovery is working as intended; the issue is that we want to track all PRK/IRK usage.

"fdesetup authrestart is stashing a one-time unlock key in RAM or in the SMC. The unlock key is cleared by the reboot process, so the expected behavior would be that fdesetup usingrecovery would return as false."

By owen.pragel at Sept. 5, 2016, 8:17 p.m.
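Since usingrecoverykey stays false after an authrestart that was unlocked with the recovery key, the only way to drive PRK rotation after such a use is to record that use yourself. The script below is an added example (not the reporter's or Apple's code) of that out-of-band tracking; the marker file location and the PRK_USED_MARKER variable are assumptions, while fdesetup authrestart, usingrecoverykey and changerecovery -personal are the real subcommands.

```shell
#!/bin/sh
# Added example: track PRK/IRK use across fdesetup authrestart so the key
# can be rotated afterwards, even though usingrecoverykey reports false.
# The marker path is an assumption, not an Apple-defined location.
MARKER="${PRK_USED_MARKER:-/var/db/.prk_used_for_authrestart}"

# Wrapper to use instead of a bare `fdesetup authrestart` whenever the
# PRK/IRK (not a user password) will be typed at the prompt. It leaves a
# timestamped marker before handing off to fdesetup. Run as root on the Mac.
prk_authrestart() {
    date -u +%Y-%m-%dT%H:%M:%SZ > "$MARKER"
    sudo fdesetup authrestart
}

# Decide whether the PRK should be rotated. Arguments:
#   $1  output of `fdesetup usingrecoverykey` ("true" or "false")
#   $2  path of the marker file written by prk_authrestart
# Returns 0 (rotate) if either signal says the recovery key was used:
# usingrecoverykey covers a normal boot unlocked with the PRK, the marker
# covers the authrestart case that usingrecoverykey does not report.
needs_prk_rotation() {
    ukey="$1"; marker="$2"
    case "$ukey" in
        true) return 0 ;;
    esac
    [ -f "$marker" ] && return 0
    return 1
}

# Generate a new personal recovery key and clear the marker on success.
rotate_prk() {
    sudo fdesetup changerecovery -personal && rm -f "$MARKER"
}

# Check step, e.g. from a LaunchDaemon at boot: consult fdesetup and the
# marker, rotate when either says the PRK was used. If fdesetup is not
# reachable the output is "unknown", so only the marker can trigger rotation.
check_and_rotate() {
    out="$(sudo fdesetup usingrecoverykey 2>/dev/null || echo unknown)"
    if needs_prk_rotation "$out" "$MARKER"; then
        rotate_prk
    fi
}
```

A marker left behind by a failed authrestart simply causes one extra rotation, which is the safe direction to err in.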
