FS#70285 - [cryptsetup] Unlocking LUKS2 volume with TPM2 in initramfs needs tpm kernel module

Attached to Project: Arch Linux
Opened by Bálint Bokros (daboka) - Sunday, 04 April 2021, 15:27 GMT
Last edited by Christian Hesse (eworm) - Tuesday, 06 April 2021, 19:46 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
Architecture x86_64
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Using the TPM2 unlocking support added in systemd 248[1], it is possible to unlock the root volume in initramfs using mkinitcpio and the sd-encrypt hook by adding `rd.luks.options=<UUID>=tpm2-device=auto` to the kernel cmdline (or having equivalent configuration in /etc/crypttab.initramfs). However, this configuration itself is not enough, as the kernel modules needed to communicate with the TPM2 chip are missing from the initramfs. This can be worked around by adding the necessary kernel module(s) to the MODULES array in /etc/mkinitcpio.conf. Please consider adding these module(s) automatically in the sd-encrypt hook.

Concrete example:
On my machine, `systemd-cryptenroll --tpm2-device=list` outputs the following:

PATH DEVICE DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_crb

and adding tpm_crb to the MODULES array was sufficient. Not sure whether the similar tpm_{atmel,infineon,nsc,tis} modules listed here[2] would work in the same manner.

Additional info:
* package version(s)

cryptsetup 2.3.5-1
systemd 248-2
mkinitcpio 30-1

* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:
* configure initramfs to unlock a LUKS2 volume using TPM2
* fail during boot

[1]: http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
[2]: https://wiki.archlinux.org/index.php/Trusted_Platform_Module#Drivers

Closed by Christian Hesse (eworm)
Tuesday, 06 April 2021, 19:46 GMT
Reason for closing: Fixed
Additional comments about closing: cryptsetup 2.3.5-4
Comment by Christian Hesse (eworm) - Monday, 05 April 2021, 23:13 GMT
Looks like we need either of these two lines in sd-encrypt:

add_checked_modules "/drivers/char/tpm/"
add_all_modules "/drivers/char/tpm/"

Can you check if first line is sufficient and list what modules are added?
Comment by Christian Hesse (eworm) - Monday, 05 April 2021, 23:21 GMT
This /should/ be fixed with cryptsetup 2.3.5-4, please verify.
Comment by Bálint Bokros (daboka) - Tuesday, 06 April 2021, 19:21 GMT
Hello,

Thanks for the quick response!

With cryptsetup 2.3.5-2 and tpm_crb added to the MODULES array, the output of `lsinitcpio /boot/initramfs-linux.img | grep tpm` is

usr/lib/libtss2-tcti-swtpm.so
usr/lib/libtss2-tcti-swtpm.so.0
usr/lib/libtss2-tcti-swtpm.so.0.0.0
usr/lib/modules/5.11.11-arch1-1/kernel/asym_tpm.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_crb.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_key_parser.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm.ko

With cryptsetup 2.3.5-4 and no tpm_crb in the MODULES array, the output of `lsinitcpio /boot/initramfs-linux.img | grep tpm` is

usr/lib/libtss2-tcti-swtpm.so
usr/lib/libtss2-tcti-swtpm.so.0
usr/lib/libtss2-tcti-swtpm.so.0.0.0
usr/lib/modules/5.11.11-arch1-1/kernel/asym_tpm.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_crb.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_key_parser.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_tis_core.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_tis.ko

The two additional modules, tpm_tis and tpm_tis_core, are loaded on my system anyway; the `mkinitcpio -M` output contains tpm_tis as well.

The initramfs created with cryptsetup 2.3.5-4 and no tpm_crb in the MODULES array boots properly, so I can confirm that the change is sufficient for my setup. I believe it should work for users with different TPM2 chips as well.
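A pre-reboot check for the situation in this report, added here as an example that is not part of the bug report, of mkinitcpio or of cryptsetup: it reads the DRIVER column of the `systemd-cryptenroll --tpm2-device=list` table and the `lsinitcpio` listing (both embedded as constructed samples taken from the output quoted above) and fails if `tpm.ko` or the reported driver module is missing from the initramfs.

```shell
#!/bin/sh
# Added example: verify that an initramfs listing contains tpm.ko plus the
# driver module systemd-cryptenroll reports for the chip, so a missing
# module is noticed before rebooting into a failed TPM2 unlock.

# Constructed sample: the PATH/DEVICE/DRIVER table as printed in the report.
SAMPLE_ENROLL_LIST='PATH DEVICE DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_crb'

# Constructed sample: lsinitcpio lines after the fix (cryptsetup 2.3.5-4).
SAMPLE_INITRAMFS_GOOD='usr/lib/modules/5.11.11-arch1-1/kernel/tpm_crb.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_tis.ko'

# Constructed sample: an initramfs built without the chip's driver.
SAMPLE_INITRAMFS_BAD='usr/lib/modules/5.11.11-arch1-1/kernel/tpm.ko'

# tpm_drivers TABLE: print the DRIVER column, one name per line, skipping
# the header row.
tpm_drivers() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 3 { print $3 }'
}

# has_module LISTING NAME: succeed if NAME.ko (plain or compressed) is listed.
has_module() {
    printf '%s\n' "$1" | grep -Eq "/${2}\.ko(\.(gz|xz|zst))?$"
}

# check_initramfs_tpm LISTING TABLE: succeed only if tpm.ko and every
# reported driver module are present; name each missing module on stderr.
check_initramfs_tpm() {
    listing=$1
    missing=0
    for mod in tpm $(tpm_drivers "$2"); do
        if ! has_module "$listing" "$mod"; then
            echo "missing from initramfs: ${mod}.ko" >&2
            missing=1
        fi
    done
    return $missing
}

# On a live system the two arguments would be
#   "$(lsinitcpio /boot/initramfs-linux.img)" \
#   "$(systemd-cryptenroll --tpm2-device=list)"
```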
Comment by Christian Hesse (eworm) - Tuesday, 06 April 2021, 19:46 GMT
Thanks for testing!
