Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#70285 - [cryptsetup] Unlocking LUKS2 volume with TPM2 in initramfs needs tpm kernel module
Attached to Project:
Arch Linux
Opened by Bálint Bokros (daboka) - Sunday, 04 April 2021, 15:27 GMT
Last edited by Christian Hesse (eworm) - Tuesday, 06 April 2021, 19:46 GMT
Details
Description:
Using the TPM2 unlocking support added in systemd 248 [1], it is possible to unlock the root volume in initramfs using mkinitcpio and the sd-encrypt hook by adding `rd.luks.options=<UUID>=tpm2-device=auto` to the kernel cmdline (or having equivalent configuration in /etc/crypttab.initramfs). However, this configuration itself is not enough, as the kernel modules needed to communicate with the TPM2 chip are missing from the initramfs. This can be worked around by adding the necessary kernel module(s) to the MODULES array in /etc/mkinitcpio.conf. Please consider adding these module(s) automatically in the sd-encrypt hook.

Concrete example: On my machine, `systemd-cryptenroll --tpm2-device=list` outputs the following:

PATH         DEVICE       DRIVER
/dev/tpmrm0  MSFT0101:00  tpm_crb

and adding tpm_crb to the MODULES array was sufficient. Not sure if the similar tpm_{atmel,infineon,nsc,tis} ones listed here [2] would work in the same manner.

Additional info:
* package version(s): cryptsetup 2.3.5-1, systemd 248-2, mkinitcpio 30-1
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:
* configure initramfs to unlock a LUKS2 volume using TPM2
* fail during boot

[1]: http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
[2]: https://wiki.archlinux.org/index.php/Trusted_Platform_Module#Drivers
Closed by Christian Hesse (eworm)
Tuesday, 06 April 2021, 19:46 GMT
Reason for closing: Fixed
Additional comments about closing: cryptsetup 2.3.5-4
add_checked_modules "/drivers/char/tpm/"
add_all_modules "/drivers/char/tpm/"
Can you check if the first line is sufficient and list what modules are added?
Thanks for the quick response!
With cryptsetup 2.3.5-2 and tpm_crb added to the MODULES array, the output of `lsinitcpio /boot/initramfs-linux.img | grep tpm` is
usr/lib/libtss2-tcti-swtpm.so
usr/lib/libtss2-tcti-swtpm.so.0
usr/lib/libtss2-tcti-swtpm.so.0.0.0
usr/lib/modules/5.11.11-arch1-1/kernel/asym_tpm.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_crb.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_key_parser.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm.ko
With cryptsetup 2.3.5-4 and no tpm_crb in the MODULES array, the output of `lsinitcpio /boot/initramfs-linux.img | grep tpm` is
usr/lib/libtss2-tcti-swtpm.so
usr/lib/libtss2-tcti-swtpm.so.0
usr/lib/libtss2-tcti-swtpm.so.0.0.0
usr/lib/modules/5.11.11-arch1-1/kernel/asym_tpm.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_crb.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_key_parser.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_tis_core.ko
usr/lib/modules/5.11.11-arch1-1/kernel/tpm_tis.ko
The two additional modules, tpm_tis and tpm_tis_core, are loaded on my system anyway; `mkinitcpio -M` output contains tpm_tis as well.
The initramfs created with cryptsetup 2.3.5-4 and no tpm_crb in the MODULES array boots properly, so I can confirm that the change is sufficient for my setup, I believe it should work for users with different TPM2 chips as well.