#1 2023-09-04 13:12:29

7thCore
Member
Registered: 2018-06-09
Posts: 65

Setup clevis with tang on systemd based initramfs

I've been trying to get clevis working with a server, so when the server reboots or boots up and it detects the tang server on my network it auto unlocks all the encrypted drives. The luks encrypted drives are set in the systemd-boot entry under options. I've been unlocking them at boot like this for a few years now:

title Arch Linux
sort-key archlinux-10
linux /installs/active/arch/vmlinuz-linux
initrd /installs/active/arch/amd-ucode.img
initrd /installs/active/arch/initramfs-linux.img
options luks.name=61946056-0cb4-443a-a055-1b38dffecf5a=crypt_luks0 luks.name=8a9c2304-75a7-48d5-a7bf-c8b6e06a66cb=crypt_luks1 luks.name=fd9a7d64-58c2-41f5-a745-239257495177=crypt_luks2 root=UUID=95ed4d5b-e51d-46ad-b505-c9587446244e rootflags=subvol=_active/root-arch resume=UUID=9a7fa996-cfb6-4789-b3d3-ae0d602cdf05 rw

The tang server is currently on a temporary raspberry pi and I have bound clevis to the drives with the following command:

clevis luks bind -d /dev/sda2 tang '{"url": "http://ip-of-tang-server"}'

I've been following this guide but I found out that this solution sadly doesn't work with systemd based initramfs.

I'm using mkinitcpio-systemd-extras to get systemd-networkd working in early boot with the same static IP the system has when it's running normally. My current mkinitcpio hooks are as follows:

HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-network clevis sd-encrypt lvm2 resume btrfs filesystems fsck)

I've also tried with mkinitcpio-netconf and mkinitcpio-nfs-utils to get the net hook working but I had no success.

Any advice on what to try next? Is there any clevis hook for systemd based initramfs available anywhere? Or am I missing something?

Any help is appreciated.

Last edited by 7thCore (2023-09-04 14:05:36)


[ Arch x86_64 | linux | Asus Prime X570-Pro | AMD Ryzen 9 5900X @4,8Ghz | AMD RX580 | 32GB RAM DDR4 | Main, 2 Monitors ]
[ Arch x86_64 | linux | Asus Pro WS X570-Ace | AMD Ryzen 9 5950X @4,9Ghz | Intel A750 | 128GB RAM DDR4 | Server ]

The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it.


#2 2024-03-04 11:06:44

AlphaJack
Member
Registered: 2019-05-23
Posts: 8

Re: Setup clevis with tang on systemd based initramfs

Hi, were you able to fix this? I would like to replicate this setup for my server


#3 2024-03-05 09:31:15

7thCore
Member
Registered: 2018-06-09
Posts: 65

Re: Setup clevis with tang on systemd based initramfs

Sadly no. I gave up trying. I poke around every now and then tho. But I still haven't found anything.


#4 2024-04-08 16:49:58

tobiasquinn
Member
Registered: 2010-12-26
Posts: 12

Re: Setup clevis with tang on systemd based initramfs

I actually found a way of getting this to work with a tang server running in podman on a rpi, using a direct ethernet cable connection and static IPs (but it should work with other ethernet connection types).

For reference, below the tang server is 172.16.0.101 and the desktop to boot is at 172.16.0.100.

My setup is to have the rpi at a static IP address and port, e.g.

http://172.16.0.101:8080

I generated the tang cryptsetup binding for luks in the usual way:

clevis luks bind -d /dev/nvme0n1p2 tang '{"url":"http://172.16.0.101:8080"}'

I installed the mkinitcpio-clevis-hook which while it says that it is for tpm2 unlocking will also work for tang unlocking.

For the /etc/mkinitcpio.conf setup I included the module my ethernet card uses in the MODULES list.

I also added

/usr/bin/curl

to the BINARIES section for the clevis/tang unlocking.

To actually set up the network I made a custom hook (my ethernet card at boot appears as eth0 but is enp11s0 once booted):

/etc/initcpio/hooks/tangnetwork

#!/usr/bin/ash
# Runtime hook: bring up the NIC with the static address the tang server
# expects, so the clevis hook that runs next can reach it over HTTP.
run_hook() {
    ip link set dev eth0 up
    ip addr add 172.16.0.100/24 dev eth0
}

/etc/initcpio/install/tangnetwork

#!/bin/bash
# Install hook: copies the runtime script above into the initramfs.
# The ip binary itself is pulled in by the hooks that already need it.
build() {
    add_runscript
}
help() {
    cat <<HELPEOF
This hook sets up ethernet with a static IP to reach the tang server.
HELPEOF
}

My complete HOOKS= line looks like this:

HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block tangnetwork clevis encrypt filesystems resume fsck)

With this setup, when the server is present the system boots without needing a passphrase; when the server is not present it times out and asks for a passphrase.
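The ordering of the HOOKS line is what makes this work: the network hook must run before clevis (so curl has an interface), clevis must run before the encrypt hook (so the LUKS device can be opened with the tang-derived key), and, as the thread reports, the clevis hook does not work with the systemd flavour of the initramfs. The following is an added example, not code from the thread or from mkinitcpio-clevis-hook: a small POSIX shell checker that reads a HOOKS line and reports those three problems. It assumes the network hook is named net, sd-network or tangnetwork (the custom name used in this post) and the unlocking hook is named encrypt or sd-encrypt; the incompatibility with the systemd hook is taken from this thread, not verified independently.

```shell
#!/bin/sh
# Added example: sanity-check a mkinitcpio HOOKS line for a clevis+tang setup.
# Checks performed:
#   1. a network hook (net, sd-network or the custom tangnetwork) precedes clevis;
#   2. clevis precedes the unlocking hook (encrypt or sd-encrypt);
#   3. the systemd hook is absent, since the thread reports the clevis hook
#      does not work with a systemd-based initramfs.
# Prints one line per problem; returns 0 only when no problem was found.

# index_of NAME HOOK... : print the 1-based position of NAME, or 0 if absent.
index_of() {
    name=$1; shift
    i=0
    for h in "$@"; do
        i=$((i + 1))
        [ "$h" = "$name" ] && { echo "$i"; return; }
    done
    echo 0
}

# check_hooks "HOOKS=(base udev ... tangnetwork clevis encrypt ...)"
check_hooks() {
    # Strip the HOOKS=( ... ) wrapper so the names can be split on whitespace.
    hooks=$(printf '%s' "$1" | sed -e 's/^[[:space:]]*HOOKS=(//' -e 's/)[[:space:]]*$//')
    # shellcheck disable=SC2086
    set -- $hooks

    # Earliest network hook among the names assumed above (0 = none present).
    net_idx=0
    for cand in net sd-network tangnetwork; do
        idx=$(index_of "$cand" "$@")
        if [ "$idx" -ne 0 ] && { [ "$net_idx" -eq 0 ] || [ "$idx" -lt "$net_idx" ]; }; then
            net_idx=$idx
        fi
    done
    clevis_idx=$(index_of clevis "$@")
    enc_idx=$(index_of encrypt "$@")
    [ "$enc_idx" -eq 0 ] && enc_idx=$(index_of sd-encrypt "$@")
    systemd_idx=$(index_of systemd "$@")

    problems=0
    if [ "$clevis_idx" -eq 0 ]; then
        echo "no clevis hook: the drives will always prompt for a passphrase"
        problems=$((problems + 1))
    fi
    if [ "$net_idx" -eq 0 ]; then
        echo "no network hook: clevis cannot reach the tang server"
        problems=$((problems + 1))
    elif [ "$clevis_idx" -ne 0 ] && [ "$net_idx" -gt "$clevis_idx" ]; then
        echo "network hook runs after clevis: move it before clevis"
        problems=$((problems + 1))
    fi
    if [ "$enc_idx" -eq 0 ]; then
        echo "no encrypt/sd-encrypt hook: nothing will open the LUKS devices"
        problems=$((problems + 1))
    elif [ "$clevis_idx" -ne 0 ] && [ "$clevis_idx" -gt "$enc_idx" ]; then
        echo "clevis runs after the encrypt hook: move it before encrypt"
        problems=$((problems + 1))
    fi
    if [ "$systemd_idx" -ne 0 ] && [ "$clevis_idx" -ne 0 ]; then
        echo "systemd hook present: the clevis hook is reported not to work with a systemd initramfs"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Demonstration on the two HOOKS lines quoted in this thread.
check_hooks "HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block tangnetwork clevis encrypt filesystems resume fsck)" && echo "udev-based line: OK"
check_hooks "HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-network clevis sd-encrypt lvm2 resume btrfs filesystems fsck)" || echo "systemd-based line: problems found"
```

Run against the first post's HOOKS line it reports only the systemd problem, which matches what the thread found; against the line in this post it reports nothing. A misordered line fails quietly at boot (the passphrase prompt simply appears), so checking the ordering before regenerating the initramfs saves a reboot cycle.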


#5 Today 12:00:56

JaimydeBree
Member
Registered: Today
Posts: 1

Re: Setup clevis with tang on systemd based initramfs

You can also use the "net" hook before Clevis with DHCP and DNS if you add the following to the file '/usr/lib/initcpio/hooks/net':

        # write the DHCP-provided DNS servers so curl can resolve the tang host
        echo nameserver "$IPV4DNS0" > /etc/resolv.conf
        echo nameserver "$IPV4DNS1" >> /etc/resolv.conf

after line 35; this way curl can resolve a DNS name and connect to the Tang server.

Also, you can add the following to the end of the file:

# Runs after the root filesystem is mounted: drop the early-boot address
# and take the interfaces down so the real network stack starts clean.
run_cleanuphook ()
{
    /sbin/ip addr flush dev eth0
    /sbin/ip link set down eth0
    /sbin/ip link set down lo
}

This will reset the network interface before continuing to boot; otherwise the interface will appear in NetworkManager.
