#1 2019-12-24 22:29:21

MxuZZt2FKrGxZbjD6MWgYd
Member
Registered: 2019-12-24
Posts: 3

[SOLVED] Binary added via custom initcpio hook not found

I've written a custom initcpio hook that should read a key file encrypted by my laptop's TPM, decrypt it via clevis, and pipe it into zfs load-key so ZFS can decrypt the root filesystem and continue with the booting process.

My custom hook /etc/initcpio/zfstpm is as follows

run_hook() {
	zpool import zroot
	clevis decrypt tpm2 {} < /zroot-enc.key.tpm2 | zfs load-key zroot/enc
}

And my install file /etc/initcpio/zfstpm

build() {
	add_module tpm
	add_binary clevis
	add_module zfs
	add_binary zfs
	add_binary zpool
	add_binary mount.zfs
	add_file /root/zroot-encfs.key.tpm2 /zroot-enc.key.tpm2

	add_runscript
}

But no matter how I try to run clevis in the hook, it keeps saying that it can't find clevis.
This is despite the fact that when I put some diagnostics in the hook, like so

run_hook() {
	zpool import zroot
	echo $PATH
	which clevis
	ls /sbin
	ls /usr/bin
	ls /bin
	clevis decrypt tpm2 {} < /zroot-enc.key.tpm2 | zfs load-key zroot/enc
}

I get /sbin/clevis for which clevis, and the ls /sbin very clearly shows that clevis is there.

/sbin and /usr/bin are symlinked to /usr/bin. I've tried running clevis via /sbin/clevis, /usr/bin/clevis, /bin/clevis, all to no avail.

I've also tried using lsinitcpio -a to look at the initramfs image, and it shows that I've added the clevis binary, and it exists under /usr/bin.

I cannot for the life of me figure out why it keeps saying the clevis binary does not exist, despite all the evidence to the contrary.

Any ideas?

Last edited by MxuZZt2FKrGxZbjD6MWgYd (2019-12-25 03:19:12)


#2 2019-12-25 00:11:41

frostschutz
Member
Registered: 2013-11-15
Posts: 1,647

Re: [SOLVED] Binary added via custom initcpio hook not found

Some binaries do have dependencies that 'add_binary' is unable to resolve for you.

'clevis' in particular seems to be a shell script (bash really) wrapper that calls other shell script wrappers that call other shell scripts and commands. add_binary does not know that so they will be missing.

$ cd /usr/bin
$ for f in clevis*; do echo add_binary "$f"; done
add_binary clevis
add_binary clevis-decrypt
add_binary clevis-decrypt-sss
add_binary clevis-decrypt-tang
add_binary clevis-decrypt-tpm2
add_binary clevis-encrypt-sss
add_binary clevis-encrypt-tang
add_binary clevis-encrypt-tpm2
add_binary clevis-luks-bind
add_binary clevis-luks-unbind
add_binary clevis-luks-unlock

And some of these still have other dependencies (like jose). I'm not sure how deep the rabbit hole goes here; good luck figuring it out ;-P

Oh, and for tpm2 decrypt it seems like you'll need /usr/bin/tpm* too.

In a shell script you can use `set -x` to enable debugging and get more info on where it fails. For other binaries you can use 'strace' to find out what's happening. Sometimes that shows you what it is looking for before failing.

Last edited by frostschutz (2019-12-25 00:16:40)

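The `set -x` approach frostschutz recommends produces a trace in which every program the wrapper scripts run appears as the first word of a `+` line. The script below is an added example (not code from the thread, from clevis or from mkinitcpio): it turns such a trace into the `add_binary` lines an install file needs, which is the part add_binary cannot do itself because it only follows ELF shared-library dependencies. The capture command in the header comment and the `sample_trace` data are assumptions; the trace is constructed to resemble what the tpm2 pin runs (the programs named in post #4), not recorded output.

```shell
#!/bin/sh
# Added example (not code from the thread, clevis or mkinitcpio): turn a `bash -x`
# trace of a shell-script wrapper into the add_binary lines an mkinitcpio install
# file needs. add_binary resolves ELF shared-library dependencies only; programs
# that a wrapper script calls are invisible to it, so they have to be listed by
# hand, and the xtrace output is the quickest way to find them.
#
# Capture on the real system (paths are assumptions):
#   bash -x /usr/bin/clevis decrypt < /root/zroot-enc.key.tpm2 2> /tmp/clevis.trace
#   trace_to_add_binary < /tmp/clevis.trace
# Functions defined inside the traced script show up as commands too; prune those
# from the output by hand.

# First words of xtrace lines that are shell builtins or keywords, not files on disk.
SKIP_WORDS=" [ '[' [[ (( . : break cd continue echo eval exit export false local printf read return set shift source test trap true unset "

trace_to_add_binary() {
    while IFS= read -r line; do
        case $line in
            +*) ;;                       # xtrace lines start with '+' (one per nesting level)
            *) continue ;;
        esac
        cmd=${line#"${line%%[!+]*}"}     # strip the leading run of '+'
        cmd=${cmd#"${cmd%%[! ]*}"}       # and the blank after it
        # Drop leading VAR=value assignments and exec/command prefixes to reach the
        # program actually run (assignment values containing spaces are not handled).
        while [ -n "$cmd" ]; do
            word=${cmd%% *}
            case $word in
                *=*|exec|command)
                    cmd=${cmd#"$word"}
                    cmd=${cmd#"${cmd%%[! ]*}"} ;;
                *) break ;;
            esac
        done
        word=${cmd%% *}
        [ -n "$word" ] || continue
        case " $SKIP_WORDS " in *" $word "*) continue ;; esac
        printf '%s\n' "${word##*/}"      # basename: add_binary looks it up in PATH
    done | LC_ALL=C sort -u | sed 's/^/add_binary /'
}

# Constructed trace (not captured output) modelled on a clevis tpm2 decrypt run.
sample_trace() {
    cat <<'EOF'
+ [[ decrypt == --summary ]]
+ '[' -t 0 ']'
+ read -r -d . hdr
++ jose b64 dec -i-
+ jhd='{"alg":"dir","clevis":{"pin":"tpm2"}}'
++ jose fmt -j- -Og clevis -g pin -Su-
+ pin=tpm2
+ exec clevis decrypt tpm2
+ TPM2TOOLS_TCTI=device:/dev/tpmrm0 tpm2_createprimary -Q -C o -g sha256 -G ecc -c primary.context
+ tpm2_load -Q -C primary.context -u obj.pub -r obj.priv -c load.context
+ tpm2_unseal -c load.context
+ /usr/bin/jose jwe dec -i- -k-
EOF
}

# Demo on the constructed trace: prints add_binary lines for clevis, jose and the
# three tpm2 tools, ready to paste into build().
sample_trace | trace_to_add_binary
```

Each script in the chain (clevis, clevis-decrypt, clevis-decrypt-tpm2) has to be traced or given its own `set -x`, because `bash -x` does not survive the `exec` into the next wrapper; the output still has to be checked against `command -v` on the build host, and any line naming a function of the script itself dropped.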

#3 2019-12-25 00:25:07

frostschutz
Member
Registered: 2013-11-15
Posts: 1,647

Re: [SOLVED] Binary added via custom initcpio hook not found

A random GitHub search gave https://github.com/homepods/TPM2-initcpio - quite a lot simpler, no idea if it's suitable.


#4 2019-12-25 03:18:28

MxuZZt2FKrGxZbjD6MWgYd
Member
Registered: 2019-12-24
Posts: 3

Re: [SOLVED] Binary added via custom initcpio hook not found

I got it working!

set -x was invaluable for determining which binaries I needed, thank you.

I also found https://github.com/electrickite/mkinitcpio-tpm2-encrypt to be quite helpful.

For anybody else who might be interested:

I needed to modify the hook file with

export TPM2TOOLS_TCTI="device:/dev/tpmrm0"

In the install file, I needed the modules

tpm_tis
tpm_crb

and the binaries

clevis
clevis-decrypt
jose
clevis-decrypt-tpm2
tpm2_createprimary
tpm2_unseal
tpm2_load
/usr/lib/libtss2-tcti-device.so.0 

Last edited by MxuZZt2FKrGxZbjD6MWgYd (2019-12-25 03:20:36)

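Post #4 lists what was needed but not the resulting files. Below is an added example, not the thread's own code: the install file and hook written out with that list, plus an `image_missing` check that compares `lsinitcpio -l` output against the list so a forgotten binary is caught before a reboot. The hook name, pool and dataset names, key path and module/binary list come from the thread; the file locations are mkinitcpio's standard ones (`/etc/initcpio/install/` and `/etc/initcpio/hooks/`); `image_missing`, `sample_listing` and the listing data are mine, and the listing is constructed, not real `lsinitcpio` output. Two details worth knowing: `add_binary` pulls in ELF shared-library dependencies only, so neither the programs the clevis shell wrappers exec nor `libtss2-tcti-device.so.0`, which tpm2-tools loads with dlopen() rather than linking against it, are found automatically; both must be listed.

```shell
#!/bin/sh
# Added example, not the thread's own files: the install file and hook that post #4
# arrives at, written out in full, plus a check that the generated image contains
# every file they depend on. Hook name (zfstpm), pool/dataset names, key path and
# the module/binary list come from the thread; file locations are mkinitcpio's.

# ---- /etc/initcpio/install/zfstpm -------------------------------------------
# add_binary only follows ELF shared-library links. It cannot see the programs
# that the clevis wrappers (shell scripts) exec, and it cannot see
# libtss2-tcti-device.so.0, which tpm2-tools loads with dlopen() when
# TPM2TOOLS_TCTI names the device TCTI. Both kinds of dependency are listed here.
ZFSTPM_MODULES='zfs tpm tpm_tis tpm_crb'
ZFSTPM_BINARIES='zfs zpool mount.zfs clevis clevis-decrypt clevis-decrypt-tpm2 jose tpm2_createprimary tpm2_load tpm2_unseal'
ZFSTPM_FILES='/usr/lib/libtss2-tcti-device.so.0'
ZFSTPM_KEY=/zroot-enc.key.tpm2     # location inside the initramfs

build() {
    for m in $ZFSTPM_MODULES;  do add_module "$m"; done
    for b in $ZFSTPM_BINARIES; do add_binary "$b"; done
    for f in $ZFSTPM_FILES;    do add_file "$f"; done
    add_file /root/zroot-enc.key.tpm2 "$ZFSTPM_KEY"   # TPM2-sealed JWE, not a plaintext key
    add_runscript
}

help() {
    cat <<'EOF'
Imports zroot and loads the key for zroot/enc from a clevis TPM2-sealed JWE
carried inside the initramfs.
EOF
}

# ---- /etc/initcpio/hooks/zfstpm (runs under the initramfs shell) -------------
run_hook() {
    # tpm2-tools must be told which TCTI to load; the kernel resource manager
    # device matches the library added above.
    export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
    zpool import zroot
    # clevis-decrypt reads the JWE from stdin and takes the pin from its header.
    clevis decrypt < /zroot-enc.key.tpm2 | zfs load-key zroot/enc
}

# ---- check the built image: lsinitcpio -l /boot/initramfs-linux.img | image_missing
# Prints each required binary, library or file whose basename is absent from the
# listing and returns 1; prints nothing and returns 0 when the image is complete.
image_missing() {
    found=' '
    while IFS= read -r path; do
        found="$found${path##*/} "
    done
    rc=0
    for want in $ZFSTPM_BINARIES $ZFSTPM_FILES $ZFSTPM_KEY; do
        case $found in
            *" ${want##*/} "*) ;;
            *) printf '%s\n' "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed listing (not real lsinitcpio output) in which jose was forgotten.
sample_listing() {
    cat <<'EOF'
.
usr/bin
usr/bin/zfs
usr/bin/zpool
usr/bin/mount.zfs
usr/bin/clevis
usr/bin/clevis-decrypt
usr/bin/clevis-decrypt-tpm2
usr/bin/tpm2_createprimary
usr/bin/tpm2_load
usr/bin/tpm2_unseal
usr/lib/libtss2-tcti-device.so.0
zroot-enc.key.tpm2
EOF
}

# Demo: reports "jose" as missing and returns 1.
sample_listing | image_missing || echo "image incomplete"
```

Run the check after every `mkinitcpio -P`, and re-run it after package upgrades of clevis, jose or tpm2-tools, since a new wrapper version can start calling a program the list does not yet contain. One caveat the thread does not touch: what the sealed key is bound to is fixed at encryption time. A JWE produced with `clevis encrypt tpm2 '{}'` (no `pcr_ids`) is bound to this TPM but not to the measured boot state, so anyone who can boot the machine with their own kernel and initramfs can ask the TPM to unseal it; the thread does not show the encryption command, so whether that applies here is unknown.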
