I have my root partition encrypted using LUKS and systemd-cryptenroll with a tpm key, but the key isn't released so I manually have to enter my recovery key each time. Any ideas?
I'll post logs later today (I don't have access to that laptop right now).
A summary of the setup:
Efi partition with UKI
LUKS partition mounted using systemd gpt partition automounting
PCR 7+8 checked before decryption
Sbctl used for secure boot
I've tried early loading the tpm kernel module (tpm_tis iirc) and I've had no success so far. Also tried re-enrolling decryption keys. All files in EFI partition are signed and there are no other boot issues, meaning it isn't an issue with secure boot most likely (and it's definitely not in secure boot setup mode, I've enrolled keys). Possibly an issue with sbctl?
Last edited by Retr0r0cket (2024-02-20 21:12:01)
Just to be sure, have you taken care of kernel parameters, or put the necessary line in /etc/crypttab.initramfs, as described here https://wiki.archlinux.org/title/Dm-cry … FIDO2_keys ?
And added sd-encrypt to your mkinitcpio hooks?
Added sd-encrypt, and I don't actually need any parameters due to systemd gpt partition automounting (so it knows which partition at a minimum). It has worked before so I don't know why this install it just refuses to work. It still unlocks when I provide a password, but not with the key sealed in the TPM.
Last edited by Retr0r0cket (2024-02-20 22:22:10)
Then you probably know more than me about this.
Anyway, my reading of the various relevant systemd-* manpages made me believe that you would need to tell it somewhere that you want to decrypt by using a TPM, whether that happens on the kernel command line or /etc/crypttab or so. So I don't know if and how it works together with gpt automounting.
Again, if you had it working with gpt automounting, you know more than me.
Again, if you had it working with gpt automounting, you know more than me.
Not enough to get systemd-cryptenroll to cooperate lol
Ok so I was able to take a look at the journal and I'm seeing two things:
1. "systemd-cryptsetup[249]: No valid TPM2 token data found."
2. While it knows there is a TPM2 key to unlock the volume, it fails to unseal due to the operation not being permitted (maybe some PCR thing?)
I've tried changing the PCRs I use so I'm quite confused and I know I have secure boot set up (I had to manually sign my entire ventoy usb). It also does this for every btrfs subvol I try to mount. Any ideas?
Tried a fresh install and can confirm for certain GPT partition automounting is not causing an issue.
Last edited by Retr0r0cket (2024-02-25 20:21:42)
Apparently resetting the TPM LUKS key worked even though it didn't beforehand. I still have this issue come up every once in a while though, which is odd, but at least it's solved-ish.
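An added example, not code from the thread: a small Python check over the LUKS2 JSON metadata that `cryptsetup luksDump --dump-json-metadata <device>` prints, reporting whether a `systemd-tpm2` token exists at all (the "No valid TPM2 token data found" case), whether the keyslot it is bound to still exists, and whether its enrolled PCR set matches the set the system is expected to measure (here 7+8). The sample metadata is constructed and shortened; only the field names follow the systemd token format.

```python
import json

# Constructed, shortened sample of `cryptsetup luksDump --dump-json-metadata`
# output: two keyslots, one TPM2 token bound to slot 1, one recovery token.
SAMPLE_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"],
              "tpm2-pcr-bank": "sha256", "tpm2-pcrs": [7, 8],
              "tpm2-blob": "AAAA", "tpm2-policy-hash": "00", "tpm2-pin": False},
        "1": {"type": "systemd-recovery", "keyslots": ["0"]},
    },
})


def tpm2_tokens(metadata_json):
    """Return every systemd-tpm2 token as a dict: id, bound keyslots, bank, PCRs, pin."""
    meta = json.loads(metadata_json)
    found = []
    for tid, tok in meta.get("tokens", {}).items():
        if tok.get("type") != "systemd-tpm2":
            continue
        found.append({
            "id": int(tid),
            "keyslots": [int(k) for k in tok.get("keyslots", [])],
            "bank": tok.get("tpm2-pcr-bank"),
            "pcrs": sorted(tok.get("tpm2-pcrs", [])),
            "pin": bool(tok.get("tpm2-pin", False)),
        })
    return found


def check_tokens(metadata_json, expected_pcrs):
    """Return a list of findings that would force a passphrase prompt; empty means consistent."""
    meta = json.loads(metadata_json)
    slots = {int(k) for k in meta.get("keyslots", {})}
    findings = []
    tokens = tpm2_tokens(metadata_json)
    if not tokens:
        findings.append("no systemd-tpm2 token: nothing was enrolled with --tpm2-device")
    for t in tokens:
        missing = [s for s in t["keyslots"] if s not in slots]
        if missing:
            findings.append(f"token {t['id']} references missing keyslot(s) {missing}")
        if t["pcrs"] != sorted(expected_pcrs):
            findings.append(f"token {t['id']} is sealed to PCRs {t['pcrs']}, expected {sorted(expected_pcrs)}")
    return findings
```

A PCR mismatch against the running firmware state does not show up in the metadata itself; this check only confirms that the enrolment on disk is the one you think it is before comparing against the live PCR values.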