Hello, I have set up a BTRFS root partition with LUKS and enrolled the TPM2 keys via systemd-cryptenroll following this https://wiki.archlinux.org/title/dm-cry … ecure_Boot, which initially works but after a few reboots refuses to work, i.e. it starts asking for a password again.
Here are the enrolled slots for my root partition:
SLOT TYPE
0 password
1 recovery
2 tpm2
I can fix this issue by removing slots 1 and 2 and then re-enrolling TPM2, which subsequently breaks again after a few reboots. I tried early-loading the tpm_crb module, which is used by my TPM module, but since that's built in I can't early-load it either.
Here are my mkinitcpio hooks:
HOOKS=(base systemd plymouth udev autodetect microcode modconf kms keyboard keymap consolefont block sd-vconsole sd-encrypt openswap resume filesystems fsck)
I am generating a UKI for Secure Boot purposes as well.
Last edited by crackedpotato (2024-04-11 09:10:24)
What is openswap? That's not a standard hook.
Besides, you don't need the udev hook if you have systemd in there.
Last edited by swsnr (2024-04-11 09:24:10)
> What is openswap? That's not a standard hook.
> Besides, you don't need the udev hook if you have systemd in there.
Removed the udev hook. openswap is a custom hook I wrote to decrypt my swap partition, from here https://wiki.archlinux.org/title/Dm-cry … encryption
What does this hook look like precisely? Does it call cryptsetup on its own?
> What does this hook look like precisely? Does it call cryptsetup on its own?
Yes it does. Sorry, but I don't get how that could be an issue, since the password prompt says "cryptroot".
I don't know either, and can't say, since you've not shown it yet.
But it's the one nonstandard thing in your initramfs, and it just so happens to also interact with cryptsetup. And presumably it does so in a traditional runtime hook, and not as a systemd unit, so it's a prime contender for a race condition.
You can try running your initramfs with debug logging enabled, or try without your custom hook for a while and see if it fixes things.
Last edited by swsnr (2024-04-11 10:46:59)
> I don't know either, and can't say, since you've not shown it yet.
> But it's the one nonstandard thing in your initramfs, and it just so happens to also interact with cryptsetup. And presumably it does so in a traditional runtime hook, and not as a systemd unit, so it's a prime contender for a race condition.
> You can try running your initramfs with debug logging enabled, or try without your custom hook for a while and see if it fixes things.
> You can try running your initramfs with debug logging enabled
How would this be done?
> or try without your custom hook for a while and see if it fixes things.
Tried; it doesn't.
I found this in my dmesg:
systemd-tpm2-setup-early.service: Failed to load configuration: No such file or directory
Not related; re-enrolling the TPM key and getting decryption working shows the same thing in dmesg.
To enable debug logging use the corresponding systemd kernel parameters, see wiki or systemd documentation.
How do you enroll the TPM keys? Specifically, what PCRs do you bind the key to?
> To enable debug logging use the corresponding systemd kernel parameters, see wiki or systemd documentation.
> How do you enroll the TPM keys? Specifically, what PCRs do you bind the key to?
Default PCRs, so it should be 7; enrolled via systemd-cryptenroll, following this https://wiki.archlinux.org/title/systemd-cryptenroll.
I have set the kernel `debug` parameter.
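The question above is which PCRs the key is bound to; a TPM2 slot that is bound to PCR 7 stops unsealing as soon as PCR 7 no longer matches the value it had at enrollment, and systemd-cryptsetup then falls back to the passphrase prompt. The script below is an added example (not code from this thread or from systemd) that snapshots the PCRs a LUKS2 systemd-tpm2 token is bound to right after enrollment and diffs them on a later boot, so a PCR change can be confirmed or ruled out instead of re-enrolling blind. It assumes the kernel exports PCR values at /sys/class/tpm/tpm0/pcr-sha256/<n>, that `cryptsetup luksDump` prints the token's PCR list on a `tpm2-pcrs:` or `tpm2-hash-pcrs:` line, and that the LUKS device is /dev/nvme0n1p2; the sample dump inside is constructed for the self-test.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from systemd.
# Snapshot the PCR values a LUKS2 systemd-tpm2 token is bound to at enrollment
# time and compare them on a later boot. A bound PCR whose value differs from
# the enrollment-time value cannot satisfy the sealing policy, so the slot
# silently stops unlocking and the passphrase prompt returns.
# Assumptions (not from the thread): sysfs PCR export at
# /sys/class/tpm/tpm0/pcr-sha256/<n>, cryptsetup printing a "tpm2-pcrs:" or
# "tpm2-hash-pcrs:" line for the token, and the LUKS device /dev/nvme0n1p2.
set -eu

PCR_SYSFS_DEFAULT=/sys/class/tpm/tpm0/pcr-sha256

# Extract the PCR indexes a systemd-tpm2 token is bound to from `cryptsetup luksDump`
# text passed as $1. Prints them space separated (e.g. "7" or "0 7"), one line per token.
tpm2_pcrs_from_dump() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*tpm2-(hash-)?pcrs:/ {
            sub(/^[[:space:]]*tpm2-(hash-)?pcrs:[[:space:]]*/, "")
            gsub(/[+,]/, " ")
            sub(/[[:space:]]+$/, "")
            print
        }'
}

# Read the current SHA-256 value of PCR $1 from sysfs ($2 overrides the base directory,
# which the self-test uses to point at constructed files instead of a real TPM).
read_pcr() {
    tr -d '\n' < "${2:-$PCR_SYSFS_DEFAULT}/$1"
}

# Print "index=value" lines for every PCR index in $1 (space separated).
snapshot_pcrs() {
    for idx in $1; do
        printf '%s=%s\n' "$idx" "$(read_pcr "$idx" "${2:-}")"
    done
}

# Compare a snapshot file ($1) against the live PCRs. Prints every PCR that
# changed and returns 1 if any did, 0 if the binding is still satisfiable.
check_drift() {
    rc=0
    while IFS='=' read -r idx old; do
        now=$(read_pcr "$idx" "${2:-}")
        if [ "$now" != "$old" ]; then
            printf 'PCR %s changed since enrollment: %s -> %s\n' "$idx" "$old" "$now"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed sample of the token section of `cryptsetup luksDump`; the real
# output also carries the sealed blob and policy hash, which are not needed here.
SAMPLE_DUMP='Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        Keyslot:  2'

# Usage (as root): "script snapshot" right after systemd-cryptenroll succeeded,
# "script check" from the booted system after the passphrase prompt came back.
case "${1:-}" in
    snapshot)
        pcrs=$(tpm2_pcrs_from_dump "$(cryptsetup luksDump /dev/nvme0n1p2)")
        snapshot_pcrs "$pcrs" > /var/lib/pcr-enrollment.snapshot
        ;;
    check)
        check_drift /var/lib/pcr-enrollment.snapshot
        ;;
esac
```

If `check` reports PCR 7 as changed, the prompt is explained by the sealing policy, not by the other keyslots; a firmware update or a change to the Secure Boot variables or the signed boot chain lands in PCR 7. The slot then has to be re-enrolled against the new value (`systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto <device>` re-enrolls in one step). If nothing drifted, the TPM policy is still satisfiable and the failure lies elsewhere in the initramfs unlock path, which is what the debug boot log would need to show.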
So what does the journal show in early boot when it fails to unlock?
> So what does the journal show in early boot when it fails to unlock?
I'll get back to you. I re-enrolled the key, so it's working for now, but it *should* break soon.
Could it be due to me not wiping my password slot? The guide uses an empty encryption password and wipes the slot, but since I type a password in, it didn't wipe it for me. I could manually wipe it, but could that be it?
I've used TPM2 slots in combination with other slot types (recovery keys and passphrases) in the past, and I'm pretty sure you don't need to wipe the passphrase slot.
> I've used TPM2 slots in combination with other slot types (recovery keys and passphrases) in the past, and I'm pretty sure you don't need to wipe the passphrase slot.
Huh, that's weird. So I am in contact with another person with a similar setup, and apparently they don't get the same thing in dmesg. Do note that I do have that service and it's running.