#1 2021-04-04 19:07:25

torrenator
Member
Registered: 2020-11-08
Posts: 8

systemd 248: Unlocking LUKS root partition with TPM2 systemd-cryptenroll

This is almost similar to the post in https://bbs.archlinux.org/viewtopic.php?id=265134 but this is regarding TPM2.

So I have managed to successfully use TPM2 with a second LUKS partition. But I also want to be able to unlock my root partition with the same method.
What I have done so far is the following:

systemd-cryptenroll /dev/nvme0n1p2 --tpm2-device=auto --tpm2-pcrs=7

And then created a /etc/crypttab.initramfs according to the post and the mkinitcpio -H sd-encrypt command, with the following contents:

cryptroot /dev/nvme0n1p2 - tpm2-device=auto

My mkinitcpio.conf is as follows. Notice that I have tried to do something with the binaries and files.

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(piix ide_disk reiserfs)
MODULES=()

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=(/usr/lib/libtss2-tcti-swtpm.so)

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=(/etc/crypttab.initramfs)

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect block filesystems)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev block filesystems)
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS=(base udev block mdadm encrypt filesystems)
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS=(base udev block lvm2 filesystems)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS=(base systemd udev autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems keyboard fsck)

# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="zstd"
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

And my systemd-boot entry looks like this:

title	Arch Linux
linux	/vmlinuz-linux
initrd	/intel-ucode.img
initrd	/initramfs-linux.img
options	rd.luks.name=805fd5b0-d230-4c15-8fd8-88c651ccd12f=cryptroot rd.luks.options=tpm2-device=auto root=/dev/mapper/cryptroot rw

So with this configuration, when I boot into the entry it gets stuck at waiting for cryptsetup to do its business.

#2 2021-04-04 19:18:35

jonathon
Member
Registered: 2016-09-19
Posts: 128

Re: systemd 248: Unlocking LUKS root partition with TPM2 systemd-cryptenroll

Looks like this: https://bugs.archlinux.org/task/70285

daboka wrote:

On my machine, `systemd-cryptenroll --tpm2-device=list` outputs the following:

PATH DEVICE DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_crb

and adding tpm_crb to MODULES array was sufficient. Not sure if the similar tpm_{atmel,infineon,nsc,tis} ones listed here[2] would work in the same manner.

#3 2021-04-04 21:32:09

torrenator
Member
Registered: 2020-11-08
Posts: 8

Re: systemd 248: Unlocking LUKS root partition with TPM2 systemd-cryptenroll

Running the command shows I should add tpm_tis as a module. However, it does not seem to have any positive result for me. When booting, I get the question to insert a password, which is different.

#4 2021-04-04 22:03:23

anatolik
Developer
Registered: 2012-09-27
Posts: 458

Re: systemd 248: Unlocking LUKS root partition with TPM2 systemd-cryptenroll

Not answering your question directly, but you can achieve the same type of encryption model with booster + clevis with tpm2 binding: https://wiki.archlinux.org/index.php/Booster

Booster decrypts the root partition only though.


Read it before posting http://www.catb.org/esr/faqs/smart-questions.html
Ruby gems repository done right https://bbs.archlinux.org/viewtopic.php?id=182729
Fast initramfs generator with security in mind https://wiki.archlinux.org/index.php/Booster

#5 2021-04-13 08:38:47

Han Vinke
Member
Registered: 2017-02-18
Posts: 20

Re: systemd 248: Unlocking LUKS root partition with TPM2 systemd-cryptenroll

@torrenator
Firstly I would check your mkinitcpio hooks. What is udev doing there? Something went wrong copying?
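As an added example (not code from the thread), a small POSIX shell linter for the two points raised in posts #1, #2 and #5: the TPM driver reported by systemd-cryptenroll --tpm2-device=list missing from MODULES, and the legacy udev hook (plus the duplicated keyboard hook) sitting next to the systemd hook. The sample list output and config fragments are constructed, and all function names are this example's own.

```shell
# Added example (not from the thread): lint a mkinitcpio.conf against the
# pitfalls raised here, on constructed input so it runs offline.

# Constructed sample in the layout systemd-cryptenroll --tpm2-device=list prints.
TPM_LIST='PATH        DEVICE      DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_crb'

# Constructed fragments: the first mirrors the original post's arrays.
CONF_BAD='MODULES=()
HOOKS=(base systemd udev autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems keyboard fsck)'
CONF_GOOD='MODULES=(tpm_crb)
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)'

# tpm_driver LIST: print the DRIVER column of the first device row, skipping the header.
tpm_driver() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 3 { print $3; exit }'
}

# array_items CONF NAME: print the items of the shell array NAME=( ... ).
array_items() {
    printf '%s\n' "$1" | sed -n "s/^$2=(\(.*\))\$/\1/p"
}

# has_item CONF NAME ITEM: succeed when ITEM appears in array NAME.
has_item() {
    for w in $(array_items "$1" "$2"); do
        if [ "$w" = "$3" ]; then return 0; fi
    done
    return 1
}

# lint_conf CONF LIST: one finding per line; prints nothing when clean.
lint_conf() {
    conf=$1; drv=$(tpm_driver "$2")
    has_item "$conf" MODULES "$drv" || echo "MODULES lacks TPM driver $drv"
    has_item "$conf" HOOKS sd-encrypt || echo "HOOKS lacks sd-encrypt"
    # The systemd hook replaces udev, and sd-encrypt replaces encrypt.
    if has_item "$conf" HOOKS systemd; then
        for legacy in udev encrypt; do
            if has_item "$conf" HOOKS "$legacy"; then
                echo "HOOKS mixes $legacy with systemd"
            fi
        done
    fi
    # Report duplicated hooks (the original post lists keyboard twice).
    array_items "$conf" HOOKS | tr ' ' '\n' | sort | uniq -d | sed 's/^/HOOKS lists twice: /'
}

lint_conf "$CONF_BAD" "$TPM_LIST"
```

Point it at a real system by replacing the constructed strings with `$(systemd-cryptenroll --tpm2-device=list)` and `$(cat /etc/mkinitcpio.conf)`.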

#6 2021-04-13 17:40:05

torrenator
Member
Registered: 2020-11-08
Posts: 8

Re: systemd 248: Unlocking LUKS root partition with TPM2 systemd-cryptenroll

@Han Vinke

Since yesterday I have it working. I think there was a systemd update that must have fixed something. There now is a wiki section dedicated to systemd-cryptenroll as well. https://wiki.archlinux.org/index.php/Tr … ryptenroll

#7 2021-04-15 07:14:20

Han Vinke
Member
Registered: 2017-02-18
Posts: 20

Re: systemd 248: Unlocking LUKS root partition with TPM2 systemd-cryptenroll

@torrenator
Glad it worked for you! Maybe you did a 'sudo bootctl update' by accident? It is important after a new version of systemd-boot.

//edit: info is in https://wiki.archlinux.org/index.php/systemd-boot

BTW, I had my share of problems too. Also had to input the password. In my journalctl there was the message: ccp 0000:0e:00.1: ccp: unable to access the device: you might be running a broken BIOS.

Probably I needed to install the cryptodev-linux module. //edit: correction. CONFIG_CRYPTO_DEV_SP_CCP=y is configured in the kernel.

Not hijacking this thread, you can close the ticket if you wish.

Last edited by Han Vinke (2021-04-26 14:36:32)
