rogerroger n00b
Joined: 24 May 2023 Posts: 8
Posted: Sat Jun 08, 2024 1:56 pm Post subject: Automatic decryption of root volume stopped working
After updating my kernel from version 6.8.12 my root volume will no longer decrypt automatically. I've tried swapping the version of the kernel/efi file with an emerge --config sys-kernel/gentoo-kernel-bin and swapping out the versions (tried 6.8.10, 6.8.12, 6.9.2, 6.9.3). Neither 6.9 version works.
I'm using a bit of a custom setup with clevis binding the key to the tpm, booster to generate the initramfs and to automatically get the key on boot and decrypt my root volume and sbctl to create and bundle the final efi. This setup has worked without any issues for the last year. I've already tried rebinding the key in case something about my efi vars changed or similar but it didn't make a difference. Just changing the kernel version makes things work/break.
How would I best go about figuring out why this is happening?
Hu Administrator
Joined: 06 Mar 2007 Posts: 22601
Posted: Sat Jun 08, 2024 4:57 pm Post subject:
As I understand the typical use of TPMs, this is expected and desirable. You changed out the kernel, so when the kernel is measured into the TPM, you get the wrong measurement, and the TPM refuses to provide the key.
You wrote that you tried rebinding the key. What exactly did you do here?
rogerroger n00b
Joined: 24 May 2023 Posts: 8
Posted: Sat Jun 08, 2024 7:23 pm Post subject:
The command used to regenerate the key was
Code:
clevis luks regen -d /dev/nvme0n1p3 -s 1
I rebuild the efi file and sign it automatically after every update. This has never been an issue until now.
The key is bound against registers 1,2,3 and 7 which correspond to
- Host platform configuration
- UEFI driver and application code
- UEFI driver and application configuration
- Secure boot policy
(see https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf 2.3.4)
This excludes boot loader configuration such as which kernel is booted.
To give a bit more info my setup looks a bit like this:
- portage updates gentoo-kernel-bin
- installkernel does my config bits:
- booster generates an initramfs
- sbctl creates an efi bundle
- sbctl signs said efi bundle
This mostly mirrors my old setup I had on archlinux and worked for previous updates. As the only thing changing between working and broken is the kernel version used, I don't believe anything else in my setup is wrong.
So emerge --config '=sys-kernel/gentoo-kernel-bin-6.8.12' works, while emerge --config '=sys-kernel/gentoo-kernel-bin-6.9.3' doesn't work.
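Editorial note, not a post in this thread: the question raised above (how to tell whether the TPM is refusing the key because a measurement changed, or whether the unlock tooling itself broke) can be answered by comparing the bound PCRs across boots. The script below is an added example, not code from booster, clevis, sbctl or any participant. It assumes the kernel exposes PCR banks under /sys/class/tpm/tpm0/pcr-sha256/<index> and defaults to the PCR set 1,2,3,7 described in the post above; the snapshot values used for the offline demonstration are constructed, not real measurements.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: snapshot the TPM 2.0 PCRs
# that a clevis binding depends on and compare a known-good snapshot with the
# current boot, so a failed automatic unlock can be split into "a bound
# measurement changed" versus "the measurements are the same, so look at the
# initramfs/kernel side".
#
# Assumptions (not stated in the thread): the kernel exposes PCR banks under
# /sys/class/tpm/tpm0/pcr-sha256/<index>; the bound set defaults to the
# PCRs 1,2,3,7 named in the thread. Both can be overridden via the environment.

BOUND_PCRS="${BOUND_PCRS:-1 2 3 7}"
PCR_DIR="${PCR_DIR:-/sys/class/tpm/tpm0/pcr-sha256}"

# Meaning of the PCRs listed in the thread (TCG PC Client Platform Firmware
# Profile, section 2.3.4).
pcr_describe() {
  case "$1" in
    1) echo "host platform configuration" ;;
    2) echo "UEFI driver and application code" ;;
    3) echo "UEFI driver and application configuration" ;;
    7) echo "secure boot policy" ;;
    *) echo "PCR $1 (not in the bound set)" ;;
  esac
}

# snapshot_pcrs FILE: write "index hexvalue" lines for every PCR in BOUND_PCRS.
# Run it once from a boot that unlocks correctly and keep the file.
snapshot_pcrs() {
  for i in $BOUND_PCRS; do
    printf '%s %s\n' "$i" "$(cat "$PCR_DIR/$i")"
  done > "$1"
}

# changed_pcrs OLD NEW: print the indices present in both snapshots whose
# values differ, one per line.
changed_pcrs() {
  awk 'NR == FNR { old[$1] = $2; next }
       ($1 in old) && old[$1] != $2 { print $1 }' "$1" "$2"
}

# diagnose OLD NEW: return 0 when every bound PCR is unchanged (the TPM
# policy is still satisfied, so the unlock path itself is failing) and 1
# when at least one bound PCR changed.
diagnose() {
  changed=$(changed_pcrs "$1" "$2")
  bound_changed=""
  for i in $changed; do
    for b in $BOUND_PCRS; do
      if [ "$i" = "$b" ]; then bound_changed="$bound_changed $i"; fi
    done
  done
  if [ -z "$bound_changed" ]; then
    echo "bound PCRs ($BOUND_PCRS) unchanged: TPM policy still matches;"
    echo "check the initramfs (TPM driver, clevis pin modules) before rebinding"
    return 0
  fi
  for i in $bound_changed; do
    echo "PCR $i changed: $(pcr_describe "$i")"
  done
  echo "rebind only after confirming the change is legitimate (e.g. a firmware update)"
  return 1
}

# write_demo_snapshots DIR: constructed sample data, not real PCR values.
# "new-kernel" changes only PCR 4 (boot manager code in the TCG profile, which
# is outside the bound set); "new-sb-policy" changes PCR 7.
write_demo_snapshots() {
  printf '1 AAAA\n2 BBBB\n3 CCCC\n4 DDDD\n7 EEEE\n' > "$1/good"
  printf '1 AAAA\n2 BBBB\n3 CCCC\n4 D1D1\n7 EEEE\n' > "$1/new-kernel"
  printf '1 AAAA\n2 BBBB\n3 CCCC\n4 DDDD\n7 E2E2\n' > "$1/new-sb-policy"
}

demo=$(mktemp -d)
write_demo_snapshots "$demo"
diagnose "$demo/good" "$demo/new-kernel"             # bound set unchanged, returns 0
diagnose "$demo/good" "$demo/new-sb-policy" || true  # PCR 7 changed, returns 1
rm -rf "$demo"
```

In real use, run snapshot_pcrs from a boot that unlocks, run it again from the boot that does not, and feed both files to diagnose. A result of "bound PCRs unchanged" means the TPM is not the component refusing, and rebinding will not help; that outcome matches how this thread develops, where applying the older kernel configuration to the new kernel restored the unlock.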
rogerroger n00b
Joined: 24 May 2023 Posts: 8
Posted: Sun Jun 09, 2024 2:12 pm Post subject:
I went with the assumption that something about the kernel config changed recently and built the 6.9.2 kernel with the 6.8.12 config and my system unlocks normally again.
I executed the following command in /usr/src and installed gentoo-kernel-6.9.2.
Code:
diff --changed-group-format="%>" --unchanged-group-format="" linux-6.9.3-gentoo-dist/.config linux-6.8.12-gentoo-dist/.config | sudo tee /etc/kernel/config.d/50-test.config
I'm assuming one of those options needs to be enabled for this to work. What should my next step be?
Hu Administrator
Joined: 06 Mar 2007 Posts: 22601
Posted: Sun Jun 09, 2024 3:30 pm Post subject:
I suggest examining the help text for those options to see if any sound relevant to your problem. If not, then the next step would be to speculatively enable part of them, test, then either enable or disable as appropriate until you have bisected down to the specific option.
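Editorial note, not a post in this thread: the diff command in the post two above and the bisection suggested in the reply can be made mechanical. The script below is an added example, not code from any participant or from Gentoo's kernel tooling. It normalises two .config files into "option value" pairs (so "# CONFIG_X is not set" and "CONFIG_X=n" compare equal), lists the options that differ, and writes a config fragment that re-applies the known-good values for one half of that list, which is one round of the bisection. It assumes standard .config syntax and that the fragment is placed wherever the reader's kernel build collects fragments (the thread uses /etc/kernel/config.d/50-test.config); the sample configs are constructed with illustrative option names and values, not the real 6.8.12 or 6.9.3 configs.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: normalise two kernel
# .config files, list the options whose values differ, and split that list into
# halves so each round of a bisection can be written as a config fragment that
# re-applies the known-good values for one half only.
#
# Assumptions (not stated in the thread): standard .config syntax
# ("CONFIG_X=y" and "# CONFIG_X is not set"); the fragment is dropped wherever
# the reader's kernel build picks up fragments (the thread uses
# /etc/kernel/config.d/50-test.config).

# normalize_config FILE: print "CONFIG_NAME value", with "is not set" as n.
normalize_config() {
  awk '
    /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { print $2, "n"; next }
    /^CONFIG_[A-Za-z0-9_]+=/ {
      i = index($0, "=")
      print substr($0, 1, i - 1), substr($0, i + 1)
    }' "$1"
}

# config_diff OLD NEW: print "CONFIG_NAME old_value new_value" for each option
# that differs; an option missing on one side is shown as "-".
config_diff() {
  o=$(mktemp); n=$(mktemp)
  normalize_config "$1" > "$o"
  normalize_config "$2" > "$n"
  awk 'NR == FNR { a[$1] = $2; next }
       { b[$1] = $2 }
       END {
         for (k in a) if (!(k in b)) print k, a[k], "-"
         for (k in b) if (!(k in a)) print k, "-", b[k]
         for (k in a) if ((k in b) && a[k] != b[k]) print k, a[k], b[k]
       }' "$o" "$n" | LC_ALL=C sort
  rm -f "$o" "$n"
}

# fragment_from_diff DIFF HALF: emit a config fragment that re-applies the OLD
# (known-good) value for the first (HALF=1) or second (HALF=2) half of the
# differing options. If booting with that half applied unlocks again, the
# option that matters is in it; otherwise it is in the other half. Repeat on
# the winning half until one option remains.
fragment_from_diff() {
  total=$(awk 'END { print NR }' "$1")
  mid=$(( (total + 1) / 2 ))
  if [ "$2" = 1 ]; then range="1,${mid}p"; else range="$((mid + 1)),\$p"; fi
  sed -n "$range" "$1" | while read -r name old new; do
    case "$old" in
      -) ;;                                    # absent from the known-good config: nothing to re-apply
      n) printf '# %s is not set\n' "$name" ;;
      *) printf '%s=%s\n' "$name" "$old" ;;
    esac
  done
}

# write_demo_configs DIR: constructed sample configs (illustrative option names
# and made-up values; these are NOT the 6.8.12 / 6.9.3 configs from the thread).
write_demo_configs() {
  printf 'CONFIG_DM_CRYPT=y\nCONFIG_TCG_TPM=y\nCONFIG_TCG_TIS=y\nCONFIG_TCG_CRB=y\nCONFIG_CRYPTO_XTS=y\n' > "$1/old.config"
  printf 'CONFIG_DM_CRYPT=y\nCONFIG_TCG_TPM=m\nCONFIG_TCG_TIS=m\n# CONFIG_TCG_CRB is not set\nCONFIG_CRYPTO_XTS=y\nCONFIG_SOMETHING_NEW=y\n' > "$1/new.config"
}

demo=$(mktemp -d)
write_demo_configs "$demo"
config_diff "$demo/old.config" "$demo/new.config" > "$demo/diff"
cat "$demo/diff"                                # 4 differing options
echo "--- fragment for round 1, half 1:"
fragment_from_diff "$demo/diff" 1               # CONFIG_TCG_CRB=y
rm -rf "$demo"
```

With real configs, save config_diff's output once, then in each round write fragment_from_diff's output to the fragment file, rebuild, and test the unlock; each round halves the candidate list, so a few dozen differing options need only five or six rebuilds.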
rogerroger n00b
Joined: 24 May 2023 Posts: 8
Posted: Sun Jul 07, 2024 6:59 pm Post subject:
I spent a lot of time trying out different options but it either always worked or never worked.
Turns out that gentoo-kernel and gentoo-kernel-bin don't use the same config options and some of them are related to my issue...
In the end I gave up for now and after some fiddling got a working solution with dracut (did you know that you need to install dracut before clevis for the necessary modules to get installed? I didn't).
I'm just gonna assume that this bug is on booster and will look deeper into it in the future
Princess Nell l33t
Joined: 15 Apr 2005 Posts: 925
Posted: Tue Aug 06, 2024 10:48 pm Post subject:
Apologies for the completely unrelated question - have you tried NBDE with this setup? I looked at this a while back but couldn't figure out how to add support for OpenRC into the vanilla code. I was definitely not aware we have an overlay with tang and clevis and tried to roll my own.