Gentoo Forums
[SOLVED] genkernel, cryptsetup and tpm2
mbar
Veteran

Joined: 19 Jan 2005
Posts: 1991
Location: Poland

PostPosted: Fri Nov 05, 2021 12:31 pm    Post subject: [SOLVED] genkernel, cryptsetup and tpm2

Hi all, I'm trying to do the following:
https://wiki.archlinux.org/title/Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS

I'd like to use the TPM 2.0 chip in my laptop (Precision 5510) to store the unlock key for the root partition.
Right now I have a working setup with a passphrase that I have to enter during boot. I'm using genkernel and systemd, just as described in an article in Gentoo's wiki.

I can enroll a crypto key on the TPM2 chip:

Code:
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,2,4,7 /dev/nvme0n1p6
Please enter current passphrase for disk /dev/nvme0n1p6: ***
New TPM2 token enrolled as key slot 1.


But it isn't used during boot at all; I always get the prompt for the passphrase. My GRUB options:

GRUB_CMDLINE_LINUX="crypt_root=UUID=abc rd.luks.uuid=abc rd.luks.options=abc=tpm2-device=auto rd.luks.crypttab=0 rootfstype=xfs i915.modeset=1 nvidia-drm.modeset=1 snd-hda-intel.power_save=1 nmi_watchdog=0 mitigations=off quiet init=/lib/systemd/systemd"

Is using genkernel together with TPM2 possible at all? Can any of these options help me?
crypt_root_options=
root_keydev=


Last edited by mbar on Sat Nov 06, 2021 3:05 pm; edited 1 time in total
salahx
Guru

Joined: 12 Mar 2005
Posts: 559

PostPosted: Sat Nov 06, 2021 1:05 am

I don't think it'll work with genkernel initramfs, but dracut should work.

To make it work with dracut, you'll need the current dracut, which is currently unstable, so you'll need to add it to package.accept_keywords.

Create a new initramfs with the tpm2-tss module (dracut -a tpm2-tss) or add it to dracut config file.

Add rd.luks.options={UUID}=tpm2-device=auto (substitute the UUID for {UUID}) to the kernel command line.

When you next reboot, it should unlock the drive automatically.
mbar
Veteran

Joined: 19 Jan 2005
Posts: 1991
Location: Poland

PostPosted: Sat Nov 06, 2021 9:21 am

Thanks, it is almost working now.
I have some kind of dependency error:

https://imgur.com/MOEtOS5

After a while it times out. Should I enable something in systemd?

EDIT: I also found this, but I think my problem may be a simple configuration error. This is the first time I've used dracut. https://github.com/dracutdevs/dracut/issues/723

Also found this: https://forums.gentoo.org/viewtopic-t-1144197.html
mbar
Veteran

Joined: 19 Jan 2005
Posts: 1991
Location: Poland

PostPosted: Sat Nov 06, 2021 10:12 am

Well, it seems that dracut does not have TPM2 support; any chance to add this as a module?


Code:
[    2.311926] precision systemd[1]: Finished Coldplug All udev Devices.
[    2.312782] precision systemd[1]: Starting dracut initqueue hook...
[    2.353953] precision systemd[1]: Found device PM981 NVMe SED Samsung 512GB Rootfs.
[    2.356733] precision systemd[1]: Found device PM981 NVMe SED Samsung 512GB Bootfs.
[    2.365965] precision systemd[1]: Found device PM981 NVMe SED Samsung 512GB EFI\x20system\x20partition.
[    2.368723] precision systemd[1]: Starting Cryptography Setup for root...
[    2.372737] precision systemd-cryptsetup[494]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/6623853f-7ead-4f8f-8
[    2.373188] precision systemd-cryptsetup[494]: Automatically discovered security TPM2 token unlocks volume.
[    2.373153] precision systemd-cryptsetup[494]: TPM2 support is not installed.
[    2.374455] precision systemd[1]: systemd-cryptsetup@root.service: Main process exited, code=exited, status=1/FAILURE
[    2.374563] precision systemd[1]: systemd-cryptsetup@root.service: Failed with result 'exit-code'.
[    2.374765] precision systemd[1]: Failed to start Cryptography Setup for root.
[    2.393356] precision systemd[1]: Dependency failed for Local Encrypted Volumes.
[    2.393469] precision systemd[1]: cryptsetup.target: Job cryptsetup.target/start failed with result 'dependency'.
[    2.393648] precision systemd[1]: Reached target System Initialization.
[    2.393679] precision systemd[1]: Reached target Basic System.
[    2.393747] precision systemd[1]: Reloading.
[    2.489584] precision systemd-cryptsetup-generator[583]: Not creating device 'root' because it was not specified on the kernel command line.
[    3.777816] precision kernel: Bluetooth: hci0: Waiting for firmware download to complete
[    3.777358] precision kernel: Bluetooth: hci0: Firmware loaded in 1907238 usecs
[    3.777446] precision kernel: Bluetooth: hci0: Waiting for device to boot


EDIT:
I think I need dracut-9999 and to enable the tpm2-tss module, due to the following bugs in version 55:
https://github.com/dracutdevs/dracut/pull/1526
https://github.com/dracutdevs/dracut/issues/1542

Workaround description here: https://wiki.archlinux.org/title/User:Krin/Secure_Boot,_full_disk_encryption,_and_TPM2_unlocking_install
I'll try it later.

EDIT2:

Here's my problem:
Code:
dracut: dracut module 'tpm2-tss' will not be installed, because command 'tpm2' could not be found!


And I think this is because:
Code:
*  app-crypt/tpm2-tools [ Masked ]
      Latest version available: 5.2
      Latest version installed: [ Not Installed ]


EDIT3:
Getting somewhere...
Code:
dracut: *** Including module: tpm2-tss ***
mbar
Veteran

Joined: 19 Jan 2005
Posts: 1991
Location: Poland

PostPosted: Sat Nov 06, 2021 3:04 pm

Solved, installing dracut and app-crypt/tpm2-tools helped.
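As an added example (not from the thread, nor from dracut or systemd), a few POSIX sh checks that cover the steps salahx listed and the failure mbar hit: each reads a tool's output on stdin and returns 0 or 1, so the setup can be verified before rebooting. The device path, UUID and the sample text in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: pre-reboot checks for the TPM2 unlock setup
# discussed above (systemd-cryptenroll token, kernel command line, dracut image).
# Each function reads a tool's output on stdin and returns 0 (ok) or 1, so on a
# live system you would run, for example:
#   cryptsetup luksDump /dev/nvme0n1p6 | has_tpm2_token
#   cmdline_has_tpm2_option "$UUID" < /proc/cmdline
#   lsinitrd /boot/initramfs-"$(uname -r)".img | initrd_has_tpm2_module
#   journalctl -b -u 'systemd-cryptsetup@*' | diagnose_cryptsetup_log
# Device path and UUID are placeholders for your own values.

# 1. systemd-cryptenroll records its enrollment as a "systemd-tpm2" token in
#    the LUKS2 header, next to the key slot it unlocks.
has_tpm2_token() {
  grep -q 'systemd-tpm2'
}

# 2. systemd-cryptsetup-generator needs both pieces for the same UUID:
#    rd.luks.uuid= to create the device and rd.luks.options=<uuid>=tpm2-device=auto
#    so that systemd-cryptsetup consults the TPM before prompting.
cmdline_has_tpm2_option() {
  uuid="$1"
  args=$(tr ' ' '\n')
  printf '%s\n' "$args" | grep -qxF "rd.luks.uuid=$uuid" || return 1
  printf '%s\n' "$args" | grep -qxF "rd.luks.options=$uuid=tpm2-device=auto"
}

# 3. lsinitrd prints the dracut modules baked into the image. tpm2-tss is what
#    ships the TPM2 libraries; dracut silently skips it when the tpm2 tool
#    (app-crypt/tpm2-tools on Gentoo) is absent at build time.
initrd_has_tpm2_module() {
  grep -qw 'tpm2-tss'
}

# 4. Map the journal lines quoted in the thread to their cause.
diagnose_cryptsetup_log() {
  log=$(cat)
  case "$log" in
    *"TPM2 support is not installed"*)
      echo 'missing-tpm2-support: install app-crypt/tpm2-tools and rebuild with dracut -a tpm2-tss' ;;
    *"because it was not specified on the kernel command line"*)
      echo 'crypttab-entry-ignored: rd.luks.uuid= restricts the generator to the UUIDs it lists; add the volume there' ;;
    *)
      echo 'unknown: no known TPM2 unlock failure found'
      return 1 ;;
  esac
}
```

When both messages from the thread appear in one log, the first case wins, which matches the root cause mbar found.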