dracut fails to unlock LUKS device with TPM2 (missing cryptsetup plugins?) #1676

Closed
swsnr opened this issue Dec 27, 2021 · 0 comments · Fixed by #1677
Labels
bug Our bugs

Comments


swsnr commented Dec 27, 2021

Describe the bug
I have a LUKS-encrypted rootfs with a TPM2 key, set up with systemd-cryptenroll:

$ systemd-cryptenroll /dev/disk/by-partlabel/linux
SLOT TYPE    
   0 tpm2
   1 password
   2 recovery

I've got add_dracutmodules+=" tpm2-tss " in my configuration to ensure that tpm2 support is included.

I expected dracut to unlock this device automatically, without any password prompt, but it didn't; I still got a password prompt. A debug log revealed that a cryptsetup library is missing (per journalctl -b):

Dez 27 22:17:07 bastis-kastl systemd-cryptsetup[334]: /usr/lib/cryptsetup/libcryptsetup-token-systemd-recovery.so: cannot open shared object file: No such file or directory
Dez 27 22:17:07 bastis-kastl systemd-cryptsetup[334]: Trying to load /usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so.
Dez 27 22:17:07 bastis-kastl systemd-cryptsetup[334]: /usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so: cannot open shared object file: No such file or directory
Dez 27 22:17:07 bastis-kastl systemd-cryptsetup[334]: Token activation unsuccessful for device /dev/disk/by-uuid/9ba7b204-e7f5-4e93-9daa-651d8a0b5ba8: No such file or directory
Dez 27 22:17:07 bastis-kastl systemd-cryptsetup[334]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/9ba7b204-e7f5-4e93-9daa-651d8a0b5ba8.
Dez 27 22:17:07 bastis-kastl systemd-udevd[288]: sdhci_pci: Device processed (SEQNUM=2231, ACTION=add)
Dez 27 22:17:07 bastis-kastl systemd-udevd[288]: sdhci_pci: sd-device-monitor: Passed 131 byte to netlink monitor
Dez 27 22:17:07 bastis-kastl systemd-udevd[266]: sdhci_pci: sd-device-monitor: Passed 131 byte to netlink monitor
Dez 27 22:17:07 bastis-kastl systemd-udevd[266]: libps2: Device is queued (SEQNUM=2232, ACTION=add)
Dez 27 22:17:07 bastis-kastl systemd-udevd[266]: libps2: Device ready for processing (SEQNUM=2232, ACTION=add)
Dez 27 22:17:07 bastis-kastl systemd-udevd[288]: libps2: Processing device (SEQNUM=2232, ACTION=add)
Dez 27 22:17:07 bastis-kastl systemd-udevd[267]: 0000:00:1e.6: sd-device: Created db file '/run/udev/data/+pci:0000:00:1e.6' for '/devices/pci0000:00/0000:00:1e.6'
Dez 27 22:17:07 bastis-kastl systemd-udevd[267]: 0000:00:1e.6: Device processed (SEQNUM=2229, ACTION=bind)
Dez 27 22:17:07 bastis-kastl systemd-udevd[267]: 0000:00:1e.6: sd-device-monitor: Passed 521 byte to netlink monitor
Dez 27 22:17:07 bastis-kastl systemd-cryptsetup[334]: Activating volume linux using token (systemd-tpm2 type) -1.
Dez 27 22:17:07 bastis-kastl systemd-cryptsetup[334]: dm versions   [ opencount flush ]   [16384] (*1)
Dez 27 22:17:07 bastis-kastl systemd-cryptsetup[334]: dm status linux  [ opencount noflush ]   [16384] (*1)
Dez 27 22:17:07 bastis-kastl systemd-cryptsetup[334]: Token 1 unusable for segment 0 with desired keyslot priority 2.
Dez 27 22:17:07 bastis-kastl systemd-cryptsetup[334]: Trying to load /usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so.
Dez 27 22:17:07 bastis-kastl systemd-cryptsetup[334]: /usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so: cannot open shared object file: No such file or directory
Dez 27 22:17:07 bastis-kastl systemd-cryptsetup[334]: No TPM2 metadata enrolled in LUKS2 header or TPM2 support not available, falling back to traditional unlocking.

It looks as if /usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so is missing, and indeed I can fix this problem by adding

install_items+=" /usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so "

to my dracut configuration and regenerating the initramfs; the password prompt's gone and the rootfs gets unlocked with TPM2:

Dez 27 22:29:40 bastis-kastl systemd-cryptsetup[316]: Successfully created ECC primary key on TPM.
Dez 27 22:29:40 bastis-kastl systemd-cryptsetup[316]: Generating primary key on TPM2 took 75ms.
Dez 27 22:29:40 bastis-kastl systemd-cryptsetup[316]: Loading HMAC key into TPM.
Dez 27 22:29:40 bastis-kastl systemd-cryptsetup[316]: Unsealing HMAC key.
Dez 27 22:29:40 bastis-kastl systemd-cryptsetup[316]: Completed TPM2 key unsealing in 5.419236s.
Dez 27 22:29:40 bastis-kastl systemd-cryptsetup[316]: Trying to open keyslot 0 with token 1 (type systemd-tpm2).
Dez 27 22:29:40 bastis-kastl systemd-cryptsetup[316]: Trying to open LUKS2 keyslot 0.
Dez 27 22:29:40 bastis-kastl systemd-cryptsetup[316]: Running keyslot key derivation.
Dez 27 22:29:40 bastis-kastl systemd-cryptsetup[316]: Reading keyslot area [0x8000].
Dez 27 22:29:40 bastis-kastl systemd-cryptsetup[316]: Acquiring read lock for device /dev/gpt-auto-root-luks.

Distribution used
Arch Linux

Dracut version

$ dracut --version
dracut 055-106-g813577e2

I presume the following versions are also relevant here:

$ cryptsetup --version
cryptsetup 2.4.2
$ systemctl --version
systemd 250 (250-1-arch)
[…]

Init system
systemd

To Reproduce
Make a standard LUKS-encrypted rootfs, and then add a TPM2 bound key with systemd-cryptenroll /dev/<rootfs> --tpm2-device=auto.

Expected behavior
I expected no password prompt at boot to unlock the rootfs, because it should get unlocked by the TPM.

Additional context

install_items+=" /usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so "

in the dracut configuration fixes this.

I can make a pull request to fix this, but I'm not sure which module this file would belong to?
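A check for the generated image, added here as an example and not taken from dracut or from the issue author: it scans an `lsinitrd` listing for the two systemd token plugins that the log above tried to load, and prints the `install_items+=` line from this issue for whichever is missing. The `/usr/lib/cryptsetup` path is the Arch Linux one from the log and is an assumption for other distributions; the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not dracut's code, not the issue author's): check an initramfs
# listing, the text of `lsinitrd <image>`, for the systemd cryptsetup token
# plugins the log above tried to load and print the install_items+= fix from the
# issue for any that are missing. Assumption: plugins live in the Arch Linux path
# from the log (/usr/lib/cryptsetup); other distributions may use /usr/lib64.

PLUGIN_DIR="/usr/lib/cryptsetup"
TOKEN_PLUGINS="libcryptsetup-token-systemd-tpm2.so libcryptsetup-token-systemd-recovery.so"

# missing_token_plugins LISTING
# Prints one missing plugin filename per line; exit status 0 when none is missing.
missing_token_plugins() {
    listing="$1"
    missing=0
    for plugin in $TOKEN_PLUGINS; do
        # lsinitrd prints ls -l style lines that end in the path, so match the
        # "cryptsetup/<plugin>" suffix rather than a fixed column.
        if ! printf '%s\n' "$listing" | grep -qF "cryptsetup/$plugin"; then
            echo "$plugin"
            missing=1
        fi
    done
    return $missing
}

# install_items_line LISTING
# Prints the dracut.conf line that installs every missing plugin, or nothing when
# the initramfs already contains them all.
install_items_line() {
    items=$(missing_token_plugins "$1" || :)
    [ -n "$items" ] || return 0
    line='install_items+=" '
    for p in $items; do
        line="$line$PLUGIN_DIR/$p "
    done
    printf '%s"\n' "$line"
}

# Constructed sample listing standing in for `lsinitrd /boot/initramfs-linux.img`:
# systemd-cryptsetup and the TPM2 plugin are present, the recovery plugin is not.
SAMPLE_LISTING='-rwxr-xr-x   1 root     root       287632 Dec 27 22:00 usr/lib/systemd/systemd-cryptsetup
-rwxr-xr-x   1 root     root        34496 Dec 27 22:00 usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so'

# With an image path as argument, check that image; otherwise demonstrate on the sample.
if [ -n "${1:-}" ]; then
    install_items_line "$(lsinitrd "$1")"
else
    install_items_line "$SAMPLE_LISTING"
fi
```

Run it as `sh check-tokens.sh /boot/initramfs-linux.img` after regenerating the initramfs; empty output means both plugins made it into the image.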
