From f3e36e6de8415c7b6a33acac174bb63c124813ba Mon Sep 17 00:00:00 2001
From: Arseniy Romenskiy
Date: Fri, 27 Mar 2026 22:17:26 +0300
Subject: [PATCH 1/2] clevis: add feature for TPM2-based LUKS unlock

Add a new clevis feature that installs the tools and files required for TPM2-backed LUKS unlock in initrd. The feature is optional and is enabled explicitly through FEATURES.

Signed-off-by: Arseniy Romenskiy
---
 features/clevis/README.md | 28 ++++++++++++++++++++++++++++
 features/clevis/config.mk | 1 +
 features/clevis/rules.mk | 15 +++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 features/clevis/README.md
 create mode 100644 features/clevis/config.mk
 create mode 100644 features/clevis/rules.mk

diff --git a/features/clevis/README.md b/features/clevis/README.md
new file mode 100644
index 00000000..b2e46e99
--- /dev/null
+++ b/features/clevis/README.md
@@ -0,0 +1,28 @@
+# clevis
+
+The `clevis` feature adds optional support for Clevis-based LUKS unlock in
+initrd.
+
+When this feature is enabled, the `luks` handler tries to unlock a LUKS device
+with Clevis before falling back to the existing interactive passphrase prompt.
+
+If Clevis is not available in the image, or if Clevis-based unlock fails, the
+existing password prompt logic is preserved.
+
+## Requirements
+
+This feature is intended to be used together with the `luks` feature.
+
+A Clevis-enabled LUKS device must be provisioned in advance on the installed
+system, for example with TPM2 binding.
+
+For more information about Clevis see:
+
+## Configuration
+
+Enable the feature by adding it to `FEATURES`:
+
+```make
+FEATURES += clevis
+```
diff --git a/features/clevis/config.mk b/features/clevis/config.mk
new file mode 100644
index 00000000..46175f72
--- /dev/null
+++ b/features/clevis/config.mk
@@ -0,0 +1 @@
+$(call feature-requires, luks)
diff --git a/features/clevis/rules.mk b/features/clevis/rules.mk
new file mode 100644
index 00000000..1bb0e1a5
--- /dev/null
+++ b/features/clevis/rules.mk
@@ -0,0 +1,15 @@
+PUT_FEATURE_PROGS += \
+ clevis \
+ clevis-decrypt \
+ clevis-decrypt-tpm2 \
+ clevis-luks-unlock \
+ clevis-pin-tpm2 \
+ cryptsetup \
+ jq \
+ jose \
+ tpm2_pcrread \
+ tpm2_getcap
+
+PUT_FEATURE_FILES += /usr/bin/clevis-luks-common-functions
+
+PUT_FEATURE_LIBS += libtss2-tcti-device.so.0

From 6df541a89d203a3cd690bfd6b1f6a3596d625468 Mon Sep 17 00:00:00 2001
From: Arseniy Romenskiy
Date: Fri, 27 Mar 2026 22:21:46 +0300
Subject: [PATCH 2/2] luks: try clevis unlock before prompting for passphrase

When no keyfile is available and the volume is not activated, try clevis-based unlock before falling back to interactive passphrase entry. If clevis is unavailable or unlock fails, keep the existing password prompt logic unchanged.

Signed-off-by: Arseniy Romenskiy
---
 features/luks/data/lib/uevent/handlers/085-luks | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/features/luks/data/lib/uevent/handlers/085-luks b/features/luks/data/lib/uevent/handlers/085-luks
index 32ec2eb9..88b3f915 100755
--- a/features/luks/data/lib/uevent/handlers/085-luks
+++ b/features/luks/data/lib/uevent/handlers/085-luks
@@ -349,6 +349,17 @@ handler() {
 message "The keyfile was not found for partition: $LUKS_ROOT"
 rc=1
 fi
+ if command -v clevis >/dev/null 2>&1; then
+ message "Сlevis detected."
+ message "Attempting to decrypt the partition using clevis luks..."
+ if [ "$rc" -ne 0 ] && shell_var_is_no "$luks_headless"; then
+ clevis luks unlock -d "$LUKS_ROOT" -n "$luks_volume"
+ rc="$?"
+ fi
+ if [ "$rc" -ne 0 ]; then
+ message "clevis could not decrypt!"
+ fi
+ fi
 if [ "$rc" -ne 0 ] && shell_var_is_no "$luks_headless"; then
 if shell_var_is_yes "$luks_empty_password"; then
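Review bot: The PUT_FEATURE_PROGS list in rules.mk covers the clevis front-ends plus tpm2_pcrread and tpm2_getcap, but clevis-decrypt-tpm2 also shells out to further tpm2-tools binaries (tpm2_createprimary, tpm2_load, tpm2_unseal and tpm2_flushcontext in the clevis versions I know of), so unless make-initrd pulls them in by another route the unlock attempt will fail inside the initrd even though the `command -v clevis` probe in the luks handler succeeds; confirm against the installed clevis version and extend the list, e.g. `tpm2_createprimary tpm2_load tpm2_unseal tpm2_flushcontext`, with a comment such as `# helpers invoked by clevis-decrypt-tpm2; keep in sync with the installed clevis version`. The same check applies to LUKS1 volumes, where clevis-luks-common-functions relies on luksmeta, which is not listed either. Only the TCTI module is listed under PUT_FEATURE_LIBS, which is right for a library that is dlopen'ed rather than linked, while the remaining tss2 libraries presumably arrive through the usual dependency scan of the listed programs — that part is inferred rather than visible here.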