
cryptsetup: Fallback to password if TPM unlock fails #19202

Closed
daenney opened this issue Apr 3, 2021 · 13 comments

@daenney

daenney commented Apr 3, 2021

Is your feature request related to a problem? Please describe.
I used the new 248 features to set up my disk so that it can be unlocked by my TPM (thank you for this by the way, it's brilliant).

However, there are cases where the disk can't be unlocked by the TPM (a BIOS change happened) or where it can't unlock at all because the tpm module wasn't included in the initrd (this is how I found out).

Describe the solution you'd like
When it can't unlock using the TPM, fall back to prompting for the password.

Describe alternatives you've considered
Right now I generate a second EFI image without rd.luks.options=tpm2-device=auto that I can boot in such scenarios. Looking through https://www.freedesktop.org/software/systemd/man/crypttab.html#Key%20Acquisition it doesn't seem I can configure it to also prompt?

The systemd version you checked that didn't have the feature you are asking for
248

@poettering
Member

Hmm, this should actually already be the case: if any of the fancier mechanisms fail we'll fall back to asking for a pw. If this doesn't work, then this is a bug.

Any chance you can reproduce this and provide the logs when this fails?

Or is this just a duplicate of #19177? i.e. the fail-over doesn't appear to work in case TPM2 support is compiled out (or the TPM2 libs missing at runtime).

@poettering poettering added cryptsetup needs-reporter-feedback ❓ There's an unanswered question, the reporter needs to answer tpm2 labels Apr 6, 2021
@Tblue

Tblue commented Apr 6, 2021 via email

@poettering
Member

@Tblue the original reporter talked about TPM2 though, not FIDO2. But I take it then that the fallback path for FIDO2 is hosed too, for you? Maybe open a separate issue about that, and paste your logs there. Otherwise this will get too confusing. Let's focus on the TPM2 codepaths only in this issue.

@daenney
Author

daenney commented Apr 6, 2021

It looks indeed like the fallback not working was due to the missing tpm_crb module in my case. I've tried to reproduce it, and I can't anymore. So it's a dupe of #19177. If systemd is compiled with +TPM2 but the library isn't available at runtime the fallback doesn't trigger.

For completeness' sake, my TPM is enrolled with registers 0, 2 and 7. I rebooted into my BIOS, disabled SecureBoot, rebooted and I now did get prompted for the password.

@daenney daenney closed this as completed Apr 6, 2021
@poettering poettering reopened this Apr 6, 2021
@poettering
Member

It looks indeed like the fallback not working was due to the missing tpm_crb module in my case. I've tried to reproduce it, and I can't anymore. So it's a dupe of #19177. If systemd is compiled with +TPM2 but the library isn't available at runtime the fallback doesn't trigger.

Hmm, so #19177 is different: it's about tpm2 support not being compiled into the systemd version. But in your case the driver was missing, but the system had support for tpm2, right?

I guess we need to cover both cases properly, hence reopened this.

Any chance you can get me the precise logs you saw? i.e. I am kinda curious about the precise error code you got.

@daenney
Author

daenney commented Apr 13, 2021

Sorry for the delayed response, life took over for a bit.

I must confess I'm no longer able to reproduce this. I don't know if this was a pebkac issue in failing to rebuild my initramfs, or if the additional changes to the cryptsetup and systemd packages in Arch had anything to do with it. I would love to figure that out b/c I feel slightly insane now, but I lack the time to do so.

Short of anyone else still experiencing this I think it's safe to close this.

@poettering
Member

OK, let's close this then.

@radupotop

Apologies for reviving this. When having a FIDO2 token set up, unlocking still fails to fall back to a password input prompt when the token is missing. Is there any bug report I can add details to? Cheers.

@daenney
Author

daenney commented Apr 14, 2021

Apologies for reviving this. When having a FIDO2 token set up, unlocking still fails to fall back to a password input prompt when the token is missing. Is there any bug report I can add details to? Cheers.

I don't think there's an issue for this. I have the same thing, but given the TPM fallback appears to work I've avoided raising an issue for it b/c I'm sort of assuming there's a problem with my initramfs right now. Since there's at least 2 of us, it's probably worth raising an issue about it.

@MaxRink

MaxRink commented May 16, 2021

Well, I've just tried that out myself on a Manjaro system with 248.2 and had the same behaviour of it not falling back to a password prompt if no FIDO key is present.
I was able to just hot-plug the key, press it and the boot continued on normally afterwards. Before that it was stuck on setting up the cryptdevice without any error msg.

@daenney
Author

daenney commented May 16, 2021

This issue is about TPM, not FIDO2 security keys. I'd suggest opening a separate issue for that and using the instructions in https://freedesktop.org/wiki/Software/systemd/Debugging/#diagnosingbootproblems (the "If you can get a shell" section) to attach a log to the report.

@keszybz keszybz removed the needs-reporter-feedback ❓ There's an unanswered question, the reporter needs to answer label Jun 24, 2021
@keszybz
Member

keszybz commented Jun 24, 2021

See #19872 for fido2 instead.

@gjvnq

gjvnq commented Feb 25, 2022

I recently had a very similar if not identical problem. The boot process didn't ask for the LUKS password but tried to fall back to a recovery shell; however, that seems to be disabled on Arch Linux.

When I managed to boot, I looked into the old logs and found:

Feb 25 00:55:49 archlinux kernel: Linux version 5.15.24-2-lts (linux-lts@archlinux) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.38) #1 SMP Mon, 21 Feb 2022 06:30:12 +0000
Feb 25 00:55:49 archlinux kernel: Command line: root=UUID=10█████-███-████-████-█████████5b rootflags=subvol=/@arch1 rw usbcore.autosuspend=30 quiet splash
...
Feb 25 00:55:49 archlinux systemd[1]: systemd 250.3-4-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC >
...
Feb 25 00:55:49 archlinux systemd[1]: Starting Cryptography Setup for ssd-main-pv...
Feb 25 00:55:49 archlinux kernel: device-mapper: uevent: version 1.0.3
Feb 25 00:55:49 archlinux kernel: device-mapper: ioctl: 4.45.0-ioctl (2021-03-22) initialised: dm-devel@redhat.com
Feb 25 00:55:49 archlinux systemd-cryptsetup[375]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/66█████-███-████-████-█████████21.
Feb 25 00:55:49 archlinux systemd-cryptsetup[375]: ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory
Feb 25 00:55:49 archlinux systemd-cryptsetup[375]: Failed to initialize TCTI context: tcti:IO failure
Feb 25 00:55:49 archlinux systemd[1]: systemd-cryptsetup@ssd\x2dmain\x2dpv.service: Main process exited, code=exited, status=1/FAILURE
Feb 25 00:55:49 archlinux systemd[1]: systemd-cryptsetup@ssd\x2dmain\x2dpv.service: Failed with result 'exit-code'.
Feb 25 00:55:49 archlinux systemd[1]: Failed to start Cryptography Setup for ssd-main-pv.
Feb 25 00:55:49 archlinux systemd[1]: Dependency failed for Local Encrypted Volumes.
Feb 25 00:55:49 archlinux systemd[1]: cryptsetup.target: Job cryptsetup.target/start failed with result 'dependency'.
Feb 25 00:55:49 archlinux audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-cryptsetup@ssd\x2dmain\x2dpv comm="systemd" exe="/init" hostname=? addr=? terminal=? res=failed'
...
Feb 25 00:57:19 archlinux systemd[1]: dev-disk-by\x2duuid-1010█████\x2███\x2████\x2████\x2█████████5b.device: Job dev-disk-by\x2duuid-1010█████\x2███\x2████\x2████\x2█████████5b.device/start timed out.
Feb 25 00:57:19 archlinux systemd[1]: Timed out waiting for device /dev/disk/by-uuid/10█████-███-████-████-█████████5b.
Feb 25 00:57:19 archlinux systemd[1]: Dependency failed for File System Check on /dev/disk/by-uuid/10█████-███-████-████-█████████5b.
Feb 25 00:57:19 archlinux systemd[1]: Dependency failed for /sysroot.
Feb 25 00:57:19 archlinux systemd[1]: Dependency failed for Initrd Root File System.
Feb 25 00:57:19 archlinux systemd[1]: Dependency failed for Reload Configuration from the Real Root.
Feb 25 00:57:19 archlinux systemd[1]: initrd-parse-etc.service: Job initrd-parse-etc.service/start failed with result 'dependency'.
Feb 25 00:57:19 archlinux systemd[1]: initrd-parse-etc.service: Triggering OnFailure= dependencies.
Feb 25 00:57:19 archlinux systemd[1]: initrd-root-fs.target: Job initrd-root-fs.target/start failed with result 'dependency'.
Feb 25 00:57:19 archlinux systemd[1]: initrd-root-fs.target: Triggering OnFailure= dependencies.
Feb 25 00:57:19 archlinux systemd[1]: sysroot.mount: Job sysroot.mount/start failed with result 'dependency'.
Feb 25 00:57:19 archlinux systemd[1]: systemd-fsck-root.service: Job systemd-fsck-root.service/start failed with result 'dependency'.
Feb 25 00:57:19 archlinux systemd[1]: Dependency failed for Initrd Root Device.
Feb 25 00:57:19 archlinux systemd[1]: initrd-root-device.target: Job initrd-root-device.target/start failed with result 'dependency'.
Feb 25 00:57:19 archlinux systemd[1]: initrd-root-device.target: Triggering OnFailure= dependencies.
Feb 25 00:57:19 archlinux systemd[1]: dev-disk-by\x2duuid-10█████\x2███\x2████\x2████\x2█████████5b.device: Job dev-disk-by\x2duuid-10█████\x2███\x2████\x2████\x2█████████5b.device/start failed with>
Feb 25 00:57:19 archlinux systemd[1]: Stopped target Basic System.
Feb 25 00:57:19 archlinux systemd[1]: Reached target Initrd File Systems.
Feb 25 00:57:19 archlinux systemd[1]: Stopped target System Initialization.
Feb 25 00:57:19 archlinux systemd[1]: Started Emergency Shell.

On a successful boot I get:

Feb 25 01:01:25 archlinux kernel: Linux version 5.16.10-arch1-1 (linux@archlinux) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.38) #1 SMP PREEMPT Wed, 16 Feb 2022 19:35:18 +0000
Feb 25 01:01:25 archlinux kernel: Command line: root=UUID=10█████-███-████-████-█████████5b rootflags=subvol=/@arch1 rw usbcore.autosuspend=30 quiet splash
...
Feb 25 01:01:25 archlinux systemd[1]: Starting Cryptography Setup for ssd-main-pv...
Feb 25 01:01:25 archlinux kernel: device-mapper: uevent: version 1.0.3
Feb 25 01:01:25 archlinux kernel: device-mapper: ioctl: 4.45.0-ioctl (2021-03-22) initialised: dm-devel@redhat.com
Feb 25 01:01:25 archlinux kernel: random: systemd-cryptse: uninitialized urandom read (4 bytes read)
...
Feb 25 01:01:28 archlinux kernel: audit: type=1338 audit(1645761688.191:7): module=crypt op=ctr ppid=1 pid=394 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 com>
Feb 25 01:01:28 archlinux kernel: audit: type=1300 audit(1645761688.191:7): arch=c000003e syscall=16 success=yes exit=0 a0=4 a1=c138fd09 a2=55f64e7b5ed0 a3=7ffdaacf1342 items=6 ppid=1 pid=394 auid=4294967295 uid=>
Feb 25 01:01:28 archlinux kernel: audit: type=1307 audit(1645761688.191:7): cwd="/"
Feb 25 01:01:28 archlinux kernel: audit: type=1302 audit(1645761688.191:7): item=0 name=(null) inode=47 dev=00:07 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_fro>
Feb 25 01:01:28 archlinux lvm[473]: PV /dev/dm-0 online, VG ssd-main-vg is complete.
Feb 25 01:01:28 archlinux systemd[1]: Started /usr/bin/lvm vgchange -aay --autoactivation event ssd-main-vg.
Feb 25 01:01:28 archlinux audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=lvm-activate-ssd-main-vg comm="systemd" exe="/init" hostname=? addr=? terminal=? res=success'
Feb 25 01:01:28 archlinux systemd[1]: Finished Cryptography Setup for ssd-main-pv.
Feb 25 01:01:28 archlinux audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-cryptsetup@ssd\x2dmain\x2dpv comm="systemd" exe="/init" hostname=? addr=? terminal=? res=success'
Feb 25 01:01:28 archlinux systemd[1]: Reached target Local Encrypted Volumes.
Feb 25 01:01:28 archlinux systemd[1]: Reached target System Initialization.
...
Feb 25 01:01:29 bi83 systemd[1]: systemd 250.3-4-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD>
Feb 25 01:01:29 bi83 systemd[1]: Detected architecture x86-64.
...
Feb 25 01:01:30 bi83 lvm[711]: PV /dev/dm-0 online, VG ssd-main-vg is complete.
Feb 25 01:01:30 bi83 lvm[711]: VG ssd-main-vg finished
...

In both cases, my /etc/crypttab.initramfs was:

ssd-main-pv	UUID=66█████-███-████-████-█████████21	-	tpm2-device=/dev/tpmrm0

Both were using systemd version 250.3-4-arch. However, the failed boot attempt used systemd without +KMOD.
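A small triage script for journals like the two above, added here as an example and not part of systemd or this thread: it reads systemd's "running in system mode" feature banner and the systemd-cryptsetup lines, and reports whether the volume was unlocked or whether the TCTI device could not be opened and the unit exited without falling back to a passphrase prompt. The sample journals are constructed from the quoted lines; the feature flags after +FIDO2 are filled in for illustration, since the page's own banner line is cut off.

```python
import re

# Constructed sample journals, abridged from the lines quoted in this issue; the
# feature flags after +FIDO2 are filled in for illustration (the page's own line is cut off).
FAILED_BOOT = """\
Feb 25 00:55:49 archlinux systemd[1]: systemd 250.3-4-arch running in system mode (+PAM +AUDIT +FIDO2 +TPM2 -KMOD)
Feb 25 00:55:49 archlinux systemd[1]: Starting Cryptography Setup for ssd-main-pv...
Feb 25 00:55:49 archlinux systemd-cryptsetup[375]: ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory
Feb 25 00:55:49 archlinux systemd-cryptsetup[375]: Failed to initialize TCTI context: tcti:IO failure
Feb 25 00:55:49 archlinux systemd[1]: systemd-cryptsetup@ssd\\x2dmain\\x2dpv.service: Main process exited, code=exited, status=1/FAILURE
"""
GOOD_BOOT = """\
Feb 25 01:01:25 archlinux systemd[1]: systemd 250.3-4-arch running in system mode (+PAM +AUDIT +FIDO2 +TPM2 +KMOD)
Feb 25 01:01:25 archlinux systemd[1]: Starting Cryptography Setup for ssd-main-pv...
Feb 25 01:01:28 archlinux systemd[1]: Finished Cryptography Setup for ssd-main-pv.
"""

FEATURES_RE = re.compile(r"running in system mode \(([^)]*)\)")
TCTI_RE = re.compile(r"Failed to open specified TCTI device file (\S+): (.+)$")
EXIT_RE = re.compile(r"(systemd-cryptsetup@\S+?\.service): Main process exited, code=exited, status=(\d+)")
DONE_RE = re.compile(r"Finished Cryptography Setup for (\S+)\.$")


def systemd_features(journal: str) -> dict:
    """Map each +FLAG/-FLAG in systemd's 'running in system mode' banner to True/False."""
    m = FEATURES_RE.search(journal)
    if not m:
        return {}
    return {tok[1:]: tok[0] == "+" for tok in m.group(1).split() if tok[0] in "+-"}


def diagnose(journal: str) -> dict:
    """Did the TPM2 unlock succeed, or did systemd-cryptsetup exit without a passphrase fallback?"""
    feats = systemd_features(journal)
    report = {"tpm2_built": feats.get("TPM2"), "kmod_built": feats.get("KMOD"), "tcti_device": None,
              "tcti_error": None, "unit": None, "status": None, "unlocked": [], "verdict": "unknown"}
    for line in journal.splitlines():
        if m := TCTI_RE.search(line):
            report["tcti_device"], report["tcti_error"] = m.group(1), m.group(2)
        elif m := EXIT_RE.search(line):
            report["unit"], report["status"] = m.group(1), int(m.group(2))
        elif m := DONE_RE.search(line):
            report["unlocked"].append(m.group(1))
    if report["unlocked"]:
        report["verdict"] = "unlocked"
    elif report["tcti_device"] and report["status"] not in (None, 0):
        # The TCTI device could not be opened and the unit exited non-zero instead of
        # prompting: TPM driver/device missing (e.g. tpm_crb not in the initrd), no fallback.
        report["verdict"] = "tpm-device-missing-no-fallback"
    return report
```

Feed it `journalctl -b -1 -o short` output from the failed boot; a `tpm-device-missing-no-fallback` verdict together with `kmod_built` being False points at the initrd/driver side rather than at the enrolled PCR policy.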
