-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cryptsetup: Fallback to password if TPM unlock fails #19202
Comments
Hmm, this should actually already be the case: if any of the fancier mechanisms fail we'll fallback to asking for a pw. If this doesn't work, then this is a bug. Any chance you can reproduce this and provide the logs when this fails? Or i this just a duplicate of #19177? i.e. the fail-over doesn't appear to work in case TPM2 support is compiled out (or the TPM2 libs missing at runtime). |
For me, when unlocking with FIDO2 fails, I get dropped into a rescue shell
after the timeout for unlocking expires. Will try to get logs this evening.
|
@Tblue the original reporter talked about TPM2 though, not FIDO2. But I take it then that the fallback path for FIDO2 is hosed too then, for you? maybe open a separate issue about that, and paste your logs there. Otherwise this will get too confusing. Let's focus on the TPM2 codepaths only in this issue. |
It looks indeed like the fallback not working was due to the missing tpm_crb module in my case. I've tried to reproduce it, and I can't anymore. So it's a dupe of #19177. If systemd is compiled with +TMP2 but the library isn't available at runtime the fallback doesn't trigger. For completeness sake, my TPM is enrolled with registers 0, 2 and 7. I rebooted into my BIOS, disabled SecureBoot, rebooted and I now did get prompted for the password. |
Hmm, so #19177 is different: it's about tpm2 support not being compiled into the systemd version. But in your case the driver was missing, but system had support for tpm2, right? I guess we need to cover both cases properly, hence reopened this. Any chance you can get me the precise logs you saw? i.e. i am kinda curious about the precise error code you got. |
Sorry for the delayed response, life took over for a bit. I must confess I'm no longer to reproduce this. I don't know if this was a pebkac issue in failing to rebuild my initramfs, or if the additional changes to the cryptsetup and systemd packages in Arch had anything to do with it. I would love to figure that out b/c I feel slightly insane now, but I lack the time to do so. Short of anyone else still experiencing this I think it's safe to close this. |
OK, let's close this then. |
Apologies for reviving this. When having a FIDO2 token set up, unlocking still fails to fallback to a password input prompt when the token is missing. Is there any bug report I can add details to? Cheers. |
I don't think there's an issue for this. I have the same thing, but given the TPM fallback appears to work I've avoided raising an issue for it b/c I'm sort of assuming there's a problem with my initramfs right now. Since there's at least 2 of us, it's probably worth raising an issue about it. |
well, ive just tried that out myself on an manjaro system with 248.2 and had the same behaviour of it not falling back to a password promt if no fido key is present. |
This issue is about TPM, not FIDO2 security keys. I'd suggest opening a separate issue for that and using the instructions in https://freedesktop.org/wiki/Software/systemd/Debugging/#diagnosingbootproblems (the "If you can get a shell section) attach a log to the report. |
See #19872 for fido2 instead. |
I recently had a very similar if not identical problem. The boot process didn't ask for the LUKS password but tried to fallback to a recovery shell however they seem to be disabled on Arch Linux. When I managed to boot, I looked into the old logs and found:
On a successful boot I get:
In both cases, my
Both were using systemd version 250.3-4-arch. However the failed boot attempt used systemd without +KMOD. |
Is your feature request related to a problem? Please describe.
I used the new 248 features to set up my disk so that it can be unlocked by my TPM (thank you for this by the way, it's brilliant).
However, there are cases where the disk can't be unlocked by the TPM (a BIOS change happened) or where it can't unlock at all because the tpm module wasn't included in the initrd (this is how I found out).
Describe the solution you'd like
When it can't unlock using the TPM, fall back to prompting for the password.
Describe alternatives you've considered
Right now I generate a second EFI image without
rd.luks.options=tpm2-device=auto
that I can boot in such scenarios. Looking through https://www.freedesktop.org/software/systemd/man/crypttab.html#Key%20Acquisition it doesn't seem I can configure it to also prompt?The systemd version you checked that didn't have the feature you are asking for
248
The text was updated successfully, but these errors were encountered: