-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LUKS unlocking with TPM2 broken on 255-rc3 #30176
Comments
Please provide logs of the failure. Otherwise this is not actionable to us. |
what logs exactly? the initrd stuff from the journal? |
ideally debug logs fromt he failing systemd-cryptsetup invocation. i.e. boot with |
I've truncated the logs to just before the root switch. |
I'm hitting the same. I can bisect albeit a bit painfully if needed. I still see:
And if I try re-enroll:
|
So you are using the gpt-auto logic for the rootfs? The cryptsetup invocation is done via:
i.e. without Are you sure this ever worked? I don't see how this could ever have worked. We probably should imply |
Yes, this works just fine on 254.6, do you want to see the debug logs for this one too? |
yes |
Oh, I think I understand what's going on. It's this commit which changed behaviour here: It will disable unlocking via token modules if measurement of the root volume key is enabled, because we cannot access the volume key if we use token modules... Previously, since token support was added to the tree it didn't matter whether tpm2/fido2/pkcs11 support was actually configured in our option string, libcryptsetup would behind our backs try to unlock via a token, because we do a wildcard token unlock. With the above we revert to the old behaviour. You are relying on that behaviour though, so with the commit above your system is broken. |
If we detect a TPM, let's also unlock the disk with it, if it has an enrollment for that. Fixes: systemd#30176
If we detect a TPM, let's also unlock the disk with it, if it has an enrollment for that. See: systemd#30176
If we detect a TPM, let's also unlock the disk with it, if it has an enrollment for that. Fixes: systemd#30176
systemd version the issue has been seen with
255-rc3
Used distribution
Gentoo
Linux kernel version used
6.1.63-gentoo-dist
CPU architectures issue was seen on
x86_64
Component
No response
Expected behaviour you didn't see
Booting my Gentoo installation with systemd 255-rc3 should automatically unlock the LUKS
root
andswap
volumes using the TPM slot.Unexpected behaviour you saw
libsystemd-shared-255.so
Steps to reproduce the problem
ukify
would lead to non-bootable systems), commit 856e7acLet me know what other kind of logs you need
Additional program output to the terminal or log subsystem illustrating the issue
No response
The text was updated successfully, but these errors were encountered: