TPM 2.0 support - when will it happen ?

[jdall]

TPM 2.0 has been here since 2014 and it's getting harder every day to find hardware that includes TPM 1.2

When will support for TPM 2.0 be included in Flatcar ?

Thanks

[jepio]

Thanks for opening the issue @jdall. Could you share what part of the TPM support you rely on?

[pothos]

Systemd has tooling for TPM 2.0 things, but we don't ship any other userspace tooling on the OS (you would need to use a container for that at the moment)

[jdall]

@jepio I do not have much knowledge about the nitty gritty details of the TPM 2.0 standard, but I would really like support for whatever parts are necessary for secureboot and full disk encryption (using LUKS and Clevis)

[jepio]

Thanks for providing the specifics, these are aligned with what we would like to accomplish.

[krishjainx]

@jepio Hey there! Is it possible for me to be assigned to this issue? I'd be happy to help out.

[krishjainx]

@pothos Once I iron things out on my end, we could ship the userspace tooling on the OS as a sysext? Could this work?

[krishjainx]

Some notes that will help setup a testing environment for this issue

Emulate TPM2.0:

sudo swtpm socket --tpmstate dir=/tmp/emulated_tpm --ctrl type=unixio,path=/tmp/emulated_tpm/swtpm-sock --log level=20 --tpm2

Add

       -chardev socket,id=chrtpm,path=/tmp/emulated_tpm/swtpm-sock \
        -tpmdev emulator,id=tpm0,chardev=chrtpm \
        -device tpm-tis,tpmdev=tpm0 -smp 2 -device intel-hda \

to QEMU command line in scripts/flatcar_production_qemu.sh

[pothos]

Tested the following: One can create a LUKS partition (through Ignition or after boot), and optionally enroll a slot with systemd-cryptenroll - I just used a simple passphrase, then write the LUKS UUID and crypttab options (in my case none because I didn't use a TPM) to the grub.cfg file.

# Flatcar GRUB settings

set oem_id="qemu"
set linux_append="flatcar.autologin luks.uuid=7ca4e0c5-35af-4d45-a4db-971b6ce71cdf"

This also works for the rootfs.
See https://www.freedesktop.org/software/systemd/man/latest/systemd-cryptsetup-generator.html for the kernel cmdline options (especially luks.options), and https://www.freedesktop.org/software/systemd/man/latest/crypttab.html for the format of the luks.options entry, e.g., pkcs11-uri or tpm2-…. Note that the TPM has autodiscovery, so I guess this should work without special options? Need to try and we need to document this.

[pothos]

The use of luks.uuid= is not needed when the GPT partition type is one of the documented in https://www.freedesktop.org/software/systemd/man/latest/systemd-gpt-auto-generator.html - at least for a non root fs - it seems that the gpt auto generator only runs as "late" generator - or maybe this is the problem:

This generator will only look for the root partition on the same physical disk where the EFI System Partition (ESP) is located. Note that support from the boot loader is required: the EFI variable LoaderDevicePartUUID
       of the 4a67b082-0a4c-41cf-b6c7-440b29bb8c4f vendor UUID is used to determine from which partition, and hence the disk, from which the system was booted. If the boot loader does not set this variable, this generator
       will not be able to detect the root partition. See the Boot Loader Interface[3] for detail

Edit: Looks like it might work once we have this "bli" module: https://wiki.archlinux.org/title/GRUB#LoaderDevicePartUUID
But root= must also not be specified on the cmdline.
… so I guess we could write a custom generator that runs the systemd gpt auto generator with the right environment in a mount namespace
Edit: Thinking about it instead of adding a hack to run the gpt auto generator we could have a custom generator that that looks up the luks UDID based on the by-partlabel/ROOT entry and then runs the systemd-cryptsetup-generator with a kernel cmdline bind-mounted in a mount namespace

[pothos]

The next Alpha will be able to set up a TPM-backed rootfs with clevis or systemd-cryptenroll, and no additional kernel cmdline flags to configure nor having to hardcode a luks uuid.

Latest PR that needs to land is flatcar/bootengine#93 for systemd-cryptenroll

[pothos]

Docs PR: flatcar/flatcar-website#317

[pothos]

Both the systemd tooling as well as the tpm2_* CLI tools are in Alpha and with the above docs PR we documented how one can use TPMs for now, even if we want to improve some parts.