dracut: Install libcryptsetup-token-systemd-tpm2 plugin #93

Merged
merged 1 commit into from
Mar 28, 2024

Conversation

@pothos pothos (Member) commented Mar 28, 2024

For unlocking TPM2-backed LUKS volumes that were set up with systemd-cryptenroll we need the plugin library in the initrd.

How to use/Testing done

This now works with:

variant: flatcar
version: 1.1.0
storage:
  luks:
  - name: rootencrypted
    wipe_volume: true
    device: "/dev/disk/by-partlabel/ROOT"
  filesystems:
    - device: /dev/mapper/rootencrypted
      format: ext4
      label: ROOT
systemd:
  units:
    - name: cryptenroll-helper.service
      enabled: true
      contents: |
        [Unit]
        ConditionFirstBoot=true
        OnFailure=emergency.target
        OnFailureJobMode=isolate
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=systemd-cryptenroll --tpm2-device=auto --unlock-key-file=/etc/luks/rootencrypted --wipe-slot=0 /dev/disk/by-partlabel/ROOT
        ExecStart=rm /etc/luks/rootencrypted
        [Install]
        WantedBy=multi-user.target

By default PCR 7 is used; this can be disabled with --tpm2-pcrs="". The effect of PCR 7 binding is that unlocking would fail when switching from BIOS to UEFI or making similar firmware changes.
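The configuration above leaves the volume with the key-file slot wiped and a single TPM2 token bound to PCR 7, so it is worth checking what a LUKS2 header actually looks like after enrollment before relying on it. The script below is an added example, not part of this PR or of the bootengine project: it audits the JSON printed by `cryptsetup luksDump --dump-json-metadata <device>` (assumed to be captured by the operator and passed in), reports which keyslots are TPM2-bound, which PCRs the token is sealed to, whether a PIN is required, and whether any non-TPM fallback slot (e.g. one added with `systemd-cryptenroll --recovery-key`) remains. The two embedded headers are constructed and trimmed samples with placeholder blobs, not real metadata.

```python
"""Audit a LUKS2 header for systemd-cryptenroll TPM2 enrollment (added example).

Not part of the PR or the bootengine project. Input is the JSON printed by
`cryptsetup luksDump --dump-json-metadata <device>`; the samples below are
constructed and trimmed, with placeholder blobs, not real headers.
"""
import copy
import json
from typing import Any, Dict, List

# Constructed sample mirroring what cryptenroll-helper.service leaves behind:
# slot 0 (the key file) wiped, one systemd-tpm2 token bound to PCR 7, no PIN.
# Blob and hash values are placeholders.
_TPM2_ONLY: Dict[str, Any] = {
    "keyslots": {
        "1": {"type": "luks2", "key_size": 64,
              "area": {"type": "raw", "encryption": "aes-xts-plain64", "key_size": 64},
              "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000}},
    },
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"],
              "tpm2-blob": "PLACEHOLDER-BLOB=", "tpm2-pcrs": [7],
              "tpm2-pcr-bank": "sha256", "tpm2-primary-alg": "ecc",
              "tpm2-policy-hash": "PLACEHOLDER-HASH", "tpm2-pin": False},
    },
}
SAMPLE_TPM2_ONLY = json.dumps(_TPM2_ONLY)

# Constructed sample of the same header after `systemd-cryptenroll --recovery-key`:
# an extra keyslot referenced only by a systemd-recovery token, usable if PCR 7 changes.
_WITH_RECOVERY = copy.deepcopy(_TPM2_ONLY)
_WITH_RECOVERY["keyslots"]["2"] = {"type": "luks2", "key_size": 64,
                                   "kdf": {"type": "argon2id", "time": 4, "memory": 1048576}}
_WITH_RECOVERY["tokens"]["1"] = {"type": "systemd-recovery", "keyslots": ["2"]}
SAMPLE_WITH_RECOVERY = json.dumps(_WITH_RECOVERY)


def audit_tpm2_enrollment(metadata_json: str) -> Dict[str, Any]:
    """Return TPM2-bound keyslots, fallback keyslots, sealed PCRs and findings."""
    meta = json.loads(metadata_json)
    keyslots = meta.get("keyslots", {})
    tokens = meta.get("tokens", {})
    tpm2_tokens = [t for t in tokens.values() if t.get("type") == "systemd-tpm2"]
    tpm2_slots = sorted({s for t in tpm2_tokens for s in t.get("keyslots", [])})
    # Any keyslot not referenced by a TPM2 token is a fallback (passphrase/recovery key).
    fallback_slots = sorted(set(keyslots) - set(tpm2_slots))
    pcrs: List[int] = sorted({p for t in tpm2_tokens for p in t.get("tpm2-pcrs", [])})
    findings: List[str] = []

    if not tpm2_tokens:
        findings.append("no-tpm2-token")
    for tok in tpm2_tokens:
        tok_pcrs = tok.get("tpm2-pcrs", [])
        if not tok_pcrs:
            # Sealed to no PCR: any software on this machine with TPM access can unseal.
            findings.append("no-pcr-binding")
        elif 7 in tok_pcrs:
            # PCR 7 reflects Secure Boot policy; BIOS->UEFI or similar firmware
            # changes alter it and auto-unlock then fails.
            findings.append("pcr7-bound")
        if not tok.get("tpm2-pin", False):
            findings.append("no-pin")
    if tpm2_tokens and not fallback_slots:
        # --wipe-slot=0 removed the key-file slot; without a recovery slot a PCR
        # change or TPM reset makes the volume unrecoverable.
        findings.append("no-fallback-slot")
    return {"tpm2_keyslots": tpm2_slots, "fallback_keyslots": fallback_slots,
            "pcrs": pcrs, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("tpm2-only", SAMPLE_TPM2_ONLY),
                         ("with-recovery", SAMPLE_WITH_RECOVERY)):
        print(name, json.dumps(audit_tpm2_enrollment(sample)))
```

On a real system, replace the constructed samples with the captured `luksDump` JSON; `no-fallback-slot` is the finding to act on before a firmware update, since PCR 7 will change and the TPM2 token alone will no longer unlock the root volume.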

For unlocking TPM2-backed LUKS volumes that were set up with
systemd-cryptenroll we need the plugin library in the initrd.
@krnowak krnowak (Member) left a comment

All this encryption stuff will need documentation.

@pothos pothos merged commit 6c2fba4 into flatcar-master Mar 28, 2024
@pothos pothos deleted the kai/systemd-cryptsetup branch March 28, 2024 07:53
pothos added a commit to flatcar/scripts that referenced this pull request Mar 28, 2024
This pulls in flatcar/bootengine#93
to support systemd-cryptenroll for the rootfs with TPMs.
@ader1990 (Contributor) commented, quoting the comment above:

All this encryption stuff will need documentation.

I made a script that can be useful to test the feature on a clean Ubuntu 22.04 env: flatcar/Flatcar#593 (comment)
