In Fedora 35, I am able to use the tpm2 device to automatically unlock a
LUKS volume on boot. Dracut 055 has a bug in the tpm2-tss module,
requiring either applying
https://github.com/dracutdevs/dracut/commit/8b17105bed69ed90582a13d97d95ee19e6581365
and then including the tpm2-tss module in dracut.conf, or including the
library files directly.
# LUKS partition to enroll (adjust to your system)
device=/dev/nvme0n1p3
# Add a TPM2 token bound to PCRs 7 (Secure Boot state) and 8 (kernel cmdline)
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+8 $device
# Append tpm2-device=auto to the options of every luks-* entry in crypttab
# (note: "-i -e", not "-ie", which GNU sed reads as an in-place backup suffix "e")
sed -i -e '/^luks-/s/$/,tpm2-device=auto/' /etc/crypttab
# Either this (ship the tss2 and fido2 libraries directly):
echo 'install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "' > /etc/dracut.conf.d/tss2.conf
# Or apply the commit mentioned above and enable the module:
echo 'add_dracutmodules+=" tpm2-tss "' > /etc/dracut.conf.d/tss2.conf
# Rebuild the initramfs for the running kernel
dracut -f
However, this doesn't work in F36 beta, and there isn't much information
logged to indicate why that is. The F36 beta initramfs generated by
dracut appears to have all of the necessary components, but a passphrase
is required to unlock the root LUKS volume.
On a F35 system, the journal will contain a couple of log entries like:
Mar 12 12:11:32 vagabond systemd-cryptsetup[542]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/888c26a9-936b-4377-97f9-612300cc2a8e.
Mar 12 12:11:32 vagabond systemd-cryptsetup[542]: Automatically discovered security TPM2 token unlocks volume.
However, a F36 system will contain only the first of those two log
entries, and no error.
Does anyone have suggestions for debugging this issue?
_______________________________________________
test mailing list -- test@xxxxxxxxxxxxxxxxxxxxxxx
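The crypttab edit in the post appends ",tpm2-device=auto" blindly, so it duplicates the option on a second run and corrupts entries that have no options column. The helper below, an added example that is not from the original post, edits a crypttab-format file idempotently and handles the missing-options case; the file contents used at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# add_tpm2_option FILE: print FILE (crypttab format) with tpm2-device=auto
# added to the options column of every luks-* entry, idempotently.
# Entries with only "name device keyfile" get a new options column.
# Output goes to stdout so the caller can review before overwriting.
add_tpm2_option() {
    awk '
    # leave comments and blank lines untouched
    /^[[:space:]]*(#|$)/ { print; next }
    $1 ~ /^luks-/ {
        if (NF >= 4) {
            # options column present: add only if not already set
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^tpm2-device=/) found = 1
            if (!found) $4 = $4 ",tpm2-device=auto"
        } else {
            # no options column yet; keyfile defaults to "none"
            if (NF == 2) $3 = "none"
            $4 = "tpm2-device=auto"
        }
    }
    { print }
    ' "$1"
}

# Demonstration on a constructed crypttab (not a real system file)
demo_file=$(mktemp)
printf '%s\n' \
    '# constructed sample' \
    'luks-aaa UUID=1 none discard' \
    'luks-bbb UUID=2 none discard,tpm2-device=auto' \
    'luks-ccc UUID=3 none' > "$demo_file"
add_tpm2_option "$demo_file"
rm -f "$demo_file"
```

To apply it for real, redirect the output to a temporary file, inspect it, and then move it over /etc/crypttab before running dracut -f.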