Re: systemd TPM2 support seems to be broken in F36 beta

On 3/29/22 11:41, Gordon Messmer wrote:
> In Fedora 35, I am able to use the tpm2 device to automatically unlock a LUKS volume on boot.  Dracut 055 has a bug in the tpm2-tss module, requiring either applying https://github.com/dracutdevs/dracut/commit/8b17105bed69ed90582a13d97d95ee19e6581365 and then including the tpm2-tss module in dracut.conf, or including the library files directly.


First problem: systemd added cryptsetup modules, so in addition to that commit, you'd need both of these:

https://github.com/dracutdevs/dracut/commit/c656b612b101e4834e01f9841162e2629a7272f7
https://github.com/dracutdevs/dracut/commit/4753738b62d958955f50fb077ea21c56a8d23dc3

(I see dracut 056 in rawhide... I'm *real* sad that it didn't make it into F36, for this reason)

Second problem: when I was testing earlier, the cryptsetup modules appear to have been incorrectly packaged in the "systemd-devel" package.  That problem was fixed in 250.3-7.


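device=/dev/nvme0n1p3
# Enroll a TPM2-bound key in the LUKS header, sealed to PCRs 7 and 8
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+8 "$device"
# Append the tpm2-device option to every luks-* entry in crypttab
sed -i -e '/^luks-/s/$/,tpm2-device=auto/' /etc/crypttab
# Bundle the TPM2 libraries into the initramfs, then rebuild it
echo 'install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* /usr/lib64/cryptsetup/libcryptsetup-token-systemd-tpm2.so "' > /etc/dracut.conf.d/tss2.conf
dracut -f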


Since dracut 055 requires several patches, the easiest way to restore working tpm2 support seems to be just bundling the libraries manually, as above.
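
An added example, not part of the original message: two shell helpers for the workaround above. `add_tpm2_option` sets the crypttab option without duplicating it on a second run or corrupting entries that have no options field, and `missing_from_initramfs` reports which of the bundled libraries are absent from a file listing such as `lsinitrd` output. Both helper names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample data is constructed.

# add_tpm2_option: read crypttab text on stdin and write it back with
# tpm2-device=auto set on every luks-* entry. Entries that already carry a
# tpm2-device= option are left untouched, so a second run changes nothing.
add_tpm2_option() {
    awk '
        /^luks-/ {
            # The key-file field must exist before an options field can follow it.
            if (NF < 3) { $3 = "none" }
            if (NF < 4) {
                $4 = "tpm2-device=auto"
            } else if ($4 !~ /(^|,)tpm2-device=/) {
                $4 = $4 ",tpm2-device=auto"
            }
        }
        { print }'
}

# missing_from_initramfs: read an initramfs file listing on stdin (for example
# the output of lsinitrd) and print each bundled library that is not in it.
missing_from_initramfs() {
    listing=$(cat)
    for lib in libtss2 libfido2.so libcryptsetup-token-systemd-tpm2.so; do
        printf '%s\n' "$listing" | grep -qF "$lib" || printf '%s\n' "$lib"
    done
}

# Constructed sample crypttab: with options, without options, already
# converted, and a non-LUKS entry that must pass through unchanged.
sample_crypttab='luks-1111 UUID=1111 none discard
luks-2222 UUID=2222
luks-3333 UUID=3333 none discard,tpm2-device=auto
swap /dev/sdb2 /dev/urandom swap'

# Constructed sample listing that lacks the cryptsetup token plugin.
sample_listing='usr/lib64/libtss2-esys.so.0
usr/lib64/libfido2.so.1
usr/lib/systemd/systemd-cryptsetup'

printf '%s\n' "$sample_crypttab" | add_tpm2_option
printf '%s\n' "$sample_listing" | missing_from_initramfs
```

On a real system the inputs would be `/etc/crypttab` and the output of `lsinitrd` after `dracut -f` has run.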
