Skip to content

Comments

dracut: Install libcryptsetup-token-systemd-tpm2 plugin#93

Merged
pothos merged 1 commit intoflatcar-masterfrom
kai/systemd-cryptsetup
Mar 28, 2024
Merged

dracut: Install libcryptsetup-token-systemd-tpm2 plugin#93
pothos merged 1 commit intoflatcar-masterfrom
kai/systemd-cryptsetup

Conversation

@pothos
Copy link
Member

@pothos pothos commented Mar 28, 2024
edited
Loading

For unlocking TPM2-backed LUKS volumes that were set up with systemd-cryptenroll we need the plugin library in the initrd.

How to use/Testing done

This now works with:

variant: flatcar
version: 1.1.0
storage:
  luks:
  - name: rootencrypted
    wipe_volume: true
    device: "/dev/disk/by-partlabel/ROOT"
  filesystems:
    - device: /dev/mapper/rootencrypted
      format: ext4
      label: ROOT
systemd:
  units:
    - name: cryptenroll-helper.service
      enabled: true
      contents: |
        [Unit]
        ConditionFirstBoot=true
        OnFailure=emergency.target
        OnFailureJobMode=isolate
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=systemd-cryptenroll --tpm2-device=auto --unlock-key-file=/etc/luks/rootencrypted --wipe-slot=0 /dev/disk/by-partlabel/ROOT
        ExecStart=rm /etc/luks/rootencrypted
        [Install]
        WantedBy=multi-user.target

By default PCR 7 is used, this can be disabled with --tpm2-pcrs="". The effect of PCR 7 binding is that unlocking would fail when switching from BIOS to UEFI or doing similar firmware changes.

@pothos
dracut: Install libcryptsetup-token-systemd-tpm2 plugin
9e50048 
For unlocking TPM2-backed LUKS volumes that were set up with
systemd-cryptenroll we need the plugin library in the initrd.
@pothos pothos requested a review from a team March 28, 2024 07:26
pothos added a commit to flatcar/scripts that referenced this pull request Mar 28, 2024
@pothos
sys-kernel/bootengine: Install libcryptsetup-token-systemd-tpm2 plugin
997980b 
This pulls in flatcar/bootengine#93
to support systemd-cryptenroll for the rootfs with TPMs.
This was referenced Mar 28, 2024
Merged
Closed
Open
krnowak
krnowak approved these changes Mar 28, 2024
View reviewed changes
Copy link
Member

@krnowak krnowak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All this encryption stuff will need documentation.

@pothos pothos merged commit 6c2fba4 into flatcar-master Mar 28, 2024
@pothos pothos deleted the kai/systemd-cryptsetup branch March 28, 2024 07:53
pothos added a commit to flatcar/scripts that referenced this pull request Mar 28, 2024
@pothos
sys-kernel/bootengine: Install libcryptsetup-token-systemd-tpm2 plugin
b88fa17 
This pulls in flatcar/bootengine#93
to support systemd-cryptenroll for the rootfs with TPMs.
pothos added a commit to flatcar/scripts that referenced this pull request Mar 28, 2024
@pothos
sys-kernel/bootengine: Install libcryptsetup-token-systemd-tpm2 plugin
4408682 
This pulls in flatcar/bootengine#93
to support systemd-cryptenroll for the rootfs with TPMs.
@ader1990 ader1990 mentioned this pull request Mar 28, 2024
Open
pothos added a commit to flatcar/scripts that referenced this pull request Mar 28, 2024
@pothos
sys-kernel/bootengine: Install libcryptsetup-token-systemd-tpm2 plugin
5f020f9 
This pulls in flatcar/bootengine#93
to support systemd-cryptenroll for the rootfs with TPMs.
@ader1990
Copy link
Contributor

ader1990 commented Mar 28, 2024

All this encryption stuff will need documentation.

made a script that can be useful to test the feature on a clean Ubuntu 22.04 env: flatcar/Flatcar#593 (comment)

@github-actions github-actions bot mentioned this pull request Apr 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@krnowak krnowak krnowak approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pothos @ader1990 @krnowak