dracut: Install libcryptsetup-token-systemd-tpm2 plugin#93

Merged
pothos merged 1 commit into flatcar-master from kai/systemd-cryptsetup on Mar 28, 2024

Conversation

@pothos pothos commented Mar 28, 2024

For unlocking TPM2-backed LUKS volumes that were set up with systemd-cryptenroll we need the plugin library in the initrd.

How to use/Testing done

This now works with:

```yaml
variant: flatcar
version: 1.1.0
storage:
  luks:
  - name: rootencrypted
    wipe_volume: true
    device: "/dev/disk/by-partlabel/ROOT"
  filesystems:
    - device: /dev/mapper/rootencrypted
      format: ext4
      label: ROOT
systemd:
  units:
    - name: cryptenroll-helper.service
      enabled: true
      contents: |
        [Unit]
        ConditionFirstBoot=true
        OnFailure=emergency.target
        OnFailureJobMode=isolate
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=systemd-cryptenroll --tpm2-device=auto --unlock-key-file=/etc/luks/rootencrypted --wipe-slot=0 /dev/disk/by-partlabel/ROOT
        ExecStart=rm /etc/luks/rootencrypted
        [Install]
        WantedBy=multi-user.target
```

By default PCR 7 is used; this can be disabled with --tpm2-pcrs="". The effect of PCR 7 binding is that unlocking would fail when switching from BIOS to UEFI or doing similar firmware changes.
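As an added example (not part of this PR or of flatcar's own code), a Python check a defender can run after first boot to confirm the enrollment the helper unit above is meant to leave behind: a systemd-tpm2 token bound to the expected PCRs, key-file slot 0 wiped, and no keyslot left outside the TPM2 token. It assumes cryptsetup >= 2.4 for `--dump-json-metadata`; the sample header JSON is constructed, and the device path defaults to the PR's `/dev/disk/by-partlabel/ROOT`.

```python
"""Audit a LUKS2 header for the TPM2 enrollment done by cryptenroll-helper.service."""
import json
import subprocess

# Constructed sample of `cryptsetup luksDump --dump-json-metadata <dev>` output,
# trimmed to the fields this audit reads (a real header carries many more).
SAMPLE_METADATA = {
    "keyslots": {"1": {"type": "luks2", "key_size": 64}},
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"],
                     "tpm2-pcrs": [7], "tpm2-pcr-bank": "sha256",
                     "tpm2-pin": False}},
}


def audit_tpm2_enrollment(meta, expected_pcrs=frozenset({7})):
    """Return a list of findings; empty means the header matches what the
    helper unit intends: a systemd-tpm2 token bound to the expected PCRs,
    key-file slot 0 wiped, and no keyslot left outside the TPM2 token."""
    findings = []
    keyslots = meta.get("keyslots", {})
    tokens = [t for t in meta.get("tokens", {}).values()
              if t.get("type") == "systemd-tpm2"]
    if not tokens:
        return ["no systemd-tpm2 token: volume cannot be unlocked via TPM2"]
    if "0" in keyslots:
        findings.append("keyslot 0 still present: --wipe-slot=0 did not take effect")
    bound = set()
    for tok in tokens:
        pcrs = set(tok.get("tpm2-pcrs", []))
        if not pcrs:
            findings.append('token bound to no PCRs (--tpm2-pcrs=""): '
                            "any firmware state unlocks the volume")
        elif not expected_pcrs <= pcrs:
            findings.append(f"token PCRs {sorted(pcrs)} lack {sorted(expected_pcrs)}")
        bound.update(tok.get("keyslots", []))
    orphaned = sorted(set(keyslots) - bound)
    if orphaned:
        findings.append(f"keyslots {orphaned} are not tied to a TPM2 token: "
                        "another unlock path exists")
    return findings


def audit_device(device="/dev/disk/by-partlabel/ROOT"):
    """Run the audit on a real device; needs root and cryptsetup >= 2.4."""
    proc = subprocess.run(["cryptsetup", "luksDump", "--dump-json-metadata", device],
                          check=True, capture_output=True, text=True)
    return audit_tpm2_enrollment(json.loads(proc.stdout))
```

A leftover keyslot is reported rather than treated as an error, since a deliberately kept recovery passphrase slot is a valid choice; the point is that it should be a known one.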

For unlocking TPM2-backed LUKS volumes that were set up with
systemd-cryptenroll we need the plugin library in the initrd.
@krnowak krnowak left a comment

All this encryption stuff will need documentation.

@pothos pothos merged commit 6c2fba4 into flatcar-master Mar 28, 2024
@pothos pothos deleted the kai/systemd-cryptsetup branch March 28, 2024 07:53
pothos added a commit to flatcar/scripts that referenced this pull request Mar 28, 2024
This pulls in flatcar/bootengine#93
to support systemd-cryptenroll for the rootfs with TPMs.
@ader1990 (Contributor):

> All this encryption stuff will need documentation.

I made a script that can be useful for testing the feature on a clean Ubuntu 22.04 env: flatcar/Flatcar#593 (comment)
