[Bug 1980018] Re: Cryptsetup-initramfs cant deal with tpm2-device option

W McElderry 1980018@bugs.launchpad.net
Thu Sep 8 19:57:47 UTC 2022


@vorlon

Thanks for that!

I've heard of the issue you raise and a couple of solutions:
 - unified kernel image that is booted directly from the BIOS.
 - sign the initrd and kernel with keys and instruct grub to respect those keys

I'm more interested in the unified kernel image approach as I like the
minimal approach and am keen on using the secure boot functionality with
my own keys.

Admittedly it's more of a pain when you update the kernel, but I've
heard there are hooks that can be used to recreate the image after the
initrd or kernel is updated. I've prototyped all of the above on an Arch
system, but I haven't written all the hook scripts.


In conclusion: I'd encourage you not to de-prioritise this, as the other
issues are not insurmountable, and this needs to be resolved to get the
system running with encrypted root (at rest).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1980018

Title:
  Cryptsetup-initramfs cant deal with tpm2-device option

Status in cryptsetup package in Ubuntu:
  Confirmed

Bug description:
  In order to boot an encrypted system and auto-unlock with TPM2, the
  tpm2-device= option must be specified in /etc/crypttab. This works
  for non-root filesystems for some reason, but when applied to root
  filesystems it doesn't. Tested working on both Arch and Fedora, so the
  method is good; something is off in the background.


  root@test:~# update-initramfs -u
  update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
  cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'

  Manually adding it to /lib/cryptsetup/functions produces this:

  root@test:~# update-initramfs -u
  update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
  /usr/share/initramfs-tools/hooks/cryptroot: 1: eval: CRYPTTAB_OPTION_tpm2-device=auto: not found

  
  That file belongs to cryptsetup-initramfs.
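The "eval: CRYPTTAB_OPTION_tpm2-device=auto: not found" line comes from the hook building a shell variable name straight from the crypttab option name: a hyphen is not a valid character in a variable name, so the shell treats the whole string as a command. The following is an added illustration, not cryptsetup-initramfs's own code; the function names and the sample options field "luks,discard,tpm2-device=auto" are constructed for it. It shows the failing construction next to one that sanitises the name first.

```shell
# Added example (not cryptsetup-initramfs code): turning a crypttab
# options field into CRYPTTAB_OPTION_<name> shell variables.

# Naive version, matching the error in the bug report: the option name is
# used verbatim. For 'tpm2-device=auto' the eval'd text is
#   CRYPTTAB_OPTION_tpm2-device="auto"
# which is not an assignment (hyphen is illegal in a variable name), so
# the shell looks for a command of that name and fails with "not found".
crypttab_export_naive() {
    opt=$1
    case "$opt" in
        *=*) name=${opt%%=*}; value=${opt#*=} ;;
        *)   name=$opt;       value=yes ;;
    esac
    eval "CRYPTTAB_OPTION_${name}=\"\$value\"" 2>/dev/null
}

# Hardened version: map every character outside [A-Za-z0-9_] to '_'
# before building the variable name, so 'tpm2-device' becomes
# CRYPTTAB_OPTION_tpm2_device. The value is passed through "$value"
# rather than spliced into the eval'd string, so it is never re-parsed.
crypttab_export() {
    opt=$1
    case "$opt" in
        *=*) name=${opt%%=*}; value=${opt#*=} ;;
        *)   name=$opt;       value=yes ;;
    esac
    name=$(printf '%s' "$name" | tr -c 'A-Za-z0-9_\n' '_')
    eval "CRYPTTAB_OPTION_${name}=\"\$value\""
}

# Parse a whole comma-separated crypttab options field (4th column).
# Flag options without a value (e.g. 'luks') are exported as 'yes'.
crypttab_parse_options() {
    IFS=,
    for opt in $1; do
        crypttab_export "$opt"
    done
    unset IFS
}

# Demo on a constructed options field (not taken from the bug report).
crypttab_parse_options "luks,discard,tpm2-device=auto"
echo "tpm2-device -> ${CRYPTTAB_OPTION_tpm2_device}"
```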
