[Bug 1980018] Re: Cryptsetup-initramfs cant deal with tpm2-device option

W McElderry 1980018 at bugs.launchpad.net
Thu Sep 8 23:33:12 UTC 2022


@vorlon  I understand the position you are taking.  What you have said
is true: without measuring the initrd, it does degrade security compared
to passphrase-based encryption.


While I'm sure there are those who are disappointed, perhaps disagree even for their use, I'd suggest we avoid debating the relative merit or belief in how useful it may still be to have the functionality while the initrd vulnerability persists, and spend the energy on removing the vulnerability (as it doesn't seem like it's too much work anyway)!

To that end I'd propose we create a new ticket that discusses the issue
of creating a Unified Kernel Image (unless someone knows of an
appropriate one already?), and leave this thread to focus on the scripts
that are used to unlock the LUKS container using the TPM.


Given that I have created quite small patches for files that implement a solution to unlocking the LUKS container using the TPM in the initramfs and that is what this thread is about, perhaps someone can either comment on the patches, or tell me where & how to submit the patches for review?


Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1980018

Title:
  Cryptsetup-initramfs cant deal with tpm2-device option

Status in cryptsetup package in Ubuntu:
  Confirmed

Bug description:
  In order to boot an encrypted system and autounlock with tpm2, the
  tpm2-device= option must be specified in  /etc/crypttab. This works
  for non-root filesystems for some reason, but when applied to root
  filesystems it doesn't. Tested working on both arch and fedora, so the
  method is good, something is off in the background.


  root at test:~# update-initramfs -u
  update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
  cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'

  
  Manually adding it to  /lib/cryptsetup/functions produces this

  root at test:~# update-initramfs -u
  update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
  /usr/share/initramfs-tools/hooks/cryptroot: 1: eval: CRYPTTAB_OPTION_tpm2-device=auto: not found

  
  That file belongs to cryptsetup-initramfs
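The second error in the description ("eval: CRYPTTAB_OPTION_tpm2-device=auto: not found") is what a shell reports when a hook builds a variable name from the crypttab option name verbatim: a hyphen is not allowed in a shell identifier, so the `eval` parses `CRYPTTAB_OPTION_tpm2-device=auto` as a command to run rather than as an assignment. The following is an added illustration, not code from cryptsetup-initramfs or from the patches mentioned in the thread. It parses a constructed crypttab line and exports one `CRYPTTAB_OPTION_*` variable per option, mapping any character that is not valid in an identifier (the hyphen in `tpm2-device` included) to an underscore before the `eval`; the function names and the sample line are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not cryptsetup-initramfs' own hook code): turn the
# options field of a crypttab entry into CRYPTTAB_OPTION_* variables
# without tripping over option names that are not valid identifiers.

# Constructed sample crypttab line for the demonstration (not from a real system).
SAMPLE_CRYPTTAB_LINE='sda3_crypt UUID=00000000-0000-0000-0000-000000000000 none luks,discard,tpm2-device=auto'

# Map one option name to a valid shell variable name:
# every character outside [A-Za-z0-9_] becomes '_', so
# "tpm2-device" -> "CRYPTTAB_OPTION_tpm2_device".
crypttab_option_varname() {
    printf 'CRYPTTAB_OPTION_%s\n' "$(printf '%s' "$1" | sed 's/[^A-Za-z0-9_]/_/g')"
}

# Export CRYPTTAB_OPTION_<name>=<value> for every comma-separated option.
# Options without '=' are flags and get the value "yes".
crypttab_parse_options() {
    _opts=$1
    _old_ifs=$IFS
    IFS=,
    for _opt in $_opts; do
        case $_opt in
            *=*) _name=${_opt%%=*}; _value=${_opt#*=} ;;
            *)   _name=$_opt;       _value=yes ;;
        esac
        _var=$(crypttab_option_varname "$_name")
        # The value is passed through a variable reference, never pasted into
        # the eval string, so its content cannot be executed as shell code.
        eval "$_var=\"\$_value\""
        export "$_var"
    done
    IFS=$_old_ifs
}

# Split one crypttab line into its four fields and parse the options field.
crypttab_load_line() {
    # shellcheck disable=SC2086  (word splitting on whitespace is intended)
    set -- $1
    CRYPTTAB_NAME=$1
    CRYPTTAB_SOURCE=$2
    CRYPTTAB_KEY=$3
    crypttab_parse_options "${4:-}"
}

# Stand-alone demonstration on the constructed line.
crypttab_load_line "$SAMPLE_CRYPTTAB_LINE"
printf '%s -> %s=%s\n' "$CRYPTTAB_NAME" \
    "$(crypttab_option_varname tpm2-device)" "${CRYPTTAB_OPTION_tpm2_device:-<unset>}"
```

Whatever naming scheme a hook chooses, the point to check is that the option name is normalised before it is used as an identifier; with the mapping above, a later script can test `${CRYPTTAB_OPTION_tpm2_device:-}` instead of failing at the `eval`.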

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1980018/+subscriptions