[Bug 1980018] Re: Cryptsetup-initramfs cant deal with tpm2-device option
W McElderry
1980018 at bugs.launchpad.net
Wed Sep 14 16:02:22 UTC 2022
Hi All,
I've made a very rough and ready script that creates a Unified Kernel
Image (thanks again to the Arch Wiki authors!) that mitigates (to some
degree) the issue raised in the last post (and earlier by @vorlon).
https://github.com/wmcelderry/unified_kernel_image
I've tested it on my laptop and it works for me to capture the current
kernel, initrd, cmdline etc. into one file that is then measured. I've
done very brief testing that a new key is added and only automatically
unlocked when booting that UKI. Seems to work, but I'll not be
surprised if there are some important features that need to be added
still.
It would be great if someone is willing to confirm it works for them,
then I'll look at how to get these two components put into Ubuntu (I
don't expect that'll be quick/easy!)
I'd not be surprised to find that there are more security issues that
need to be addressed, but short of going full on 'secure boot' (which I
may still do in time) I doubt anything will be perfect. In short, it's
another small step in the right direction.
Thanks!
Will.
https://bugs.launchpad.net/bugs/1980018
Title:
Cryptsetup-initramfs cant deal with tpm2-device option
Status in cryptsetup package in Ubuntu:
Confirmed
Bug description:
In order to boot an encrypted system and autounlock with tpm2, the
tpm2-device= option must be specified in /etc/crypttab. This works
for non-root filesystems for some reason, but when applied to root
filesystems it doesn't. Tested working on both Arch and Fedora, so the
method is good, something is off in the background.
root@test:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'
Manually adding it to /lib/cryptsetup/functions produces this:
root@test:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
/usr/share/initramfs-tools/hooks/cryptroot: 1: eval: CRYPTTAB_OPTION_tpm2-device=auto: not found
That file belongs to cryptsetup-initramfs
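The second error above shows the underlying mechanism: the hook turns each crypttab option into a shell variable named CRYPTTAB_OPTION_<name> by handing an assignment string to eval, and a hyphen is not a legal character in a POSIX variable name, so "CRYPTTAB_OPTION_tpm2-device=auto" is parsed as a command name instead of an assignment. The following POSIX sh script is an added illustration written for this page, not code from cryptsetup-initramfs; the function names parse_options_naive and parse_options_sanitized are hypothetical, and it only models the eval pattern, not the real hook's other logic. It reproduces the "not found" failure on the option string from the bug report and shows a hardened variant that maps '-' to '_' and rejects any name that is still not a plain identifier before it reaches eval.

```shell
#!/bin/sh
# Added illustration (not cryptsetup-initramfs code): a simplified model of a crypttab
# hook that exports each "key=value" option as CRYPTTAB_OPTION_<key> via eval.

# Naive variant: builds the assignment text from the raw option name. A hyphen is not
# allowed in a POSIX variable name, so for "tpm2-device=auto" the shell looks for a
# command called "CRYPTTAB_OPTION_tpm2-device=auto" and eval reports "not found".
parse_options_naive() {
    _ifs=$IFS; IFS=','; set -f; set -- $1; set +f; IFS=$_ifs
    for _opt in "$@"; do
        case "$_opt" in
            *=*) _name=${_opt%%=*}; _value=${_opt#*=} ;;
            *)   _name=$_opt;       _value=yes ;;
        esac
        eval "CRYPTTAB_OPTION_${_name}=\"\$_value\"" || return 1
    done
}

# Hardened variant: map '-' to '_' so the name is a legal identifier, then refuse any
# name that is empty, starts with a digit or still contains characters outside
# [A-Za-z0-9_], so the text handed to eval can only ever be a plain assignment.
parse_options_sanitized() {
    _ifs=$IFS; IFS=','; set -f; set -- $1; set +f; IFS=$_ifs
    for _opt in "$@"; do
        case "$_opt" in
            *=*) _name=${_opt%%=*}; _value=${_opt#*=} ;;
            *)   _name=$_opt;       _value=yes ;;
        esac
        _name=$(printf '%s' "$_name" | sed 's/-/_/g')
        case "$_name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "crypttab: rejecting option name in '$_opt'" >&2
                return 1 ;;
        esac
        eval "CRYPTTAB_OPTION_${_name}=\"\$_value\"" || return 1
    done
}

# Constructed sample option strings; the second is the one from the bug report.
if parse_options_naive "luks,discard"; then
    echo "naive: luks=$CRYPTTAB_OPTION_luks discard=$CRYPTTAB_OPTION_discard"
fi
if ! parse_options_naive "luks,tpm2-device=auto"; then
    echo "naive: failed on tpm2-device, as in the bug report"
fi
if parse_options_sanitized "luks,tpm2-device=auto"; then
    echo "sanitized: tpm2_device=$CRYPTTAB_OPTION_tpm2_device"
fi
```

The value side is passed through the variable _value rather than spliced into the eval string, so a value containing quotes or metacharacters cannot change what eval executes; the name side is the only part that is interpolated, which is why it is validated first.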