[Bug 1980018] Re: Cryptsetup-initramfs can't deal with tpm2-device option
Grumpus
1980018 at bugs.launchpad.net
Sun Oct 29 23:47:41 UTC 2023
Steve Langasek (@vorlon) wrote on 2022-09-08:
"I don't know of anything specifically published about this. But the root
issue is that if you load an initramfs, the initramfs is not measured, so
can be modified to steal control of the encrypted disk"
Is there a source to support this statement? As far as I can tell
Ubuntu does measure the initramfs into the PCRs, which are in turn
utilised to ensure the boot is unmodified.
If it is in fact measured (as the various other boot components also
appear to be, as far as I understand), then can it really be designated
"security theater"?
And if it’s not a "security theater" then this bug should be prioritised
surely? (or at least not deprioritised).
There needs to be something authoritative to support the statements
being made around "security theatre" and requirements for Unified Kernel
Images. As far as I understand, the individual components of the boot
can be (and already are, in Ubuntu?) measured.
https://bugs.launchpad.net/bugs/1980018
Title:
Cryptsetup-initramfs can't deal with tpm2-device option
Status in cryptsetup package in Ubuntu:
Triaged
Bug description:
In order to boot an encrypted system and autounlock with tpm2, the
tpm2-device= option must be specified in /etc/crypttab. This works
for non-root filesystems for some reason, but when applied to root
filesystems it doesn't. Tested working on both arch and fedora, so the
method is good, something is off in the background.
root@test:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'
Manually adding it to /lib/cryptsetup/functions produces this
root@test:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
/usr/share/initramfs-tools/hooks/cryptroot: 1: eval: CRYPTTAB_OPTION_tpm2-device=auto: not found
That file belongs to cryptsetup-initramfs
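The second error quoted in the report comes from the fact that POSIX sh variable names may contain only letters, digits and underscores, so an assignment built from the raw option name `tpm2-device` is parsed by `eval` as a command rather than an assignment. The following is an added example, not cryptsetup-initramfs' own code, of parsing a crypttab options column into `CRYPTTAB_OPTION_*` variables in a way that tolerates hyphenated names; the function names and the `yes` default for bare flags are assumptions made here.

```shell
#!/bin/sh
# Added example (not cryptsetup-initramfs' own code): parse the options
# column of a crypttab entry into CRYPTTAB_OPTION_* shell variables.
# A name such as "tpm2-device" cannot be assigned verbatim in sh, so any
# character outside [A-Za-z0-9_] is mapped to "_" before the assignment
# is built (tpm2-device -> CRYPTTAB_OPTION_tpm2_device).

# crypttab_option_var NAME -> prints the variable name used for NAME
crypttab_option_var() {
    printf 'CRYPTTAB_OPTION_%s\n' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_')"
}

# crypttab_parse_options OPTIONS: sets one variable per comma-separated
# "name" or "name=value" entry; bare flags get the value "yes" (assumed).
crypttab_parse_options() {
    _opts="$1"
    while [ -n "$_opts" ]; do
        case "$_opts" in
            *,*) _opt="${_opts%%,*}"; _opts="${_opts#*,}" ;;
            *)   _opt="$_opts"; _opts="" ;;
        esac
        [ -n "$_opt" ] || continue
        case "$_opt" in
            *=*) _name="${_opt%%=*}"; _value="${_opt#*=}" ;;
            *)   _name="$_opt"; _value="yes" ;;
        esac
        _var="$(crypttab_option_var "$_name")"
        # Single-quote the value (escaping embedded quotes) so that eval
        # performs only the assignment and never executes option text.
        _quoted="$(printf '%s' "$_value" | sed "s/'/'\\\\''/g")"
        eval "$_var='$_quoted'"
    done
}

# crypttab_option_value NAME -> prints the parsed value (empty if unset)
crypttab_option_value() {
    _var="$(crypttab_option_var "$1")"
    eval "printf '%s\n' \"\$$_var\""
}

# Constructed sample options column, mirroring the report's use case.
crypttab_parse_options "luks,discard,tpm2-device=auto"
printf 'tpm2-device=%s\n' "$(crypttab_option_value tpm2-device)"
```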