[Bug 1980018] Re: Cryptsetup-initramfs cant deal with tpm2-device option
Grumpus
1980018 at bugs.launchpad.net
Mon Oct 30 01:47:49 UTC 2023
"What gives you that impression? What PCR do you see being extended by GRUB
with a hash of the initramfs when loaded?"
I found if I update initramfs on Ubuntu 22.04 then PCR9 changes.
I only tested this as the below led me to believe this was an intended
behaviour:
https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/
https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers
https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html
https://github.com/rhboot/shim/blob/main/README.tpm
Hence when I read your original comment it left me wondering whether I'm
misunderstanding something.
--
https://bugs.launchpad.net/bugs/1980018
Title:
Cryptsetup-initramfs cant deal with tpm2-device option
Status in cryptsetup package in Ubuntu:
Triaged
Bug description:
In order to boot an encrypted system and autounlock with tpm2, the
tpm2-device= option must be specified in /etc/crypttab. This works
for non-root filesystems for some reason, but when applied to root
filesystems it doesn't. Tested working on both Arch and Fedora, so the
method is good, something is off in the background.
root@test:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'
Manually adding it to /lib/cryptsetup/functions produces this:
root@test:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
/usr/share/initramfs-tools/hooks/cryptroot: 1: eval: CRYPTTAB_OPTION_tpm2-device=auto: not found
That file belongs to cryptsetup-initramfs
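
The `eval: CRYPTTAB_OPTION_tpm2-device=auto: not found` message above is what a POSIX shell prints when a word with a hyphen before the `=` is evaluated: it is not a valid assignment, so the shell tries to run it as a command. The sketch below is an added example, not code from cryptsetup-initramfs; the function names and the `yes` default for valueless options are assumptions.

```shell
# Added illustration, not code from cryptsetup-initramfs; function names are hypothetical.

# Naive form: reproduces the failure in the report. "tpm2-device" is not a
# valid identifier, so the word is not an assignment and is run as a command.
naive_set() {
    eval "CRYPTTAB_OPTION_$1=$2"
}

# Map an option name to an identifier suffix; reject anything outside [A-Za-z0-9_-].
opt_varname() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s' "$1" | tr '-' '_'
}

# Hardened form: the name is validated, and the value is assigned by reference
# so eval never re-parses it as shell syntax.
set_crypttab_option() {
    _var=$(opt_varname "$1") || return 1
    _val=$2
    eval "CRYPTTAB_OPTION_${_var}=\$_val"
}

# Split a comma-separated options field into name[=value] pairs.
# Assumption: options without a value are stored as "yes".
parse_crypttab_options() {
    _rest=$1
    while [ -n "$_rest" ]; do
        _item=${_rest%%,*}
        case "$_rest" in
            *,*) _rest=${_rest#*,} ;;
            *)   _rest= ;;
        esac
        case "$_item" in
            *=*) _name=${_item%%=*}; _value=${_item#*=} ;;
            *)   _name=$_item; _value=yes ;;
        esac
        set_crypttab_option "$_name" "$_value" ||
            echo "ignoring invalid option name '$_name'" >&2
    done
}

# Constructed sample options field using the option from the report.
parse_crypttab_options 'luks,discard,tpm2-device=auto'
echo "CRYPTTAB_OPTION_tpm2_device=$CRYPTTAB_OPTION_tpm2_device"
```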