[pkg-cryptsetup-devel] Bug#1031254: cryptsetup: unable to boot rootfs from luks via tpm (cryptsetup unknown option tpm2-device tpm2-pin)
jj
redstoneore8 at gmail.com
Tue Feb 14 02:04:04 GMT 2023
Package: cryptsetup
Version: 2:2.6.1-1
Severity: normal
X-Debbugs-Cc: redstoneore8 at gmail.com
Dear Maintainer,
* What led up to the situation?
On a system with: bookworm, 3 partitions (EFI, /boot, luks-encrypted-rootfs), 1 tpm, I am attempting to use either tpm2 or tpm2-with-pin in systemd-cryptenroll so that on boot, my luks2 encrypted rootfs is able to automatically use the hardware tpm (i.e. auto-unlock with just tpm or with tpm-pin). Then, update /etc/crypttab with tpm2-device=(tpm path) followed by running "update-initramfs -u" to apply the changes I made to crypttab.
* Expected outcome:
No warnings output from "update-initramfs -u". Then on boot, the system automatically utilises tpm2 to auto unlock or requests the tpm-pin (if set tpm-with-pin=yes in cryptenroll).
* Actual outcome:
Both during the output of "update-initramfs -u" AND during boot, I see the warning line: "cryptsetup: WARNING: nvme1n1p3_crypt: ignoring unknown option 'tpm2-device'" (also applies to the "tpm2-pin" option). Unfortunately, on boot, as per the warning, the tpm remains unused and I am asked for the other recovery key/password I have set (totally ignoring the tpm or tpm-with-pin slot within systemd-cryptenroll).
* Why do you suspect this is a bug?
According to: https://github.com/systemd/systemd/releases/tag/v251-rc1 it says "Option tpm2-pin= can be used in /etc/crypttab." However, as stated above, this is not the case (tpm-device also does not work).
Others have experienced something similar: https://askubuntu.com/questions/1370877/unlock-root-disk-with-tpm2-on-impish-indri, https://answers.launchpad.net/ubuntu/+question/702266 with the only half-solution being a third party github patch: https://github.com/wmcelderry/systemd_with_tpm2
* Anything else important?
This ONLY AFFECTS the root filesystem (rootfs). If I have another drive with its own encrypted partition, this works NORMALLY with NO errors. This means that on this system, if I add another drive, there will be no warnings from cryptsetup when running update-initramfs -u or on boot for the second drive, however, the warnings for rootfs remain (the second drive works properly with the tpm or tpm-with-pin, but rootfs does not).
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-6.1.0-3-amd64 root=/dev/mapper/VG--T-LV--T ro rootflags=subvol=@rootfs quiet
-- /etc/crypttab
nvme1n1p3_crypt UUID=58c6ddd0-4608-4ecd-b1bb-3ddf8f120cba none tpm2-device=/dev/tpmrm0,luks,discard
-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/VG--T-LV--T / btrfs defaults,subvol=@rootfs 0 0
# /boot was on /dev/nvme1n1p2 during installation
UUID=8a4f6861-4780-45c2-8d1a-3c823612d577 /boot ext2 defaults 0 2
# /boot/efi was on /dev/nvme0n1p1 during installation
UUID=5468-243A /boot/efi vfat umask=0077 0 1
-- lsmod
Module Size Used by
mei_hdcp 24576 1
pmt_telemetry 16384 0
pmt_class 16384 1 pmt_telemetry
intel_rapl_msr 20480 0
x86_pkg_temp_thermal 20480 0
intel_powerclamp 20480 0
coretemp 20480 0
kvm_intel 380928 0
kvm 1130496 1 kvm_intel
irqbypass 16384 1 kvm
rapl 20480 0
intel_cstate 20480 0
intel_uncore 212992 0
pcspkr 16384 0
wmi_bmof 16384 0
bnep 28672 2
qrtr 49152 4
binfmt_misc 24576 1
nls_ascii 16384 1
nls_cp437 20480 1
vfat 24576 1
fat 90112 1 vfat
snd_sof_pci_intel_tgl 16384 0
snd_sof_intel_hda_common 188416 1 snd_sof_pci_intel_tgl
soundwire_intel 49152 1 snd_sof_intel_hda_common
soundwire_generic_allocation 16384 1 soundwire_intel
soundwire_cadence 40960 1 soundwire_intel
snd_sof_intel_hda 20480 1 snd_sof_intel_hda_common
snd_sof_pci 24576 2 snd_sof_intel_hda_common,snd_sof_pci_intel_tgl
snd_sof_xtensa_dsp 16384 1 snd_sof_intel_hda_common
snd_sof 274432 2 snd_sof_pci,snd_sof_intel_hda_common
snd_sof_utils 20480 1 snd_sof
snd_soc_hdac_hda 24576 1 snd_sof_intel_hda_common
asus_wmi 61440 0
snd_hda_ext_core 40960 2 snd_sof_intel_hda_common,snd_soc_hdac_hda
platform_profile 16384 1 asus_wmi
snd_soc_acpi_intel_match 73728 2 snd_sof_intel_hda_common,snd_sof_pci_intel_tgl
sparse_keymap 16384 1 asus_wmi
ext4 978944 1
iTCO_wdt 16384 0
btusb 65536 0
intel_pmc_bxt 16384 1 iTCO_wdt
snd_soc_acpi 16384 2 snd_soc_acpi_intel_match,snd_sof_intel_hda_common
iwlwifi 360448 0
snd_soc_core 348160 4 soundwire_intel,snd_sof,snd_sof_intel_hda_common,snd_soc_hdac_hda
btrtl 28672 1 btusb
iTCO_vendor_support 16384 1 iTCO_wdt
mbcache 16384 1 ext4
btbcm 24576 1 btusb
mei_me 53248 1
watchdog 45056 1 iTCO_wdt
snd_compress 28672 1 snd_soc_core
btintel 45056 1 btusb
btmtk 16384 1 btusb
jbd2 167936 1 ext4
soundwire_bus 102400 3 soundwire_intel,soundwire_generic_allocation,soundwire_cadence
mei 159744 2 mei_hdcp,mei_me
bluetooth 950272 13 btrtl,btmtk,btintel,btbcm,bnep,btusb
cfg80211 1122304 1 iwlwifi
uvcvideo 131072 0
videobuf2_vmalloc 20480 1 uvcvideo
videobuf2_memops 20480 1 videobuf2_vmalloc
snd_hda_codec_realtek 167936 1
videobuf2_v4l2 36864 1 uvcvideo
videobuf2_common 73728 4 videobuf2_vmalloc,videobuf2_v4l2,uvcvideo,videobuf2_memops
snd_hda_codec_generic 98304 1 snd_hda_codec_realtek
ledtrig_audio 16384 2 snd_hda_codec_generic,asus_wmi
videodev 294912 3 videobuf2_v4l2,uvcvideo,videobuf2_common
jitterentropy_rng 16384 1
snd_hda_codec_hdmi 81920 3
drbg 45056 1
mc 77824 4 videodev,videobuf2_v4l2,uvcvideo,videobuf2_common
ansi_cprng 16384 0
ecdh_generic 16384 1 bluetooth
rfkill 36864 8 asus_wmi,bluetooth,cfg80211
ecc 40960 1 ecdh_generic
crc16 16384 2 bluetooth,ext4
snd_hda_intel 57344 5
snd_intel_dspcfg 36864 3 snd_hda_intel,snd_sof,snd_sof_intel_hda_common
snd_intel_sdw_acpi 20480 2 snd_sof_intel_hda_common,snd_intel_dspcfg
snd_hda_codec 184320 6 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec_realtek,snd_soc_hdac_hda,snd_sof_intel_hda
intel_vsec 20480 0
snd_hda_core 122880 9 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hda_intel,snd_hda_ext_core,snd_hda_codec,snd_hda_codec_realtek,snd_sof_intel_hda_common,snd_soc_hdac_hda,snd_sof_intel_hda
snd_hwdep 16384 1 snd_hda_codec
snd_pcm 159744 11 snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec,soundwire_intel,snd_sof,snd_sof_intel_hda_common,snd_compress,snd_soc_core,snd_sof_utils,snd_hda_core
snd_timer 49152 1 snd_pcm
processor_thermal_device_pci 16384 0
processor_thermal_device 20480 1 processor_thermal_device_pci
processor_thermal_rfim 16384 1 processor_thermal_device
snd 126976 20 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hwdep,snd_hda_intel,snd_hda_codec,snd_hda_codec_realtek,snd_sof,snd_timer,snd_compress,snd_soc_core,snd_pcm
processor_thermal_mbox 16384 2 processor_thermal_rfim,processor_thermal_device
processor_thermal_rapl 20480 1 processor_thermal_device
intel_rapl_common 32768 2 intel_rapl_msr,processor_thermal_rapl
soundcore 16384 1 snd
ac 20480 0
int3400_thermal 20480 0
acpi_thermal_rel 16384 1 int3400_thermal
intel_pmc_core 53248 0
acpi_tad 20480 0
acpi_pad 184320 0
acpi_als 20480 2
industrialio_triggered_buffer 16384 1 acpi_als
kfifo_buf 16384 1 industrialio_triggered_buffer
cdc_mbim 20480 0
sg 40960 0
int3403_thermal 20480 0
industrialio 110592 3 industrialio_triggered_buffer,acpi_als,kfifo_buf
hid_multitouch 32768 0
joydev 28672 0
int340x_thermal_zone 20480 2 int3403_thermal,processor_thermal_device
cdc_wdm 32768 1 cdc_mbim
serio_raw 20480 0
evdev 28672 28
msr 16384 0
parport_pc 40960 0
ppdev 24576 0
lp 20480 0
parport 73728 3 parport_pc,lp,ppdev
fuse 176128 3
efi_pstore 16384 0
configfs 57344 1
efivarfs 24576 1
ip_tables 36864 0
x_tables 61440 1 ip_tables
autofs4 53248 2
btrfs 1773568 1
blake2b_generic 20480 0
xor 24576 1 btrfs
raid6_pq 122880 1 btrfs
zstd_compress 294912 1 btrfs
libcrc32c 16384 1 btrfs
crc32c_generic 16384 0
sd_mod 65536 0
dm_crypt 61440 1
dm_mod 184320 6 dm_crypt
uas 32768 0
usb_storage 81920 1 uas
scsi_mod 282624 4 sd_mod,usb_storage,uas,sg
scsi_common 16384 4 scsi_mod,usb_storage,uas,sg
cdc_ncm 45056 1 cdc_mbim
cdc_ether 24576 1 cdc_ncm
usbnet 57344 3 cdc_mbim,cdc_ncm,cdc_ether
mii 16384 1 usbnet
usbhid 65536 0
hid_generic 16384 0
i915 3330048 4
nouveau 2449408 1
nvme 53248 3
drm_buddy 20480 1 i915
mxm_wmi 16384 1 nouveau
i2c_algo_bit 16384 2 i915,nouveau
crc32_pclmul 16384 0
xhci_pci 24576 0
nvme_core 159744 4 nvme
crc32c_intel 24576 3
drm_display_helper 212992 2 i915,nouveau
xhci_hcd 315392 1 xhci_pci
t10_pi 16384 2 sd_mod,nvme_core
cec 61440 2 drm_display_helper,i915
ghash_clmulni_intel 16384 0
rc_core 69632 1 cec
crc64_rocksoft_generic 16384 1
drm_ttm_helper 16384 1 nouveau
crc64_rocksoft 20480 1 t10_pi
ttm 94208 3 drm_ttm_helper,i915,nouveau
crc_t10dif 20480 1 t10_pi
sha512_ssse3 49152 1
i2c_hid_acpi 16384 0
crct10dif_generic 16384 0
usbcore 344064 12 xhci_hcd,usbnet,usbhid,cdc_mbim,cdc_ncm,usb_storage,cdc_wdm,uvcvideo,btusb,xhci_pci,cdc_ether,uas
drm_kms_helper 229376 3 drm_display_helper,i915,nouveau
i2c_hid 32768 1 i2c_hid_acpi
intel_lpss_pci 28672 0
crct10dif_pclmul 16384 1
i2c_i801 36864 0
sha512_generic 16384 1 sha512_ssse3
intel_lpss 16384 1 intel_lpss_pci
crc64 20480 2 crc64_rocksoft,crc64_rocksoft_generic
aesni_intel 393216 2
drm 663552 9 drm_kms_helper,drm_display_helper,drm_buddy,drm_ttm_helper,i915,ttm,nouveau
psmouse 184320 0
crypto_simd 16384 1 aesni_intel
cryptd 28672 3 crypto_simd,ghash_clmulni_intel
thunderbolt 376832 0
i2c_smbus 20480 1 i2c_i801
hid 155648 4 i2c_hid,usbhid,hid_multitouch,hid_generic
idma64 20480 0
usb_common 16384 3 xhci_hcd,usbcore,uvcvideo
crct10dif_common 16384 3 crct10dif_generic,crc_t10dif,crct10dif_pclmul
fan 20480 0
video 65536 3 asus_wmi,i915,nouveau
battery 28672 1 asus_wmi
wmi 36864 5 video,asus_wmi,wmi_bmof,mxm_wmi,nouveau
button 24576 1 nouveau
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-3-amd64 (SMP w/20 CPU threads; PREEMPT)
Kernel taint flags: TAINT_DIE, TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:2.6.1-1
ii debconf [debconf-2.0] 1.5.82
ii dmsetup 2:1.02.185-2
ii libc6 2.36-8
cryptsetup recommends no packages.
Versions of packages cryptsetup suggests:
ii cryptsetup-initramfs 2:2.6.1-1
ii dosfstools 4.2-1
pn keyutils <none>
ii liblocale-gettext-perl 1.07-5
-- debconf information:
cryptsetup/prerm_active_mappings: true
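The Python script below is an added example, not part of this bug report and not code from the cryptsetup or systemd projects. It parses crypttab entries and predicts the exact warning quoted in the report for every entry whose options start with tpm2-. The assumption it encodes is the one the reported warning itself states: the initramfs-tools cryptroot hook shipped by cryptsetup-initramfs ignores those systemd-only options, and only the entries the initramfs must unlock (the root volume and anything it depends on) are affected, which matches the reporter seeing the warning for the rootfs entry but not for a second drive. The second crypttab entry, its UUID and the name of the initramfs target set are constructed placeholders.

```python
"""Predict which /etc/crypttab options the initramfs-tools cryptroot hook will
reject as unknown.  Added example for this report; not cryptsetup/systemd code."""

from dataclasses import dataclass

# Constructed input: the crypttab line from the report plus a hypothetical
# second volume (placeholder UUID) mirroring the "second drive" observation.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
nvme1n1p3_crypt UUID=58c6ddd0-4608-4ecd-b1bb-3ddf8f120cba none tpm2-device=/dev/tpmrm0,luks,discard
data_crypt UUID=00000000-0000-0000-0000-000000000000 none tpm2-device=auto,tpm2-pin=yes,luks
"""

# Assumption: option names with these prefixes are consumed by systemd's
# cryptsetup-generator / systemd-cryptsetup and are unknown to the
# initramfs-tools hook.  Only tpm2- is attested by the report.
SYSTEMD_ONLY_PREFIXES = ("tpm2-",)

# Warning text exactly as quoted in the report.
WARNING_FMT = "cryptsetup: WARNING: {target}: ignoring unknown option '{opt}'"


@dataclass
class CrypttabEntry:
    target: str
    source: str
    keyfile: str
    options: dict  # option name -> value, or None for flag options such as "luks"


def parse_crypttab(text):
    """Parse crypttab text into entries.  Comments and blank lines are skipped;
    the key-file and options fields are optional, as in crypttab(5)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"crypttab line {lineno}: target and source are required")
        target, source = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = {}
        if len(fields) > 3:
            for opt in fields[3].split(","):
                if not opt:
                    continue
                name, sep, value = opt.partition("=")
                options[name] = value if sep else None
        entries.append(CrypttabEntry(target, source, keyfile, options))
    return entries


def systemd_only_options(entry):
    """Options of this entry that the initramfs-tools hook is assumed to ignore."""
    return [o for o in entry.options if o.startswith(SYSTEMD_ONLY_PREFIXES)]


def validate_tpm2_device(value):
    """Sanity-check a tpm2-device= value: 'auto' or a TPM character device path."""
    if value is None:
        return False
    return value == "auto" or value.startswith("/dev/tpm")


def predicted_warnings(entries, initramfs_targets):
    """Warnings the initramfs hook would print for the entries it has to unlock.
    Entries unlocked later by systemd on the booted system produce none here,
    which is the asymmetry between rootfs and a second drive in the report."""
    warnings = []
    for entry in entries:
        if entry.target not in initramfs_targets:
            continue
        for opt in systemd_only_options(entry):
            warnings.append(WARNING_FMT.format(target=entry.target, opt=opt))
    return warnings


if __name__ == "__main__":
    entries = parse_crypttab(SAMPLE_CRYPTTAB)
    # Placeholder: in the report only the rootfs volume is unlocked in the initramfs.
    for line in predicted_warnings(entries, {"nvme1n1p3_crypt"}):
        print(line)
    for entry in entries:
        dev = entry.options.get("tpm2-device")
        if dev is not None and not validate_tpm2_device(dev):
            print(f"{entry.target}: suspicious tpm2-device value {dev!r}")
```

To run it against a real system, replace SAMPLE_CRYPTTAB with the contents of /etc/crypttab and pass the set of targets that the initramfs unlocks; the predicted lines can then be compared with what "update-initramfs -u" prints.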