Bug#1080390: shim-signed: Unable to unlock disk via TPM2 after update to 1.44+15.8 in bookworm

Luca Boccassi bluca at debian.org
Wed Oct 9 19:25:08 BST 2024


Control: tags -1 wontfix
Control: close -1

On Tue, 3 Sep 2024 10:23:41 +0000 "Settenvini, Matteo"
<matteo.settenvini at bender.de> wrote:
> Package: shim-signed
> Version: 1.44~1+deb12u1+15.8-1~deb12u1
> Severity: important
> 
> Dear Maintainer,
> 
> after updating the shim-signed package to
> 1.44~1+deb12u1+15.8~deb12u1,
> unlocking the LUKS drive automatically via the tpm as enrolled
> through
> systemd-cryptenroll fails because the value of PCR 7 changes.
> 
> This is problematic in our setup, because only the IT administrator
> has the LUKS passphrase which can be used as a fallback unlock
> method.
> Therefore, manual intervention for unlocking and re-enrolling the TPM
> is needed.
> 
> At least a NEWS entry should be displayed before the update, and
> possibly a solution to automatically re-enroll after a successful
> unlock
> via passphrase added (via systemd unit file? maybe a systemd wishlist
> item? `keyctl update` to reseal?).
> 
> In any case, a blind update causes a serious regression for us. We
> understand this is intended behavior, but we should at least have
> a way to know before applying the update.
> 
> Thanks!
> Matteo Settenvini

Hi,

The supported disk encryption setup in Debian is created by debian-
installer and managed by cryptsetup-initramfs et al.
It looks like you have a custom setup, which means whatever
tool/script/etc you used, also needs to be able to deal with this and
re-enroll whenever any PCR you bind your key to changes.

Debian is not equipped to do this automatically nor to use any other
schemes, given the default setup uses GRUB and locally-generated
initramfs-tools based initrds, which means there is no possibility of
using predictable signed PCR policies, nor pcrlock for nvram-based
policies. You might be able to experiment with these tools on your own,
but it is not supported in any way, sorry.
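The re-enrollment step that the maintainer says a custom setup must handle itself, as an added example that is not part of this bug report nor of Debian's shim-signed or cryptsetup packaging: a POSIX shell script that compares the current SHA-256 PCR 7 value with the value recorded at the last enrollment and, when they differ (as they do after a shim-signed update), wipes and re-creates the volume's TPM2 key slot bound to PCR 7 only, which is the binding the reporter used. It assumes the kernel exposes PCRs under /sys/class/tpm/tpm0/pcr-sha256/, that systemd-cryptenroll supports --unlock-key-file= (systemd 252 and later), and that a recovery key file exists at the hypothetical path $UNLOCK_KEYFILE; $LUKS_DEV is a placeholder to replace with the real device. The script only acts when RUN_MAIN=1 is set, so sourcing it (for instance to exercise the functions) changes nothing on the system.

```shell
#!/bin/sh
# Added example; not code from the bug report, shim-signed or cryptsetup-initramfs.
# Re-enrolls a LUKS volume's TPM2 slot when PCR 7 differs from the value recorded
# at the previous enrollment. Assumptions: PCRs readable from sysfs (Linux 5.12+),
# systemd-cryptenroll with --unlock-key-file= (systemd 252+), recovery key file at
# UNLOCK_KEYFILE (hypothetical path), LUKS_DEV replaced with the real device.
set -eu

PCR_SYSFS="${PCR_SYSFS:-/sys/class/tpm/tpm0/pcr-sha256}"
STATE_FILE="${STATE_FILE:-/var/lib/tpm2-reenroll/pcr7.sha256}"
LUKS_DEV="${LUKS_DEV:-/dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID}"   # placeholder
UNLOCK_KEYFILE="${UNLOCK_KEYFILE:-/etc/luks/recovery.key}"          # hypothetical
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the enrollment commands instead of running them

# Print the current SHA-256 PCR 7 value (hex, no newline). $1 overrides the sysfs dir.
read_pcr7() {
    dir="${1:-$PCR_SYSFS}"
    tr -d '\n' < "$dir/7"
}

# Exit 0 (true) when the recorded value in state file $1 differs from current
# value $2, or when no state file exists yet (first run); exit 1 otherwise.
pcr7_changed() {
    state="$1"
    current="$2"
    [ -f "$state" ] || return 0
    [ "$(tr -d '\n' < "$state")" != "$current" ]
}

# Wipe the existing TPM2 slot and enroll a new one sealed against PCR 7 only.
# Both steps unlock the volume with the recovery key file, not interactively.
reenroll_tpm2() {
    dev="$1"
    wipe="systemd-cryptenroll --wipe-slot=tpm2 --unlock-key-file=$UNLOCK_KEYFILE $dev"
    enroll="systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=$UNLOCK_KEYFILE $dev"
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $wipe"
        echo "would run: $enroll"
        return 0
    fi
    $wipe
    $enroll
}

# Record the PCR value the new slot was sealed against, for the next comparison.
record_pcr7() {
    mkdir -p "$(dirname "$1")"
    printf '%s\n' "$2" > "$1"
}

main() {
    current="$(read_pcr7)"
    if pcr7_changed "$STATE_FILE" "$current"; then
        echo "PCR 7 changed (or no prior record); re-enrolling TPM2 slot on $LUKS_DEV" >&2
        reenroll_tpm2 "$LUKS_DEV"
        record_pcr7 "$STATE_FILE" "$current"
    else
        echo "PCR 7 unchanged; nothing to do" >&2
    fi
}

# Only touch the system when explicitly asked, e.g. RUN_MAIN=1 ./tpm2-reenroll-pcr7.sh
if [ "${RUN_MAIN:-0}" = 1 ]; then
    main
fi
```

Run it once by hand after the passphrase unlock to seed the state file, then from a boot-time unit or an apt hook after upgrades that touch the boot chain; set DRY_RUN=1 first to see the two systemd-cryptenroll invocations without changing any key slot. The recovery key file must be protected at least as well as the LUKS passphrase, since anyone who can read it can re-enroll the volume.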
