systemd-cryptenroll does not support TPM2 devices

Bug #1969375 reported by Dean Huffman
This bug affects 19 people
Affects            Status        Importance  Assigned to     Milestone
systemd (Ubuntu)   Fix Released  Medium      Nick Rosbrook
  Jammy            Fix Released  Medium      Lukas Märdian
  Kinetic          Fix Released  Medium      Nick Rosbrook

Bug Description

[Impact]

 * TPM2/FIDO cannot be used to unlock LUKS encrypted block devices
 * due to missing build-time support in systemd
 * Error message: "TPM2 not supported on this build."

[Test Plan]

# 1: check no new binary deps have been introduced to the systemd package, other than "libssl3", which is already installed by default.
# Compare to this version of systemd 249.11-0ubuntu3.1:
$ apt-cache depends systemd
systemd
  PreDepends: libblkid1
  PreDepends: libc6
  PreDepends: libcap2
  PreDepends: libgcrypt20
  PreDepends: liblz4-1
  PreDepends: liblzma5
  PreDepends: libselinux1
  PreDepends: libzstd1
  Depends: libacl1
  Depends: libapparmor1
  Depends: libaudit1
  Depends: libcrypt1
  Depends: libcryptsetup12
  Depends: libgnutls30
  Depends: libgpg-error0
  Depends: libip4tc2
  Depends: libkmod2
  Depends: liblz4-1
  Depends: libmount1
  Depends: libpam0g
  Depends: libseccomp2
  Depends: libsystemd0
  Depends: util-linux
  Depends: mount
  Depends: adduser
  Conflicts: <consolekit>
  Conflicts: <libpam-ck-connector>
  Conflicts: <systemd-shim>
  Breaks: resolvconf
  Breaks: udev
 |Recommends: <default-dbus-system-bus>
    dbus
  Recommends: <dbus-system-bus>
    dbus-broker
    dbus
  Recommends: networkd-dispatcher
 |Recommends: systemd-timesyncd
  Recommends: <time-daemon>
    chrony
    ntp
    ntpsec
    openntpd
    systemd-timesyncd
  Suggests: systemd-container
  Suggests: policykit-1

# 2: check that systemd-cryptenroll doesn't have any undefined symbols that prevent it from running:
$ systemd-cryptenroll --help # this should not crash
systemd-cryptenroll [OPTIONS...] BLOCK-DEVICE

Enroll a security token or authentication credential to a LUKS volume.

  -h --help Show this help
     --version Show package version
     --password Enroll a user-supplied password
     --recovery-key Enroll a recovery key
     --pkcs11-token-uri=URI
                       Specify PKCS#11 security token URI
     --fido2-device=PATH
                       Enroll a FIDO2-HMAC security token
     --fido2-with-client-pin=BOOL
                       Whether to require entering a PIN to unlock the volume
     --fido2-with-user-presence=BOOL
                       Whether to require user presence to unlock the volume
     --fido2-with-user-verification=BOOL
                       Whether to require user verification to unlock the volume
     --tpm2-device=PATH
                       Enroll a TPM2 device
     --tpm2-pcrs=PCR1+PCR2+PCR3+…
                       Specify TPM2 PCRs to seal against
     --wipe-slot=SLOT1,SLOT2,
                       Wipe specified slots

See the systemd-cryptenroll(1) man page for details.

# initial setup
$ dd if=/dev/zero of=encrypted.img bs=1 count=0 seek=100M
$ echo -n "s0s3cur3" | cryptsetup luksFormat encrypted.img -
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
🔐 Please enter passphrase for disk volume: s0s3cur3
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
$ sudo mkfs.ext4 /dev/mapper/volume
$ sudo mount /dev/mapper/volume /mnt
$ sudo touch /mnt/TPM_TEST
$ ls -la /mnt
drwxr-xr-x 3 root root 4096 Jun 7 15:06 .
drwxr-xr-x 20 root root 4096 Apr 20 11:45 ..
drwx------ 2 root root 16384 Jun 7 15:06 lost+found
-rw-r--r-- 1 root root 0 Jun 7 15:06 TPM_TEST
$ sudo umount /dev/mapper/volume
$ sudo cryptsetup luksClose volume
$ ls -la /mnt # empty

# 3: check non-TPM use cases (--password & --recovery-key) of systemd-cryptenroll have not regressed.
# enroll additional password
$ systemd-cryptenroll --password encrypted.img
🔐 Please enter current passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3
🔐 Please enter new passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cr3t
🔐 Please enter new passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img (repeat): s0s3cr3t
New password enrolled as key slot 1.
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
🔐 Please enter passphrase for disk volume: s0s3cr3t
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
$ sudo cryptsetup luksClose volume
$ systemd-cryptenroll --wipe-slot=1 encrypted.img
Wiped slot 1.

# enroll additional recovery-key
$ systemd-cryptenroll --recovery-key encrypted.img
🔐 Please enter current passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3
A secret recovery key has been generated for this volume:

    🔐 ubiegrcg-bfeheelf-bgribntv-rnefnhcn-bttrjren-jiclvrkj-klegcvdt-nerdujlr

Please save this secret recovery key at a secure location. It may be used to
regain access to the volume if the other configured access credentials have
been lost or forgotten. The recovery key may be entered in place of a password
whenever authentication is requested.
New recovery key enrolled as key slot 1.
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
🔐 Please enter passphrase for disk volume: ubiegrcg-bfeheelf-bgribntv-rnefnhcn-bttrjren-jiclvrkj-klegcvdt-nerdujlr
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
$ sudo cryptsetup luksClose volume
$ systemd-cryptenroll --wipe-slot=1 encrypted.img
Wiped slot 1.

# 4: check FIDO2 use case:
$ sudo apt install libfido2-1 # runtime dependency for FIDO2 usage
$ systemd-cryptenroll --fido2-device=list
PATH MANUFACTURER PRODUCT
/dev/hidraw5 Yubico YubiKey OTP+FIDO+CCID
$ systemd-cryptenroll --fido2-device=auto encrypted.img
🔐 Please enter current passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3
Requested to lock with PIN, but FIDO2 device /dev/hidraw5 does not support it, disabling.
Initializing FIDO2 credential on security token.
👆 (Hint: This might require confirmation of user presence on security token.)
Generating secret key on FIDO2 security token.
👆 In order to allow secret key generation, please confirm presence on security token.
New FIDO2 token enrolled as key slot 1.
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img - fido2-device=auto
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
Automatically discovered security FIDO2 token unlocks volume.
Asking FIDO2 token for authentication.
👆 Please confirm presence on security token to unlock.
$ sudo cryptsetup luksClose volume
$ systemd-cryptenroll --wipe-slot=1 encrypted.img
Wiped slot 1.

# 5: check TPM2 use case:
$ sudo apt install libtss2-rc0 # runtime dependency for TPM usage
$ systemd-cryptenroll --tpm2-device=list
PATH DEVICE DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_tis
$ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 encrypted.img
🔐 Please enter current passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3
New TPM2 token enrolled as key slot 1.
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img - tpm2-device=auto
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
Automatically discovered security TPM2 token unlocks volume.
# no password needed above!
$ sudo mount /dev/mapper/volume /mnt
$ ls -la /mnt
drwxr-xr-x 3 root root 4096 Jun 7 15:06 .
drwxr-xr-x 20 root root 4096 Apr 20 11:45 ..
drwx------ 2 root root 16384 Jun 7 15:06 lost+found
-rw-r--r-- 1 root root 0 Jun 7 15:06 TPM_TEST

# cleanup
$ sudo umount /dev/mapper/volume
$ sudo cryptsetup luksClose volume
$ ls -la /mnt # empty
$ sudo rm encrypted.img
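
As an added example (not part of the bug report), the POSIX shell script below automates checks #1 and #5 of the plan above against captured command output, so it runs without the systemd binary or a TPM present. The `apt-cache depends` and `--tpm2-device=list` samples are constructed inline, modelled on the output quoted above; the function names and the allow-list of permitted new dependencies (libssl3) are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: checks #1 and #5 of the test plan
# run against captured output. All sample text below is constructed here.

# Hard dependencies (Depends/PreDepends on real packages) from
# `apt-cache depends` output on stdin, one name per line, sorted.
# Recommends/Suggests are skipped: they do not change a default install.
hard_deps() {
    sed -n -e 's/^ *Depends: \([^<> ]*\)$/\1/p' \
           -e 's/^ *PreDepends: \([^<> ]*\)$/\1/p' | sort -u
}

# Hard dependencies present in the new output ($2) but not in the old ($1).
new_hard_deps() {
    old=$(mktemp) || return 2
    hard_deps < "$1" > "$old"
    # -x whole line, -F fixed strings, -v keep only names absent from old
    hard_deps < "$2" | grep -Fxv -f "$old" || :
    rm -f "$old"
}

# Check #1: succeed only if every new hard dependency is in the allow-list
# $3 (space separated). The report permits exactly one: libssl3.
check_new_deps() {
    allowed=" $3 "
    rc=0
    for pkg in $(new_hard_deps "$1" "$2"); do
        case "$allowed" in
            *" $pkg "*) printf 'allowed new dependency: %s\n' "$pkg" ;;
            *) printf 'UNEXPECTED new dependency: %s\n' "$pkg" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Check #5 precondition: classify `systemd-cryptenroll --tpm2-device=list`
# output on stdin. 0 = a /dev/tpm* device is listed, 1 = the build has no
# TPM2 support, 2 = supported but no device found (needs different follow-up).
tpm2_list_status() {
    out=$(cat)
    case "$out" in
        *"TPM2 not supported on this build."*) return 1 ;;
    esac
    printf '%s\n' "$out" | grep -q '^/dev/tpm' && return 0
    return 2
}

# Constructed samples: "old" is an abridged 249.11-0ubuntu3.1 dependency list,
# "new" adds libssl3 plus one of the Suggests seen in the verification diff.
write_samples() {
    cat > "$1/old" <<'EOF'
systemd
  PreDepends: libc6
  Depends: libcryptsetup12
  Depends: libsystemd0
  Recommends: <default-dbus-system-bus>
  Suggests: systemd-container
EOF
    cat > "$1/new" <<'EOF'
systemd
  PreDepends: libc6
  Depends: libcryptsetup12
  Depends: libssl3
  Depends: libsystemd0
  Recommends: <default-dbus-system-bus>
  Suggests: systemd-container
  Suggests: libtss2-rc0
EOF
}

# Constructed --tpm2-device=list outputs: the unfixed jammy build and a fixed one.
TPM2_UNSUPPORTED='TPM2 not supported on this build.'
TPM2_LISTED='PATH DEVICE DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_tis'

main() {
    dir=$(mktemp -d) || exit 2
    write_samples "$dir"
    check_new_deps "$dir/old" "$dir/new" libssl3 && echo "check #1 passed"
    st=0; printf '%s\n' "$TPM2_UNSUPPORTED" | tpm2_list_status || st=$?
    echo "unfixed build -> tpm2 status $st (1 = TPM2 unsupported)"
    rm -rf "$dir"
}
main
```

On a real system, feed `apt-cache depends systemd` captured before and after the upgrade into `check_new_deps`, and pipe the live `systemd-cryptenroll --tpm2-device=list` output into `tpm2_list_status`.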

[Where problems could occur]

 * we're enabling a build-flag to allow usage of TPM/FIDO hardware
 * running new code paths in systemd due to the enablement of a new feature could trigger hidden bugs in systemd-cryptsetup, e.g. when (un)locking encrypted devices
 * new functionality is only active/used if enabled explicitly and suggested runtime dependencies are manually installed

[Other Info]

 * This does not necessarily fall under the HWE SRU policy, as the TPM is already there; it just can't be used via systemd-cryptenroll
 * In a discussion with the SRU team (@vorlon) we agreed that this should be an exception to the rule, due to low regression risk, as long as it does not pull extra dependencies into the default installation, which it doesn't (the new dependencies are only "Suggests:")
 * This will be enabled in Kinetic+ as soon as we merge systemd v251 from Debian: https://salsa.debian.org/systemd-team/systemd/-/commit/6b5e99f1d7f63c0c83007de9f98f7745f4a564f8

=== original description ===

systemd-cryptenroll can make use of tpm2 modules to bind against secure boot pcrs and enable auto unlocking of luks devices.

Following the instructions here:
https://wiki.archlinux.org/title/Trusted_Platform_Module#systemd-cryptenroll

the following commands fail on ubuntu jammy (5.15.0-25-generic)

root@testbox:~# systemd-cryptenroll --tpm2-device=list
TPM2 not supported on this build.
root@testbox:~# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sda3
🔐 Please enter current passphrase for disk /dev/sda3: ***************
root@testbox:~# echo $?
1

It appears that this issue has been resolved in the debian build for systemd here: https://salsa.debian.org/systemd-team/systemd/-/commit/6b5e99f1d7f63c0c83007de9f98f7745f4a564f8

Can we get the same modifications to the Jammy systemd build?

Dean Huffman (deanhuff)
affects: linux (Ubuntu) → systemd (Ubuntu)
description: updated
Nick Rosbrook (enr0n)
tags: added: rls-jj-incoming
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu):
status: New → Confirmed
tags: removed: rls-jj-incoming
Patrick Banholzer (patrick-banholzer) wrote (last edit ):

This seems to be a really easy fix in the rules file.

patch for version systemd_249.11-0ubuntu3:

# diff -Naur rules.old rules.new
--- rules.old 2022-03-08 14:53:55.000000000 +0100
+++ rules.new 2022-05-24 16:17:07.548254564 +0200
@@ -84,7 +84,7 @@
  -Dfdisk=false \
  -Dpwquality=false \
  -Dp11kit=false \
- -Dtpm2=false \
+ -Dtpm2=true \
  -Doomd=true \
  -Dsysext=true \
  -Dnscd=true \
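
Review bot: flipping `-Dtpm2=false` to `-Dtpm2=true` in debian/rules alone is an incomplete fix: with the option set to `true` the tss2 libraries become a hard build-time requirement, so debian/control needs matching Build-Depends, and the runtime libraries should be added as Suggests so that systemd-cryptenroll and systemd-cryptsetup can dlopen them on systems where they are installed. The upload that closed this bug did exactly that (Build-Depends plus Suggests for the libtss2 and libfido2 packages, backported from the linked Debian commit) rather than only changing the meson flag.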

Lukas Märdian (slyon)
tags: added: fr-2436
Lukas Märdian (slyon)
Changed in systemd (Ubuntu Kinetic):
assignee: nobody → Nick Rosbrook (enr0n)
Changed in systemd (Ubuntu Jammy):
assignee: nobody → Lukas Märdian (slyon)
Changed in systemd (Ubuntu Kinetic):
importance: Undecided → Medium
Changed in systemd (Ubuntu Jammy):
importance: Undecided → Medium
Changed in systemd (Ubuntu Kinetic):
status: Confirmed → Triaged
Changed in systemd (Ubuntu Jammy):
status: New → Triaged
Lukas Märdian (slyon)
tags: added: block-proposed-jammy
Lukas Märdian (slyon)
description: updated
description: updated
description: updated
description: updated
Lukas Märdian (slyon) wrote (last edit ):

We're combining this SRU with LP: #1964494 (and other autopkgtest related changes) so I'm removing the block-proposed-jammy tag.

tags: removed: block-proposed-jammy
Lukas Märdian (slyon)
Changed in systemd (Ubuntu Jammy):
status: Triaged → In Progress
Steve Langasek (vorlon) wrote :

Please include as part of the test plan a check that:
- there are no new binary dependencies introduced in the package
- systemd-cryptenroll doesn't have any undefined symbols that prevent it from running (a simple 'systemd-cryptenroll --help' suffices for this)
- non-TPM use cases of systemd-cryptenroll have not regressed.

Changed in systemd (Ubuntu Jammy):
status: In Progress → Incomplete
Lukas Märdian (slyon) wrote :

Thank you for the review!
Turns out there is a new binary dependency after all: "libssl3", but fortunately that one is already installed by default, so it should still be fine.

I've added test-case #1 (binary-depends), #2 (undefined-symbols), #3 (non-tpm/password/recovery-key), #4 (fido2) in addition to the previous test case #5 (tpm2).

PTAL.

description: updated
Changed in systemd (Ubuntu Jammy):
status: Incomplete → In Progress
Lukas Märdian (slyon) wrote :

Marking as "In Progress" for Kinetic, as this will be brought in via the systemd v251 merge from Debian unstable, planned for end of June.

Changed in systemd (Ubuntu Kinetic):
status: Triaged → In Progress
Steve Langasek (vorlon) wrote :

> "libssl3", but fortunately that one is already installed by default,
> so should still be fine.

For changes to so fundamental of a package, I think we want to be careful to have a higher standard than just "installed by default".

In fact it is not possible to remove libssl3 from a jammy system without breaking it quite badly.

 - it is a dependency of ubuntu-minimal.
 - it is Priority: required
 - it is transitively essential: yes via login -> libpam-modules -> libnsl2 -> libtirpc3 -> libgssapi-krb5-2 -> libkrb5-3 -> libssl3 (it is unfortunate that this is true and it is not the case in kinetic, but for SRU purposes it works to our advantage).

So I'm good with this from an SRU perspective.

Changed in systemd (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Dean, or anyone else affected,

Accepted systemd into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/249.11-0ubuntu3.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Dean Huffman (deanhuff) wrote :

Thank you, I am away on holiday until next Wednesday but I will test during the second half of next week.

Lukas Märdian (slyon) wrote :

I've tested systemd 249.11-0ubuntu3.3 from jammy-proposed, all looking good!
$ apt list systemd
Listing... Done
systemd/jammy-proposed,now 249.11-0ubuntu3.3 amd64 [installed]

# 1: only "libssl3" is added as a binary dependency (as expected) plus some new "Suggests":
$ apt-cache depends systemd > new
$ git diff --no-index old new
diff --git a/old b/new
index 3b38cbb..cd28c0c 100644
--- a/old
+++ b/new
@@ -21,6 +21,7 @@ systemd
   Depends: libmount1
   Depends: libpam0g
   Depends: libseccomp2
+ Depends: libssl3
   Depends: libsystemd0
   Depends: util-linux
   Depends: mount
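
Review bot: `+ Depends: libssl3` is a new hard dependency, which is exactly what step #1 of the test plan says must not appear; it is only acceptable because, as argued in the SRU discussion above, libssl3 is Priority: required and transitively essential on jammy. That justification should be recorded in the test plan wording, which currently says only "already installed by default".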
@@ -44,5 +45,9 @@ systemd
     openntpd
     systemd-timesyncd
   Suggests: systemd-container
+ Suggests: libfido2-1
+ Suggests: libtss2-esys-3.0.2-0
+ Suggests: libtss2-mu0
+ Suggests: libtss2-rc0
   Suggests: policykit-1
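
Review bot: three libtss2 packages are newly suggested (libtss2-esys-3.0.2-0, libtss2-mu0, libtss2-rc0) but step #5 of the test plan installs only libtss2-rc0; either confirm that package pulls the other two in as dependencies or list all three in the test plan, so that a verifier starting from a clean system exercises the same dlopen path.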

# 2: systemd-cryptenroll does not crash due to undefined symbols:
$ systemd-cryptenroll --help
systemd-cryptenroll [OPTIONS...] BLOCK-DEVICE

Enroll a security token or authentication credential to a LUKS volume.

  -h --help Show this help
     --version Show package version
     --password Enroll a user-supplied password
     --recovery-key Enroll a recovery key
     --pkcs11-token-uri=URI
                       Specify PKCS#11 security token URI
     --fido2-device=PATH
                       Enroll a FIDO2-HMAC security token
     --fido2-with-client-pin=BOOL
                       Whether to require entering a PIN to unlock the volume
     --fido2-with-user-presence=BOOL
                       Whether to require user presence to unlock the volume
     --fido2-with-user-verification=BOOL
                       Whether to require user verification to unlock the volume
     --tpm2-device=PATH
                       Enroll a TPM2 device
     --tpm2-pcrs=PCR1+PCR2+PCR3+…
                       Specify TPM2 PCRs to seal against
     --wipe-slot=SLOT1,SLOT2,
                       Wipe specified slots

See the systemd-cryptenroll(1) man page for details.
$ echo $?
0

# initial setup
$ dd if=/dev/zero of=encrypted.img bs=1 count=0 seek=100M
0+0 Datensätze ein
0+0 Datensätze aus
0 Bytes kopiert, 0,000629802 s, 0,0 kB/s

$ echo -n "s0s3cur3" | cryptsetup luksFormat encrypted.img -
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
🔐 Please enter passphrase for disk volume: ********
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
$ sudo mkfs.ext4 /dev/mapper/volume
mke2fs 1.46.5 (30-Dec-2021)
Ein Dateisystem mit 21504 (4k) Blöcken und 21504 Inodes wird erzeugt.

beim Anfordern von Speicher für die Gruppentabellen: erledigt
Inode-Tabellen werden geschrieben: erledigt
Das Journal (1024 Blöcke) wird angelegt: fertig
Die Superblöcke und die Informationen über die Dateisystemnutzung werden
geschrieben: erledigt

$ sudo mount /dev/mapper/volume /mnt
$ sudo touch /mnt/TPM_TEST
$ ls -la /mnt
insgesamt 24
drwxr-xr-x 3 root root 4096 Jun 13 10:56 .
drwxr-xr-x 20 root root 4096 Apr 20 11:45 ..
drwx------ 2 root root 16384 Jun 13 10:56 lost+found
-rw-r--r-- 1 root root 0 Jun 13 10:56 TPM_TEST
$ sudo umou...


Lukas Märdian (slyon) wrote :

autopkgtests passed after re-triggering some.

tags: added: verification-done-jammy
removed: verification-needed-jammy
Patrick Banholzer (patrick-banholzer) wrote (last edit ):

@slyon: how did you install that proposed fix?

Just tried to do a selective upgrade on systemd with jammy-proposed but received unmet dependencies on systemd-sysv:

# apt-get install systemd/jammy-proposed
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Selected version '249.11-0ubuntu3.3' (Ubuntu:22.04/jammy-proposed [amd64]) for 'systemd'
Selected version '249.11-0ubuntu3.3' (Ubuntu:22.04/jammy-proposed [amd64]) for 'libsystemd0' because of 'systemd'
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 init : PreDepends: systemd-sysv
E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.

---
apt-mark showhold does not show any held packages

and apt install systemd/jammy-proposed systemd-sysv/jammy-proposed tries to remove 274 essential packages of my kubuntu - this does not seem to be correct.

Lukas Märdian (slyon) wrote :

I enabled jammy-proposed in /etc/apt/sources.list and ran "apt update && apt install systemd"

Patrick Banholzer (patrick-banholzer) wrote :

OK, when not pinning proposed to prio 400 as documented here: https://wiki.ubuntu.com/Testing/EnableProposed, it works :-)

Next issue: update-initramfs does not know the keyword tpm2-device as it is listed in the manpage of systemd-cryptenroll
> In order to unlock a LUKS2 volume with an enrolled TPM2 security chip, specify the tpm2-device= option in the respective /etc/crypttab line:
>
> myvolume /dev/sda1 - tpm2-device=auto

this results in:
update-initramfs: Generating /boot/initrd.img-5.17.0-1011-oem
cryptsetup: WARNING: nvme0n1p3_crypt: ignoring unknown option 'tpm2-device'
I: The initramfs will attempt to resume from /dev/dm-2
I: (/dev/mapper/vgkubuntu-swap_1)
I: Set the RESUME variable to override this.

Do you have a suggestion here?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 249.11-0ubuntu3.3

---------------
systemd (249.11-0ubuntu3.3) jammy; urgency=medium

  [ Lukas Märdian ]
  * Build with and suggest fido2 and tpm libraries (LP: #1969375)
    These are used via dlopen only if available by some tools like
    systemd-cryptsetup, systemd-cryptenroll and systemd-repart,
    with graceful fallbacks if they are not found.
    Build-depend on them so that the features get compiled in
    (apart from stage1 builds), and add appropriate Suggests.
    Backport of:
    https://salsa.debian.org/systemd-team/systemd/-/commit/6b5e99f1d7f63c0c83007de9f98f7745f4a564f8
    Files:
    - debian/control
    - debian/rules
    - debian/tests/control
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c3f5affb669794f9ebfea8d81c68b1aacdde0511
  * Run tests-in-lxd autopkgtest via LXD snap, deb is no more (LP: #1976607)
    Files:
    - debian/tests/control
    - debian/tests/tests-in-lxd
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=eccfd52b275d1b0544dd44f858bcee8508c0957f

  [ Nick Rosbrook ]
  * d/t/boot-and-services: Ignore failed snap mount units in test_no_failed
    (LP: #1967576)
    Author: Nick Rosbrook
    File: debian/tests/boot-and-services
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=cf823bffe5cb47a6eb531d9869f69a844f356376

systemd (249.11-0ubuntu3.2) jammy; urgency=medium

  * d/p/lp1964494-network-do-not-enable-IPv4-ACD-for-IPv4-link-local-a.patch:
    do not enable IPv4 ACD for IPv4 link-local address if ACD is
    disabled explicitly (LP: #1964494)

 -- Lukas Märdian <email address hidden> Tue, 07 Jun 2022 12:49:20 +0200

Changed in systemd (Ubuntu Jammy):
status: Fix Committed → Fix Released
Robie Basak (racb) wrote : Update Released

The verification of the Stable Release Update for systemd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Dean Huffman (deanhuff) wrote :

@patrick-banholzer I had a little trouble getting things installed from the proposed branch. I added the repository in /etc/apt/sources.list.d/ubuntu-jammy-proposed.list as follows:

# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ jammy-proposed restricted main multiverse universe

next I did: apt update

Like you, when I attempted to add proposed-updates file to /etc/apt/preferences.d I received an error. I ended up deleting that file and installing the new systemd deb via the following:

apt install systemd/jammy-proposed systemd-sysv/jammy-proposed systemd-container/jammy-proposed libnss-systemd/jammy-proposed libpam-systemd/jammy-proposed libnss-mymachines/jammy-proposed systemd-timesyncd/jammy-proposed libtss2-rc0

This provided the following files:

libtss2-rc0 is already the newest version (3.2.0-1ubuntu1).
libtss2-rc0 set to manually installed.
Selected version '249.11-0ubuntu3.3' (Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-proposed [amd64]) for 'systemd'
Selected version '249.11-0ubuntu3.3' (Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-proposed [amd64]) for 'libsystemd0' because of 'systemd'
Selected version '249.11-0ubuntu3.3' (Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-proposed [amd64]) for 'systemd-sysv'
Selected version '249.11-0ubuntu3.3' (Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-proposed [amd64]) for 'systemd-container'
Selected version '249.11-0ubuntu3.3' (Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-proposed [amd64]) for 'libnss-systemd'
Selected version '249.11-0ubuntu3.3' (Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-proposed [amd64]) for 'libpam-systemd'
Selected version '249.11-0ubuntu3.3' (Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-proposed [amd64]) for 'libnss-mymachines'
Selected version '249.11-0ubuntu3.3' (Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-proposed [amd64]) for 'systemd-timesyncd'

Then I proceeded to test and configure systemd-cryptenroll as follows:

root@testbox:~# systemd-cryptenroll --tpm2-device=list
PATH DEVICE DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_crb
root@testbox:~# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,1 /dev/sda4
🔐 Please enter current passphrase for disk /dev/sda4: ***************
New TPM2 token enrolled as key slot 1.

finally I updated the /etc/crypttab as follows:
root@testbox:~# cat /etc/crypttab
#dm_crypt-0 UUID=6e4e776f-96f2-4124-be2d-95c5bad15c0b none luks
dm_crypt-0 UUID=6e4e776f-96f2-4124-be2d-95c5bad15c0b none tpm2-device=auto

I was also able to update-initramfs:

root@testbox:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
I: The initramfs will attempt to resume from /dev/dm-2
I: (/dev/mapper/vg_system-lv_swap)
I: Set the RESUME variable to override this.

upon reboot, my luks encrypted PV (/dev/mapper/dm_crypt-0) was mounted automatically via TPM with no password required at boot.

Christopher Hall (christopher88hall) wrote (last edit ):

root@testbox:~# cat /etc/crypttab
dm_crypt-0 UUID=6e4e776f-96f2-4124-be2d-95c5bad15c0b none tpm2-device=auto

For whatever reason my cryptsetup does not interpret tpm2-device=auto as a valid option and throws a warning about it. I'm not in the proposed though

root@ubuntu:~# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sda4
🔐 Please enter current passphrase for disk /dev/sda4: ********
New TPM2 token enrolled as key slot 1.
root@ubuntu:~# cat /etc/crypttab
sda4_crypt UUID=1e25ad74-6f97-46d3-9f1e-e1ed2082f2d7 none tpm2-device=auto
root@ubuntu:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
cryptsetup: WARNING: sda4_crypt: ignoring unknown option 'tpm2-device'
I: The initramfs will attempt to resume from /dev/dm-2
I: (/dev/mapper/vgubuntu-swap_1)
I: Set the RESUME variable to override this.

I also added tpm2-tss to initramfs modules

The systemd-cryptenroll tpm pcr binding worked great though. Bound it to register 7

Christopher Hall (christopher88hall) wrote :

@patrick_banholzer

https://answers.launchpad.net/ubuntu/+question/702266

We have narrowed it down to Dean's LUKS being on a non-root partition, and it works properly for non-root partitions.

Initramfs-tools seems to have issues with the tpm2-device option. Knowing it works in Fedora, I swapped in Dracut and it built an initrd with that option. All kinds of other stuff didn't work properly and it didn't use the tpm2 to decrypt it, but it didn't complain about not knowing what tpm2-device was and discard the option. It seems that it's not fully integrated for use on root filesystems yet on Ubuntu. I'm not sure what has to change where, but we seem to have solved one problem only to run into another.

Christopher Hall (christopher88hall) wrote :

Started a different bug report as systemd-cryptenroll is having no issues with this anymore

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1980018

Nick Rosbrook (enr0n) wrote :

This was covered in the 251.2-2ubuntu1 release in kinetic, but the changelog did not reference the bug number to indicate this.

Changed in systemd (Ubuntu Kinetic):
status: In Progress → Fix Released