clevis luks bind with tpm2 on Ubuntu server 20.04

[yrien30]

I have installed ubuntu server 20.04 whit luks encrypted root partition on raspberr pi using a script I found here https://github.com/unmanarc/rpi-headless-crypto-installer

I want use clevis to unlock the disk using the tpm slb9670 I have installed on the GPIO.
I install clevis using "sudo apt install -y clevis clevis-luks clevis-tpm2 clevis-initramfs" I use the command "sudo clevis luks bind -d /dev/mmcblk0p2 tpm2 '{"pcr_ids":"7"}'" to bind luks to the tpm2. This command seems to run whitout problems but when I restart clevis don't unlock the luks partition.

I was trying to find a way to debug this issue so I tried add debug to /boot/firmware/cmdline.txt and checked the log afterwards in /run/initramfs/initramfs.debug but all I could see there clevis related was :

• /scripts/local-top/clevis
• /scripts/local-bottom/clevis

Annyone that has any idea why this not working or how to debug this?

[sergio-correia]

Can you confirm the tpm kernel modules are loaded? Maybe try something like what is described in #194.

[yrien30]

Can you confirm the tpm kernel modules are loaded? Maybe try something like what is described in #194.

Yes the kernel driver gets loaded and it detects the tpm in initramfs. I thought clevis would print some console messages if it had problem accessing the tpm? I suspect clevis does not detect the password prompt for luks. Do you think that could be the case?

[yrien30]

Could it be the same issue as in #262 ?

[sergio-correia]

Could it be the same issue as in #262 ?

It's possible. Could you try to get some more info, perhaps by removing 2>/dev/null in both https://github.com/latchset/clevis/blob/master/src/initramfs-tools/scripts/local-top/clevis.in#L65 and https://github.com/latchset/clevis/blob/master/src/initramfs-tools/scripts/local-top/clevis.in#L95?

[yrien30]

Get this error msg: ERROR:tcti:src/tss2-tcti/tctildr.c:418:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI ERROR: Could not load tcti, got: "device:/dev/tpmrm0" Creating TPM2 primary key failed!

[sergio-correia]

This seems like a different issue. What's the output of lsinitramfs /boot/initrd.img-$(uname -r) | grep tcti? You may be missing libtss2-tcti-device.so.0 in the initramfs.

[yrien30]

ubuntu@ubuntu:/lib$ lsinitramfs /boot/initrd.img-$(uname -r) | grep tcti usr/lib/aarch64-linux-gnu/libtss2-tctildr.so.0 usr/lib/aarch64-linux-gnu/libtss2-tctildr.so.0.0.0

[sergio-correia]

Yeah, it's missing there. What's the output of this one? grep tcti /usr/share/initramfs-tools/hooks/clevis? And where is libtss2-tcti-device.so.0 located in this system?

[yrien30]

libtss2-tcti-device.so.0 is located at /lib/aarch64-linux-gnu/

ubuntu@ubuntu:/lib/aarch64-linux-gnu$ grep tcti /usr/share/initramfs-tools/hooks/clevis for _LIBRARY in /usr/local/lib/aarch64-linux-gnu/libtss2-tcti-device.so*; do

[sergio-correia]

Did you build this yourself? if so, try to specify --prefix=/usr when invoking meson and see if it helps.

[yrien30]

Yes was building it myself. After including --prefix=/usr I get libtss2-tcti-device.so.0 in the initramfs. Now there is no error messages in initramfs logs. Still not unlocking the disk though.

[yrien30]

Actually now its working. I did wait long enoufh for it to unlock. Do you think that this was the problem I had whit the offical release also? (--prefix=/usr)

[sergio-correia]

Actually now its working. I did wait long enoufh for it to unlock.

Glad to hear.

Do you think that this was the problem I had whit the offical release also? (--prefix=/usr)

Probably not, as I would expect it to be built with --prefix already, but you can try it again and do the same debugging steps, i.e., check grep tcti /usr/share/initramfs-tools/hooks/clevis and also remove the 2>/dev/null from the calls to clevis decrypt, to look for useful messages.

[yrien30]

After installing clevis whit sudo apt install -y clevis clevis-luks clevis-tpm2 clevis-initramfs. It does seem like its missing libtss2-tcti-device.so.0 in the initramfs.

ubuntu@ubuntu:~$ lsinitramfs /boot/initrd.img-$(uname -r) | grep tcti usr/lib/aarch64-linux-gnu/libtss2-tctildr.so.0 usr/lib/aarch64-linux-gnu/libtss2-tctildr.so.0.0.0

ubuntu@ubuntu:~$ grep tcti /usr/share/initramfs-tools/hooks/clevis for _LIBRARY in /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so*; do

libtss2-tcti-device.so.0 is in /usr/lib/aarch64-linux-gnu/

so its looking in the wrong directory...

[yrien30]

For me to get it working I had to build it myself and add tpm_tis_spi to /etc/initramfs-tools/modules. Tried adding manual_add_modules tpm_tis_spi to src/initramfs-tools/hooks/clevis.in but that did't seem to work.

[yrien30]

@sergio-correia Is it possible to add building of clevis for Ubuntu server 20.04 on raspberry pi to your build prosess?