tpm2-software / tpm2-totp

Attest the trustworthiness of a device against a human using time-based one-time passwords
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License

TOTP code not shown by Debian 12 running cryptroot-unlock #103

Open 0x6d61726b opened 1 year ago

0x6d61726b commented 1 year ago

I am experimenting with Debian 12 (bookworm) and measured boot. For that, I have compiled (currently the latest revision, 826c103) and initialized tpm2-totp successfully.

./configure --sysconfdir=/etc --prefix /usr
make -j$(nproc)
make install
tpm2-totp init

When requesting the TOTP value with tpm2-totp show -t, I get the correct value 2023-05-06 16:45:06: 005163root@vmware ~ #. I have also installed plymouth, which also gets added to the initramfs.

When trying to unlock the encrypted disk from the initramfs, however, the TOTP values are not shown until the LUKS password has been entered locally, which is not the intended use of measured boot. ;-)

When logging in via dropbear, TOTP values are also not displayed automatically. However, with tpm2-totp added to the initramfs, the correct TOTP values are displayed. Executing plymouth-tpm2-totp -t from the command prompt blocks, but does not output any text on the following line (the cursor stays at the start of the line):

~ # plymouth-tpm2-totp -t

Here is a screenshot of the output when operating on the console (not via dropbear; I waited roughly 5 minutes until the LUKS password was entered): [screenshot: tpm2-totp-initramfs]

Just for completeness, the built Debian package is here (.zip file because GitHub doesn't support the .deb extension): tpm2-totp_0.3.0+git20230105.826c103-1.deb.zip

Does anyone have an idea what I am doing wrong? Could this be related to #92?