wmcelderry / systemd_with_tpm2

Scripts to enable TPM2 on ubuntu 22.04
GNU General Public License v3.0

Broken in Ubuntu 24.04 #14

Open geppi opened 1 month ago

geppi commented 1 month ago

I had this working under Ubuntu 22.04. BTW thank you for the patched initramfs scripts!

Unfortunately this is broken after upgrading to the latest LTS version Ubuntu 24.04. :-(

First, the release upgrade installed new 'function' and 'cryptroot' scripts. Therefore unlocking the LUKS2 partition via TPM fails and I need to use the fallback and enter a passphrase. However, it shows that the general setup of the rootfs on an encrypted LUKS2 partition is still OK.

In addition, the release upgrade did not carry over the libtss2- packages.

So I reinstalled the libtss2- packages and applied the patches manually, since the new script versions have changed in several places. When booting the system with the initrd.img created from these patched versions, I'm stuck in the boot process with:

Set cipher aes, mode xts-plain64, key size is 512 bits for device /dev/nvm0n1p7.

I cannot even unlock the partition with the passphrase anymore when using this initrd.img:

Failed to activate with specified passphrase. (Passphrase incorrect?)

It is a pity that this still doesn't work out of the box with the new LTS release. Especially since it was possible to do it with your patches already 2 years ago.

I have never dealt with the creation procedure of the initramfs and therefore would like to ask if anybody with better knowledge has an idea what's going wrong with the procedure they implemented in Ubuntu 24.04?

geppi commented 1 month ago

Doing a little more research I figured out that Ubuntu now offers the possibility to use full disk encryption (FDE) with a TPM, but it is based on a unified kernel image (UKI) snap. Therefore I'm afraid that Ubuntu will never get out-of-the-box support for FDE with TPM for deb-based kernels and initrd images.

This raises the value of a method to implement it with some patches even more.

However, I'm a little lost with the Debian initramfs creation tools. Either I just haven't found good documentation on them, or they are probably not that well documented. On the other hand, I found several sources that seem to have managed to implement TPM-based unlocking of an encrypted rootfs with dracut or clevis.

So far I have hesitated to dive deeper into these possibilities because these initramfs builders are not 'natural' in Debian-based distros. Most of the sources I found work on Fedora. Maybe it's time to give them a try, especially now that an out-of-the-box solution from Ubuntu for the deb-based stuff has become more unlikely.

geppi commented 1 month ago

Finally I switched to 'dracut' to create the initramfs image, which pretty much works out of the box. The steps were:

sudo apt-get install dracut tpm2-tools

Create the file '/etc/dracut.conf.d/tpm.conf' with content:

hostonly="yes"
add_dracutmodules+=" tpm2-tss "

Take care that the required crypttab entries will be included in the initramfs image:

sudo cp /etc/crypttab /etc/crypttab.initramfs

Finally create the initramfs image for the running kernel:

sudo dracut -f

This enabled unlocking the encrypted LUKS partition with the volume group containing rootfs and swap during boot via the TPM.
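As an added example (not code from the repository or from this thread), the following preflight script checks the pieces of the dracut procedure above: that the crypttab entry carries only the tpm2-device=auto option, that /etc/crypttab.initramfs is in sync with /etc/crypttab, that the drop-in adds the tpm2-tss module, and (when dracut's lsinitrd is available) that the built image actually contains it. The mapping name used in the examples (cryptroot) and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the repository or this thread: preflight checks for
# the dracut-based TPM2 unlock setup. Paths are passed as arguments so the
# checks also run on constructed files; main() uses the live Ubuntu paths.

# 0 if the crypttab entry named $2 has tpm2-device=auto in its options field
# (the only tpm2 option the thread says crypttab should carry), 1 otherwise.
crypttab_has_tpm2_auto() {
    awk -v n="$2" '
        /^[[:space:]]*(#|$)/ { next }     # skip comments and blank lines
        $1 == n && ("," $4 ",") ~ /,tpm2-device=auto,/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}
# 0 if the copy dracut embeds (crypttab.initramfs) matches the live crypttab.
crypttab_copy_in_sync() {
    cmp -s "$1" "$2"
}
# Write the dracut drop-in from the thread: host-only image + tpm2-tss module.
write_dracut_tpm_conf() {
    mkdir -p "$(dirname "$1")"
    printf 'hostonly="yes"\nadd_dracutmodules+=" tpm2-tss "\n' > "$1"
}
# 0 if the drop-in requests the tpm2-tss module (1 if missing or absent file).
dracut_conf_has_tpm2() {
    grep -qs 'add_dracutmodules+=" tpm2-tss "' "$1"
}
# 0 if a built image contains the tpm2-tss module; 2 if dracut's lsinitrd
# is not installed (check skipped).
initrd_has_tpm2_module() {
    command -v lsinitrd >/dev/null 2>&1 || return 2
    lsinitrd -m "$1" | grep -qx 'tpm2-tss'
}
# Run all checks against the live system: sh tpm2check.sh cryptroot
main() {
    crypttab_has_tpm2_auto /etc/crypttab "$1" ||
        echo "/etc/crypttab: entry $1 lacks tpm2-device=auto"
    crypttab_copy_in_sync /etc/crypttab /etc/crypttab.initramfs ||
        echo "/etc/crypttab.initramfs differs from /etc/crypttab; re-copy, rerun dracut -f"
    dracut_conf_has_tpm2 /etc/dracut.conf.d/tpm.conf ||
        echo "/etc/dracut.conf.d/tpm.conf does not add the tpm2-tss module"
    initrd_has_tpm2_module "/boot/initrd.img-$(uname -r)"
    case $? in 1) echo "running kernel's initrd has no tpm2-tss module";;
               2) echo "lsinitrd not found; initrd check skipped";; esac
}
if [ $# -gt 0 ]; then main "$1"; fi
```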

BoskyWSMFN commented 1 month ago

Thanks for the dracut instructions. To be honest, this approach looks easier than patching systemd scripts. And more stable, since systemd updates revert patches. However, my fork with Poulpatine's and wmcelderry's patches works on Ubuntu 24.04, including distros based on it.

selcem-artan commented 1 week ago

@geppi while enrolling the LUKS passphrase to the TPM, did you also use systemd? And do you still use the "--tpm2-device=auto" option while enrolling? In that case, did you set tpm2-device=auto or tpm2-tts in /etc/crypttab? I also wonder whether enabling/disabling secure boot affects your implementation?

BoskyWSMFN commented 1 week ago

@geppi while enrolling the LUKS passphrase to the TPM, did you also use systemd? And do you still use the "--tpm2-device=auto" option while enrolling? In that case, did you set tpm2-device=auto or tpm2-tts in /etc/crypttab? I also wonder whether enabling/disabling secure boot affects your implementation?

I used systemd-cryptenroll with the "tpm2-device=auto" and "tpm2-pcrs=0+7" options. You can read about PCRs here. Crypttab, however, should only contain the "tpm2-device=auto" option. Try my fork if you use systemd to unlock, but the description above also works for dracut.

selcem-artan commented 1 week ago

@BoskyWSMFN thanks, this worked. I used the default PCR 7 only, to avoid changes in register values which may happen with firmware, kernel updates etc. I am planning to run "chattr +i" on these updated config files to prevent TPM unlocking from being broken by package upgrades of initramfs-tools etc.

BoskyWSMFN commented 1 week ago

@BoskyWSMFN thanks, this worked. I used the default PCR 7 only, to avoid changes in register values which may happen with firmware, kernel updates etc. I am planning to run "chattr +i" on these updated config files to prevent TPM unlocking from being broken by package upgrades of initramfs-tools etc.

Great idea with chattr! I gotta say, however, that the patched scripts only get updated with a systemd package upgrade, so an apt hold should be enough.