wmcelderry / systemd_with_tpm2

Scripts to enable TPM2 on ubuntu 22.04
GNU General Public License v3.0

Broken in Ubuntu 24.04 #14

Open geppi opened 3 weeks ago

geppi commented 3 weeks ago

I had this working under Ubuntu 22.04. BTW thank you for the patched initramfs scripts!

Unfortunately this is broken after upgrading to the latest LTS version Ubuntu 24.04. :-(

First, the release upgrade installed a new 'function' and 'cryptroot' script. Therefore unlocking the luks2 partition via TPM fails and I need to make use of the fallback and enter a passphrase. However, it shows the general setup of the rootfs on an encrypted luks2 partition is still OK.

In addition the release upgrade did not carry over the libtss2- packages.

So I did reinstall the libtss2- packages and did manually apply the patches since the new script versions have changed in several places. When booting the system with the initrd.img created from these patched versions I'm stuck in the boot process with:

Set cipher aes, mode xts-plain64, key size is 512 bits for device /dev/nvm0n1p7.

I cannot even unlock the partition with the passphrase anymore when using this initrd.img:

Failed to activate with specified passphrase. (Passphrase incorrect?)

It is a pity that this still doesn't work out of the box with the new LTS release. Especially since it was possible to do it with your patches already 2 years ago.

I have never dealt with the creation procedure of the initramfs and therefore would like to ask if anybody with better knowledge has an idea what's going wrong with the procedure they implemented in Ubuntu 24.04?

geppi commented 3 weeks ago

Doing a little more research I figured out that Ubuntu now offers the possibility to use full disk encryption FDS with a TPM but it is based on a unified kernel image UKI snap. Therefore I'm afraid that Ubuntu will never get out of the box support for FDS with TPM for deb based kernels and initrd images.

This raises the value of a method to implement it with some patches even more.

However, I'm a little lost with the Debian initramfs creation tools. Either I just haven't found good documentation on it or it is probably not that well documented. On the other hand I found several sources that seem to have managed to implement TPM based unlocking of an encrypted rootfs with dracut or clevis.

So far I have hesitated to dive deeper into these possibilities because these initramfs builders are not 'natural' in Debian based distros. Most of the sources I found work on Fedora. Maybe it's time to give them a try, especially now that an out of the box solution from Ubuntu for the deb based stuff has become more unlikely.

geppi commented 3 weeks ago

Finally I switched to 'dracut' to create the initramfs image which pretty much works out of the box. The steps were:

sudo apt-get install dracut tpm2-tools

Create the file '/etc/dracut.conf.d/tpm.conf' with content:

hostonly="yes"
add_dracutmodules+=" tpm2-tss "

Take care that the required crypttab entries will be included in the initramfs image:

sudo cp /etc/crypttab /etc/crypttab.initramfs

Finally create the initramfs image for the running kernel:

sudo dracut -f

This enabled unlocking the encrypted LUKS partition with the volume group containing rootfs and swap during boot via the TPM.
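A pre-flight check for the dracut procedure above, added here as an example and not part of the comment or the repository: it verifies that the dracut drop-in enables the tpm2-tss module and that every entry in the crypttab copy carries a tpm2-device= option, so a silently missing option shows up before `dracut -f` rather than as a passphrase prompt at boot. The file paths, the function names and the tpm2-device= convention (systemd's crypttab option, which the comment does not show) are assumptions.

```shell
#!/bin/sh
# Pre-flight check before running `dracut -f` (example, not from the project).
# Usage: sh tpm_preflight.sh /etc/dracut.conf.d/tpm.conf /etc/crypttab.initramfs
# Paths are arguments so the check can also run against copies of the files.

# check_dracut_conf FILE
# Returns 0 when hostonly is "yes" and tpm2-tss is listed in add_dracutmodules.
check_dracut_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "missing $conf" >&2; return 1; }
    grep -Eq '^[[:space:]]*hostonly="?yes"?' "$conf" \
        || { echo "hostonly is not yes in $conf" >&2; return 1; }
    grep -Eq '^[[:space:]]*add_dracutmodules[+]=.*tpm2-tss' "$conf" \
        || { echo "tpm2-tss module not added in $conf" >&2; return 1; }
    return 0
}

# check_crypttab FILE
# Returns 0 when every non-comment entry has a tpm2-device= option (assumed
# convention: without it systemd-cryptsetup falls back to the passphrase prompt).
check_crypttab() {
    tab="$1"
    [ -r "$tab" ] || { echo "missing $tab" >&2; return 1; }
    status=0
    while read -r name dev keyfile opts; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        case ",$opts," in
            *,tpm2-device=*) ;;
            *) echo "$name: no tpm2-device= option (will prompt for passphrase)" >&2
               status=1 ;;
        esac
    done < "$tab"
    return $status
}

# Run both checks when invoked with the two file paths.
[ $# -eq 2 ] && { check_dracut_conf "$1" && check_crypttab "$2"; }
```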

BoskyWSMFN commented 3 weeks ago

Thanks for the dracut instructions. To be honest this approach looks easier than patching systemd scripts. And more stable, since systemd updates revert patches. However, my fork with Poulpatine's and wmcelderry's patches works on Ubuntu 24.04, including distros based on it.