Open geppi opened 1 month ago
Doing a little more research I figured out that Ubuntu now offers the possibility to use full disk encryption FDS with a TPM but it is based on a unified kernel image UKI snap. Therefore I'm afraid that Ubuntu will never get out of the box support for FDS with TPM for deb based kernels and initrd images.
This does even more raise the value of a method to implement it with some patches.
However, I'm a little lost with the Debian initramfs creation tools. Either I just haven't found good documentation on it or it is probably not that well documented. On the other hand I found several sources that seem to have managed to implement TPM based unlocking of an encrypted rootfs with dracut or clevis.
So far I did hesitate to dive deeper into these possibilities because these initramfs builders are not 'natural' in Debian based distros. Most of the sources I found work on Fedora. Maybe it's time to give them a try especially now that an out of the box solution from Ubuntu for the deb based stuff has become more unlikely.
Finally I switched to 'dracut' to create the initramfs image which pretty much works out of the box. The steps were:
sudo apt-get install dracut tpm2-tools
Create the file '/etc/dracut.conf.d/tpm.conf' with content:
hostonly="yes"
add_dracutmodules+=" tpm2-tss "
Take care that the required crypttab entries will be included in the initramfs image:
sudo cp /etc/crypttab /etc/crypttab.initramfs
Finally create the initramfs image for the running kernel:
sudo dracut -f
This did enable unlocking the encrypted LUKS partition with the volume group containing rootfs and swap during boot via the TPM.
Thanks for the dracut instruction. To be honest this approach looks easier than patching systemd scripts. And more stable since systemd updates revert patches. However, my fork with Poulpatine's and wmcelderry's patches works on Ubuntu 24.04 including distros based on it.
@geppi while enrolling LUKS passphrase to TPM, did you use systemd also? And do you still use "--tpm2-device=auto" option while enroll? In that case did you set tpm2-device=auto or tpm2-tts in /etc/crypttab? I also wonder whether secure boot enable/disable affects your implementation?
I used systemd-cryptenroll with "tpm2-device=auto" and "tpm2-pcrs=0+7" options. You can read about pcrs here. Crypttab however should only contain "tpm2-device=auto" option. Try my fork if you use systemd to unlock but the description above also works for dracut.
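As an added check written for this thread (not code from any commenter or from systemd): the script below reads the LUKS2 header JSON that `cryptsetup luksDump --dump-json-metadata` prints and a crypttab line, and reports whether they match the recipe above (a systemd-tpm2 token enrolled, crypttab carrying only tpm2-device=auto). The metadata and crypttab line are constructed samples.

```python
import json

# Constructed sample in the shape of `cryptsetup luksDump --dump-json-metadata <dev>`
# for a header with one systemd-cryptenroll TPM2 token bound to PCRs 0 and 7.
SAMPLE_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"],
                     "tpm2-pcrs": [0, 7], "tpm2-pcr-bank": "sha256",
                     "tpm2-pin": False, "tpm2-blob": "<omitted>"}},
})
# Constructed crypttab line: name, device, key file, options.
SAMPLE_CRYPTTAB = "cryptroot UUID=00000000-0000-0000-0000-000000000000 none luks,discard,tpm2-device=auto\n"


def tpm2_tokens(metadata_json):
    """Return (sorted PCR list, keyslot ids, pin required) for every systemd-tpm2 token."""
    md = json.loads(metadata_json)
    return [(sorted(t.get("tpm2-pcrs", [])), list(t.get("keyslots", [])), bool(t.get("tpm2-pin", False)))
            for t in md.get("tokens", {}).values() if t.get("type") == "systemd-tpm2"]


def crypttab_options(line):
    """Parse the fourth crypttab field into a dict (flag options map to '')."""
    fields = line.split()
    opts = {}
    for opt in (fields[3].split(",") if len(fields) >= 4 else []):
        key, _, value = opt.partition("=")
        opts[key] = value
    return opts


def audit(metadata_json, crypttab_line):
    """Return a list of findings; an empty list means header and crypttab agree with the recipe."""
    findings = []
    tokens = tpm2_tokens(metadata_json)
    opts = crypttab_options(crypttab_line)
    keyslots = json.loads(metadata_json).get("keyslots", {})
    if not tokens:
        findings.append("no systemd-tpm2 token in header: boot will always fall back to the passphrase")
    if opts.get("tpm2-device") != "auto":
        findings.append("crypttab lacks tpm2-device=auto: the initramfs will not try the TPM")
    for extra in sorted(k for k in opts if k.startswith("tpm2-") and k != "tpm2-device"):
        findings.append(f"crypttab carries {extra}=, but only tpm2-device=auto is expected here")
    for pcrs, slots, pin in tokens:
        if 7 not in pcrs:
            findings.append(f"token bound to PCRs {pcrs} does not include PCR 7 (Secure Boot state)")
        if 0 in pcrs:
            findings.append("PCR 0 is bound: a firmware update invalidates the seal until re-enrolled")
        if pin:
            findings.append("token requires a PIN: unattended TPM unlock will not happen")
        for slot in slots:
            if slot not in keyslots:
                findings.append(f"token references keyslot {slot}, which is missing from the header")
    return findings
```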
@BoskyWSMFN thanks, this worked. I used default PCR 7 only to avoid changes on register values which may happen with firmware, kernel updates etc. I am planning to run "chattr +i" on these updated config files to prevent TPM from being broken with package upgrades on initramfs-tools etc.
Great idea with chattr! I gotta say however that patched scripts only update with systemd package upgrade so apt halt should be enough.
I had this working under Ubuntu 22.04. BTW thank you for the patched initramfs scripts!
Unfortunately this is broken after upgrading to the latest LTS version Ubuntu 24.04. :-(
First the release upgrade did install new 'function' and 'cryptroot' scripts. Therefore unlocking the luks2 partition via TPM fails and I need to make use of the fallback and enter a passphrase. However, it shows the general setup of the rootfs on an encrypted luks2 partition is still OK.
In addition the release upgrade did not carry over the libtss2- packages.
So I did reinstall the libtss2- packages and did manually apply the patches since the new script versions have changed in several places. When booting the system with the initrd.img created from these patched versions I'm stuck in the boot process with:
Set cipher aes, mode xts-plain64, key size is 512 bits for device /dev/nvm0n1p7.
I cannot even unlock the partition with the passphrase anymore when using this initrd.img:
Failed to activate with specified passphrase. (Passphrase incorrect?)
It is a pity that this still doesn't work out of the box with the new LTS release. Especially since it was possible to do it with your patches already 2 years ago.
I never dealt with the creation procedure of the initramfs and therefore would like to ask if anybody with better knowledge has an idea what's going wrong with the procedure they implemented in Ubuntu 24.04?