Open selcem-artan opened 1 week ago
Here are the changes I made to the various files to get it back to work for Ubuntu 24:
Install tpm2-initramfs-tool and tpm2-tools. Note that tpm2-initramfs-tool is another option to store the password and unlock at boot time; I haven't tried this option yet, since I'm using systemd-cryptenroll to seal the TPM against Secure Boot. https://github.com/timchen119/tpm2-initramfs-tool
Copy https://github.com/wmcelderry/systemd_with_tpm2/blob/main/scripts/systemd_cryptsetup_hook to /etc/initramfs-tools/hooks and chmod a+x it.
diff cryptroot /usr/share/initramfs-tools/scripts/local-top/cryptroot
158c158
< if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
---
> if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && ( [ -n "${CRYPTTAB_OPTION_tpm2_device}" ] || [ "$CRYPTTAB_KEY" != "none" ] ); then
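Review bot: the `( ... )` grouping in the new condition forks a subshell on every evaluation; `{ [ -n "${CRYPTTAB_OPTION_tpm2_device}" ] || [ "$CRYPTTAB_KEY" != "none" ]; }` keeps the same precedence without the fork. Note also that the branch is now entered with `CRYPTTAB_KEY` equal to `none` whenever a tpm2-device option is present, so whatever the branch body does with `$CRYPTTAB_KEY` must tolerate that value.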
and
diff cryptsetup_functions /usr/lib/cryptsetup/functions
66a67
> CRYPTTAB_OPTION_tpm2_device \
162a164
> tpm2-device) OPTION="tpm2_device";;
226a229,231
> tpm2-device)
> [ -n "${VALUE+x}" ] || return 1 # must have a value
> ;;
360a366
> if [[ -z "${CRYPTTAB_OPTION_tpm2_device}" ]] ; then
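Review bot: `[[ -z ... ]]` is a bash extension, while the other added lines (`[ -n "${VALUE+x}" ]`) and the cryptroot hunk use POSIX `[`; this functions file is sourced from `#!/bin/sh` scripts inside the initramfs, where `[[` is not guaranteed under dash or busybox sh. Use `if [ -z "${CRYPTTAB_OPTION_tpm2_device}" ]; then` here so the unlock path does not die with a syntax error at boot.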
382a389,391
> else
> /lib/systemd/systemd-cryptsetup attach "${CRYPTTAB_NAME}" "${CRYPTTAB_SOURCE}" "${keyfile}" "tpm2-device=${CRYPTTAB_OPTION_tpm2_device}"
> fi
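Review bot: the `else` branch hands `systemd-cryptsetup attach` only `tpm2-device=${CRYPTTAB_OPTION_tpm2_device}` as its options string, so every other option on that crypttab line (for example `discard`, or a `tpm2-pcrs=` selection that narrows the sealing policy) is silently dropped on the TPM path; build the string from the full `CRYPTTAB_OPTIONS` value instead. Within the hunk the command's exit status is also not examined, so a policy mismatch after a firmware or boot-loader update should be checked by the caller to fall back to the passphrase prompt rather than fail silently.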
then
systemd-cryptenroll /dev/?da3 --tpm2-device=auto # PCR7 (Secure Boot) is implied
sed -i 's%$%,tpm2-device=auto%' /etc/crypttab
update-initramfs -u
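A more careful way to do the crypttab step, as an added example that is not part of the issue or of the hook project: a POSIX sh function that appends `tpm2-device=auto` only to real entries, skipping comments, blank lines and entries that already carry a tpm2-device option (the one-line sed above appends to every line of the file). The file path and the sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the issue: rewrite a crypttab so that each real
# entry carries tpm2-device=auto in its options field. Output goes to
# stdout so the result can be reviewed before replacing /etc/crypttab.

add_tpm2_option() {
    # $1: path to a crypttab-format file (constructed in the test below)
    set -f                                  # no globbing while we split fields
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) printf '%s\n' "$line"; continue ;;   # keep comments/blanks
        esac
        # shellcheck disable=SC2086
        set -- $line                        # name source [key] [options]
        name=$1 source=$2 key=${3:-none} opts=${4:-}
        case ",$opts," in
            *,tpm2-device=*) ;;                     # already has a TPM option
            ,,) opts="tpm2-device=auto" ;;          # no options field at all
            *)  opts="$opts,tpm2-device=auto" ;;    # append to existing list
        esac
        printf '%s %s %s %s\n' "$name" "$source" "$key" "$opts"
    done < "$1"
    set +f
}
```

Run it as `add_tpm2_option /etc/crypttab > /tmp/crypttab.new`, diff against the original, then copy it into place and run update-initramfs -u.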
I used cloud-init for generation of an ubuntu 22.04.05 image and I am able to systemd-cryptenroll successfully. So, I tried to apply only the patches installation and hooks script. Unfortunately, the patch install returns an error.