TPM2 / Systemd / LUKS

Developer Discussion
1

Hi!

Cool, I noticed that recently TPM2 must have been added to systemd. I did not see much discussion or info around it, where could I find some info about the reason or future vision of this change?

I would like to set up a system with an encrypted drive, auto unlocking via TPM2 / Systemd.
Is there some info on how to set up such an environment?

One thing I currently wonder about is if I have to create a new initrd. But there I struggle on how this
should look like on clear linux with the EFI boot partition / clr-boot-manager / dracut and such.

# date
Wed Oct  4 09:53:13 PM UTC 2023
# swupd info
Distribution:      Clear Linux OS
Installed version: 40050
Version URL:       https://cdn.download.clearlinux.org/update
Content URL:       https://cdn.download.clearlinux.org/update

# systemctl --version
systemd 252 (252)
+PAM +AUDIT -SELINUX -APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 -IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK -PCRE2 +PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 -LZ4 -XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=hybrid
3 Likes
2

@ahkok @pixelgeek any input on that?

I managed at least to auto unlock a non root partition via tpm, but till now I did not manage to do it with the root partition. When I look at other distris guides it points to the initrd and dracut. But looking in
What is the best practice to customize initrd? it seems to point that features should be solved central.

What is needed / missing to get luks2 root auto unlock on boot with tpm2 going?

3

Have you already added the bundle bootloader-extras? It adds an initrd weā€™ve already created. See GitHub - clearlinux/clr-init: Initrd created using systemd as init program for more details.

4

hi, yes, that is already present, these are the bundles which are installed:

boot-encrypted, bootloader-extras, clr-installer, cryptoprocessor-management, devpkg-tpm2-abrmd, devpkg-tpm2-tss, iftop, NetworkManager, openssh-server, os-core-update, os-core, storage-utils, sysadmin-basic, sysadmin-hostmgmt, time-server-basic, vim

./EFI/org.clearlinux:
total 73356
drwxr-xr-x 2 root root 4096 Oct 31 00:39 .
drwxr-xr-x 4 root root 4096 Oct 28 20:55 ..
-rwxr-xr-x 1 root root 934410 Oct 31 00:39 **bootloaderx64.efi**
-rwxr-xr-x 1 root root 13098496 Oct 28 20:55 **freestanding-00-early-ucode.cpio**
-rwxr-xr-x 1 root root 25534403 Oct 28 20:55 **freestanding-clr-init.cpio.gz**
-rwxr-xr-x 1 root root 3363988 Oct 28 20:55 **freestanding-i915-firmware.cpio.xz**
-rwxr-xr-x 1 root root 103244 Oct 28 20:55 **initrd-org.clearlinux.native.6.5.9-1373**
-rwxr-xr-x 1 root root 103120 Oct 31 00:39 **initrd-org.clearlinux.native.6.5.9-1374**
-rwxr-xr-x 1 root root 15901472 Oct 28 20:55 **kernel-org.clearlinux.native.6.5.9-1373**
-rwxr-xr-x 1 root root 15901536 Oct 31 00:39 **kernel-org.clearlinux.native.6.5.9-1374**
-rwxr-xr-x 1 root root 145395 Oct 31 00:39 **loaderx64.efi**
5

@btwarden any other comment? I tried the latest version but I still did not manage to boot.
Which initrd is added and do I manually need to refer to it or should it be present already?
To me it looks I would need: tpm_crb tpm_infineon tpm_tis tpm_tis_core and at least tpm_tis
might be missing?

I see the log of the boot shows at least
Feb 13 00:12:07 hostname systemd-tpm2-setup[446]: ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory
Feb 13 00:12:07 hostname systemd-tpm2-setup[446]: Failed to create TPM2 context: State not recoverable

An other thing I wonder is what the options root=UUID=39d24141-c3ec-4829-a537-0cae06dac7f7
is pointing to

/boot/EFI # ls -laR /boot/
/boot/:
total 16
drwxr-xr-x 4 root root 4096 Jan 1 1970 .
drwxr-xr-x 18 root root 4096 Feb 12 23:58 ā€¦
drwxr-xr-x 4 root root 4096 Feb 13 00:02 EFI
drwxr-xr-x 3 root root 4096 Feb 13 00:02 loader

/boot/EFI:
total 16
drwxr-xr-x 4 root root 4096 Feb 13 00:02 .
drwxr-xr-x 4 root root 4096 Jan 1 1970 ā€¦
drwxr-xr-x 2 root root 4096 Feb 13 00:02 BOOT
drwxr-xr-x 2 root root 4096 Feb 13 00:02 org.clearlinux

/boot/EFI/BOOT:
total 136
drwxr-xr-x 2 root root 4096 Feb 13 00:02 .
drwxr-xr-x 4 root root 4096 Feb 13 00:02 ā€¦
-rwxr-xr-x 1 root root 129536 Feb 13 00:02 BOOTX64.EFI

/boot/EFI/org.clearlinux:
total 70300
drwxr-xr-x 2 root root 4096 Feb 13 00:02 .
drwxr-xr-x 4 root root 4096 Feb 13 00:02 ā€¦
-rwxr-xr-x 1 root root 934410 Feb 13 00:02 bootloaderx64.efi
-rwxr-xr-x 1 root root 12553728 Feb 13 00:02 freestanding-00-early-ucode.cpio
-rwxr-xr-x 1 root root 38665256 Feb 13 00:02 freestanding-clr-init.cpio.gz
-rwxr-xr-x 1 root root 3473516 Feb 13 00:02 freestanding-i915-firmware.cpio.xz
-rwxr-xr-x 1 root root 103408 Feb 13 00:02 initrd-org.clearlinux.native.6.7.4-1406
-rwxr-xr-x 1 root root 16105472 Feb 13 00:02 kernel-org.clearlinux.native.6.7.4-1406
-rwxr-xr-x 1 root root 129536 Feb 13 00:02 loaderx64.efi

/boot/loader:
total 16
drwxr-xr-x 3 root root 4096 Feb 13 00:02 .
drwxr-xr-x 4 root root 4096 Jan 1 1970 ā€¦
drwxr-xr-x 2 root root 4096 Feb 13 00:02 entries
-rwxr-xr-x 1 root root 43 Feb 13 00:02 loader.conf

/boot/loader/entries:
total 12
drwxr-xr-x 2 root root 4096 Feb 13 00:02 .
drwxr-xr-x 3 root root 4096 Feb 13 00:02 ā€¦
-rwxr-xr-x 1 root root 760 Feb 13 00:02 Clear-linux-native-6.7.4-1406.conf

cat /boot/loader/entries/Clear-linux-native-6.7.4-1406.conf

title Clear Linux OS
linux /EFI/org.clearlinux/kernel-org.clearlinux.native.6.7.4-1406
initrd /EFI/org.clearlinux/freestanding-00-early-ucode.cpio
initrd /EFI/org.clearlinux/initrd-org.clearlinux.native.6.7.4-1406
initrd /EFI/org.clearlinux/freestanding-clr-init.cpio.gz
initrd /EFI/org.clearlinux/freestanding-i915-firmware.cpio.xz
options root=UUID=39d24141-c3ec-4829-a537-0cae06dac7f7 rd.luks.uuid=235e3207-2055-4204-a68a-618b52615297 console=tty0 console=ttyS0,115200n8 cryptomgr.notests init=/usr/bin/initra-desktop initcall_debug intel_iommu=igfx_off kvm-intel.nested=1 no_timer_check noreplace-smp page_alloc.shuffle=1 rcupdate.rcu_expedited=1 rootfstype=ext4,btrfs,xfs,f2fs tsc=reliable rw nomodeset i915.modeset=0 rootflags=x-systemd.device-timeout=0

lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,UUID

NAME FSTYPE SIZE MOUNT UUID
sda 953.9G
ā”œā”€sda1 vfat 1022M /boot F515-9574
ā””ā”€sda2 crypto_LUKS 200G 235e3207-2055-4204-a68a-618b52615297
ā””ā”€luks-235e3207-2055-4204-a68a-618b52615297 200G /

journalctl |grep \ 00:12:|grep -i tpm

Feb 13 00:12:07 hostname systemd-modules-load[442]: Module ā€˜tpmā€™ is built in
Feb 13 00:12:07 hostname systemd-modules-load[442]: Inserted module ā€˜tpm_infineonā€™
Feb 13 00:12:07 hostname systemd[1]: Starting systemd-tpm2-setup-early.serviceā€¦
Feb 13 00:12:07 hostname kernel: calling tpm_inf_pnp_driver_init+0x0/0xfc0 [tpm_infineon] @ 442
Feb 13 00:12:07 hostname kernel: initcall tpm_inf_pnp_driver_init+0x0/0xfc0 [tpm_infineon] returned 0 after 21 usecs
Feb 13 00:12:07 hostname kernel: calling init_tis+0x0/0xfc0 [tpm_tis] @ 442
Feb 13 00:12:07 hostname systemd-tpm2-setup[446]: ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory
Feb 13 00:12:07 hostname systemd-tpm2-setup[446]: Failed to create TPM2 context: State not recoverable
Feb 13 00:12:07 hostname kernel: tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 22)
Feb 13 00:12:07 hostname systemd[1]: systemd-tpm2-setup-early.service: Main process exited, code=exited, status=1/FAILURE
Feb 13 00:12:07 hostname systemd[1]: systemd-tpm2-setup-early.service: Failed with result ā€˜exit-codeā€™.
Feb 13 00:12:07 hostname systemd[1]: Failed to start systemd-tpm2-setup-early.service.
Feb 13 00:12:07 hostname systemd[1]: systemd-tpm2-setup.service was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
Feb 13 00:12:07 hostname systemd-modules-load[442]: Inserted module ā€˜tpm_tisā€™
Feb 13 00:12:07 hostname kernel: initcall init_tis+0x0/0xfc0 [tpm_tis] returned 0 after 35052 usecs
Feb 13 00:12:07 hostname kernel: calling crb_acpi_driver_init+0x0/0xfc0 [tpm_crb] @ 442
Feb 13 00:12:07 hostname kernel: initcall crb_acpi_driver_init+0x0/0xfc0 [tpm_crb] returned 0 after 18136 usecs
Feb 13 00:12:07 hostname systemd-modules-load[442]: Inserted module ā€˜tpm_crbā€™

6

OK, from this it looks like we just need to make sure the TPM drivers are available at boot. Iā€™ve built them into the kernel (instead of as modules in the root filesystem you need to decrypt) as of linux-6.7.4-1409, so give that a try once itā€™s available.

7

@btwarden ok, cool, thx! If I see it right its in staging / 41050

I tried and do not get the error message in the log anymore, but it still does not succeed with auto unlocking. As said, I have no problem if it is for example /opt (did not retest with the new version though,
but that happened after the root partition was mounted.

I tried to measure into different PCR, I tried 5 (which I used before with /opt) or a combination, like:
sudo systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs ā€œ0+1+2+3+4+5+7+9ā€ /dev/sda2

Are there any other requirements which have to be in place? Secure boot is off if this is relevant.

I also noticed in dmesg:
(sounds like https://bugs.archlinux.org/task/55535)

[Sat Feb 17 20:01:48 2024] systemd[1]: initrd-root-device.target: Wants dependency dropin /usr/lib/systemd/system/initrd-root-device.target.wants/remote-cryptsetup.target is not a symlink, ignoring.
[Sat Feb 17 20:01:48 2024] systemd[1]: initrd-root-device.target: Wants dependency dropin /usr/lib/systemd/system/initrd-root-device.target.wants/remote-veritysetup.target is not a symlink, ignoring.

also errors like: (see the extract further down for more)
Feb 17 20:01:50 hostname systemd[1]: systemd-tpm2-setup.service was skipped because of an unmet condition check (ConditionSecurity=measured-uki).

I thinnk the password prompt was entered around 20:01:54

I could not attach text files with the full output here, in case one want to see them:
journald: https://pastebin.com/raw/b5pK0WrA
dmesg: https://pastebin.com/raw/ABDRss6F

some extract: (cave, this is a concat of dmesg and journald which is sorted, so the order within a second might not be correct, please look at the above links for the actual output)

% ( curl -s https://pastebin.com/raw/ABDRss6F ; curl -s https://pastebin.com/raw/b5pK0WrA )|sed "s/\[Sat //" |sort| grep -iE "tpm|crypt|pass|sda|luks|uki|secu|mount|root"
Feb 17 20:01:44 clr-9d87827416c04c8c9cf131822c88c28d systemd-tty-ask-password-agent[320]: Starting password query on /dev/tty1.
Feb 17 20:01:44 clr-9d87827416c04c8c9cf131822c88c28d systemd-tty-ask-password-agent[321]: Starting password query on /dev/ttyS0.
Feb 17 20:01:44 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Finished lvm2-mount-sysroot.service.
Feb 17 20:01:44 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Finished systemd-remount-fs.service.
Feb 17 20:01:44 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Mounted tmp.mount.
Feb 17 20:01:44 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Started systemd-ask-password-console.service.
Feb 17 20:01:44 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Starting systemd-cryptsetup@luks\x2d235e3207\x2d2055\x2d4204\x2da68a\x2d618b52615297.service...
Feb 17 20:01:44 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Starting systemd-remount-fs.service...
Feb 17 20:01:44 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: lvm2-mount-sysroot.service: Deactivated successfully.
Feb 17 20:01:45 2024] pci 0000:00:1c.7: PTM enabled (root), 4ns granularity
Feb 17 20:01:46 2024] Trying to unpack rootfs image as initramfs...
Feb 17 20:01:46 2024] calling  populate_rootfs+0x0/0xc0 @ 1
Feb 17 20:01:46 2024] calling  safesetid_init_securityfs+0x0/0x100 @ 1
Feb 17 20:01:46 2024] calling  tpm_init+0x0/0x100 @ 1
Feb 17 20:01:46 2024] initcall populate_rootfs+0x0/0xc0 returned 0 after 3 usecs
Feb 17 20:01:46 2024] initcall safesetid_init_securityfs+0x0/0x100 returned 0 after 4 usecs
Feb 17 20:01:46 2024] iommu: Default domain type: Passthrough
Feb 17 20:01:47 2024]  sda: sda1 sda2
Feb 17 20:01:47 2024] SGI XFS with ACLs, security attributes, realtime, no debug enabled
Feb 17 20:01:47 2024] calling  tpm_inf_pnp_driver_init+0x0/0x40 @ 1
Feb 17 20:01:47 2024] calling  tpm_tis_i2c_driver_init+0x0/0x40 @ 1
Feb 17 20:01:47 2024] calling  tpm_tis_i2c_driver_init+0x0/0x40 @ 1
Feb 17 20:01:47 2024] calling  tpm_tis_spi_driver_init+0x0/0x40 @ 1
Feb 17 20:01:47 2024] initcall tpm_inf_pnp_driver_init+0x0/0x40 returned 0 after 4 usecs
Feb 17 20:01:47 2024] initcall tpm_tis_i2c_driver_init+0x0/0x40 returned 0 after 3 usecs
Feb 17 20:01:47 2024] initcall tpm_tis_i2c_driver_init+0x0/0x40 returned 0 after 3 usecs
Feb 17 20:01:47 2024] initcall tpm_tis_spi_driver_init+0x0/0x40 returned 0 after 3 usecs
Feb 17 20:01:47 2024] sd 1:0:0:0: [sda] 2000409264 512-byte logical blocks: (1.02 TB/954 GiB)
Feb 17 20:01:47 2024] sd 1:0:0:0: [sda] Attached SCSI disk
Feb 17 20:01:47 2024] sd 1:0:0:0: [sda] Mode Sense: 00 3a 00 00
Feb 17 20:01:47 2024] sd 1:0:0:0: [sda] Preferred minimum I/O size 512 bytes
Feb 17 20:01:47 2024] sd 1:0:0:0: [sda] Write Protect is off
Feb 17 20:01:47 2024] sd 1:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
Feb 17 20:01:47 2024] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 22)
Feb 17 20:01:48 2024] Freeing unused decrypted memory: 2028K
Feb 17 20:01:48 2024] Key type .fscrypt registered
Feb 17 20:01:48 2024] Key type encrypted registered
Feb 17 20:01:48 2024] Key type fscrypt-provisioning registered
Feb 17 20:01:48 2024] calling  crypto_algapi_init+0x0/0xc0 @ 1
Feb 17 20:01:48 2024] calling  crypto_kdf108_init+0x0/0x180 @ 1
Feb 17 20:01:48 2024] calling  dm_crypt_init+0x0/0x40 @ 1
Feb 17 20:01:48 2024] calling  fscrypt_init+0x0/0xc0 @ 1
Feb 17 20:01:48 2024] calling  init_encrypted+0x0/0x100 @ 1
Feb 17 20:01:48 2024] calling  init_root_keyring+0x0/0x40 @ 1
Feb 17 20:01:48 2024] calling  kernel_do_mounts_initrd_sysctls_init+0x0/0x40 @ 1
Feb 17 20:01:48 2024] calling  virtio_crypto_driver_init+0x0/0x40 @ 1
Feb 17 20:01:48 2024] initcall crypto_algapi_init+0x0/0xc0 returned 0 after 2852 usecs
Feb 17 20:01:48 2024] initcall crypto_kdf108_init+0x0/0x180 returned 0 after 1150 usecs
Feb 17 20:01:48 2024] initcall dm_crypt_init+0x0/0x40 returned 0 after 12 usecs
Feb 17 20:01:48 2024] initcall fscrypt_init+0x0/0xc0 returned 0 after 10309 usecs
Feb 17 20:01:48 2024] initcall init_encrypted+0x0/0x100 returned 0 after 13031 usecs
Feb 17 20:01:48 2024] initcall init_root_keyring+0x0/0x40 returned 0 after 14 usecs
Feb 17 20:01:48 2024] initcall kernel_do_mounts_initrd_sysctls_init+0x0/0x40 returned 0 after 4 usecs
Feb 17 20:01:48 2024] initcall virtio_crypto_driver_init+0x0/0x40 returned 0 after 7 usecs
Feb 17 20:01:48 2024] sdhci: Secure Digital Host Controller Interface driver
Feb 17 20:01:48 2024] systemd[1]: Created slice system-systemd\x2dcryptsetup.slice.
Feb 17 20:01:48 2024] systemd[1]: Mounting tmp.mount...
Feb 17 20:01:48 2024] systemd[1]: Started systemd-ask-password-console.path.
Feb 17 20:01:48 2024] systemd[1]: initrd-root-device.target: Wants dependency dropin /usr/lib/systemd/system/initrd-root-device.target.wants/remote-cryptsetup.target is not a symlink, ignoring.
Feb 17 20:01:48 2024] systemd[1]: initrd-root-device.target: Wants dependency dropin /usr/lib/systemd/system/initrd-root-device.target.wants/remote-veritysetup.target is not a symlink, ignoring.
Feb 17 20:01:48 2024] systemd[1]: systemd 252 running in system mode (+PAM +AUDIT -SELINUX -APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 -IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK -PCRE2 +PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 -LZ4 -XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=hybrid)
Feb 17 20:01:48 clr-9d87827416c04c8c9cf131822c88c28d systemd-cryptsetup[314]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/235e3207-2055-4204-a68a-618b52615297.
Feb 17 20:01:48 clr-9d87827416c04c8c9cf131822c88c28d systemd-tty-ask-password-agent[320]: Password query on /dev/tty1 finished successfully.
Feb 17 20:01:49 2024] systemd[1]: Starting lvm2-mount-sysroot.service...
Feb 17 20:01:49 2024] systemd[1]: Starting systemd-remount-fs.service...
Feb 17 20:01:49 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Finished systemd-cryptsetup@luks\x2d235e3207\x2d2055\x2d4204\x2da68a\x2d618b52615297.service.
Feb 17 20:01:49 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Reached target cryptsetup.target.
Feb 17 20:01:49 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Reached target initrd-root-device.target.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d kernel: EXT4-fs (dm-0): mounted filesystem 39d24141-c3ec-4829-a537-0cae06dac7f7 r/w with ordered data mode. Quota mode: disabled.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Mounted sysroot.mount.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Mounting sysroot.mount...
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Reached target initrd-root-fs.target.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Reached target initrd-switch-root.target.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Starting initrd-switch-root.service...
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Stopped systemd-ask-password-console.path.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Stopped systemd-ask-password-console.service.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Stopped systemd-remount-fs.service.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Stopped target cryptsetup.target.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Stopped target initrd-root-device.target.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Stopping systemd-ask-password-console.service...
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: Switching root.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: run-credentials-systemd\x2dtmpfiles\x2dsetup.service.mount: Deactivated successfully.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: systemd-ask-password-console.path: Deactivated successfully.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: systemd-ask-password-console.service: Deactivated successfully.
Feb 17 20:01:50 clr-9d87827416c04c8c9cf131822c88c28d systemd[1]: systemd-remount-fs.service: Deactivated successfully.
Feb 17 20:01:50 hostname systemd-modules-load[444]: Module 'tpm' is built in
Feb 17 20:01:50 hostname systemd-modules-load[444]: Module 'tpm_crb' is built in
Feb 17 20:01:50 hostname systemd-modules-load[444]: Module 'tpm_infineon' is built in
Feb 17 20:01:50 hostname systemd-modules-load[444]: Module 'tpm_tis' is built in
Feb 17 20:01:50 hostname systemd[1]: Finished systemd-remount-fs.service.
Feb 17 20:01:50 hostname systemd[1]: Mounted dev-hugepages.mount.
Feb 17 20:01:50 hostname systemd[1]: Mounted dev-mqueue.mount.
Feb 17 20:01:50 hostname systemd[1]: Mounted sys-fs-fuse-connections.mount.
Feb 17 20:01:50 hostname systemd[1]: Mounted sys-kernel-config.mount.
Feb 17 20:01:50 hostname systemd[1]: Mounted sys-kernel-debug.mount.
Feb 17 20:01:50 hostname systemd[1]: Mounted sys-kernel-tracing.mount.
Feb 17 20:01:50 hostname systemd[1]: Mounting sys-fs-fuse-connections.mount...
Feb 17 20:01:50 hostname systemd[1]: Mounting sys-kernel-config.mount...
Feb 17 20:01:50 hostname systemd[1]: Starting systemd-remount-fs.service...
Feb 17 20:01:50 hostname systemd[1]: systemd-tpm2-setup-early.service was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
Feb 17 20:01:50 hostname systemd[1]: systemd-tpm2-setup.service was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
Feb 17 20:01:51 hostname systemd-tmpfiles[487]: /usr/lib/tmpfiles.d/provision.conf:20: Duplicate line for path "/root", ignoring.
Feb 17 20:01:51 hostname systemd[1]: Mounted tmp.mount.
Feb 17 20:01:51 hostname systemd[1]: Mounting tmp.mount...
Feb 17 20:01:51 hostname systemd[1]: systemd-machine-id-commit.service was skipped because of an unmet condition check (ConditionPathIsMountPoint=/etc/machine-id).
Feb 17 20:01:51 hostname systemd[1]: systemd-pcrphase-sysinit.service was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
Feb 17 20:01:51 hostname systemd[1]: systemd-pcrphase.service was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
Feb 17 20:01:51 hostname systemd[1]: var-lib-machines.mount was skipped because of an unmet condition check (ConditionPathExists=/var/lib/machines.raw).
Feb 17 20:01:54 2024] EXT4-fs (dm-0): mounted filesystem 39d24141-c3ec-4829-a537-0cae06dac7f7 r/w with ordered data mode. Quota mode: disabled.
Feb 17 20:01:54 2024] systemd[1]: systemd 255 running in system mode (+PAM +AUDIT -SELINUX -APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 -IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK -PCRE2 +PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 -LZ4 -XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=hybrid)
Feb 17 20:01:55 2024] systemd[1]: Mounting dev-hugepages.mount...
Feb 17 20:01:55 2024] systemd[1]: Mounting dev-mqueue.mount...
Feb 17 20:01:55 2024] systemd[1]: Mounting sys-kernel-debug.mount...
Feb 17 20:01:55 2024] systemd[1]: Mounting sys-kernel-tracing.mount...
Feb 17 20:01:55 2024] systemd[1]: Reached target cryptsetup.target.
Feb 17 20:01:55 2024] systemd[1]: Set up automount proc-sys-fs-binfmt_misc.automount.
Feb 17 20:01:55 2024] systemd[1]: Started systemd-ask-password-console.path.
Feb 17 20:01:55 2024] systemd[1]: Started systemd-ask-password-wall.path.
Feb 17 20:01:55 2024] systemd[1]: Starting systemd-remount-fs.service...
Feb 17 20:01:55 2024] systemd[1]: systemd-pcrextend.socket was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
Feb 17 20:01:55 2024] systemd[1]: systemd-pcrmachine.service was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
Feb 17 20:01:55 2024] systemd[1]: systemd-tpm2-setup-early.service was skipped because of an unmet condition check (ConditionSecurity=measured-uki).

this is parts of the clr-installer.yaml

block-devices: [
   {name: "bdevice", file: "/dev/sda"}
]

targetMedia:
  - name: ${bdevice}
    ro: "false"
    rm: "false"
    type: disk
    children:
      - name: ${bdevice}1
        fstype: vfat
        mountpoint: /boot
        label: boot
        size: "1G"
        ro: "false"
        rm: "false"
        type: part
      - name: ${bdevice}2
        fstype: ext4
        mountpoint: /
        label: root
        size: "200G"
        ro: "false"
        rm: "false"
        type: crypt        

hostname: mek-cl-tpmtest
keyboard: us
language: en_US.UTF-8
bundles:
  [
    boot-encrypted,
    bootloader-extras,
    clr-installer, 
    cryptoprocessor-management,
    devpkg-tpm2-abrmd,
    devpkg-tpm2-tss,
    iftop,
    NetworkManager,
    openssh-server,
    os-core-update,
    os-core,
    storage-utils,
    sysadmin-basic,
    sysadmin-hostmgmt,
    time-server-basic,
    vim,
  ]

Let me know if there is anything I could try.

8

I havenā€™t tried anything with encrypted root, let alone TPM or Secure Boot, so I donā€™t know how much more I can help. But now that I think about it, Iā€™d expect Secure Boot to be required. Thatā€™s why youā€™re getting an unmet condition check on ConditionSecurity=measured-uki, though those service failures are probably not why youā€™re still not getting auto-unlock.

9

hi, @btwarden yes, will try with secure boot as well, will see that I can try it with secure boot.

The ā€œnot symlink - ignoringā€ error is something concerning me.

[Sat Feb 17 20:01:48 2024] systemd[1]: initrd-root-device.target: Wants dependency dropin /usr/lib/systemd/system/initrd-root-device.target.wants/remote-cryptsetup.target is not a symlink, ignoring.
[Sat Feb 17 20:01:48 2024] systemd[1]: initrd-root-device.target: Wants dependency dropin /usr/lib/systemd/system/initrd-root-device.target.wants/remote-veritysetup.target is not a symlink, ignoring.

is this something you could fix?

also things with errors, but looks unrelated:

Feb 17 20:01:44 clr-9d87827416c04c8c9cf131822c88c28d systemd-udevd[277]: /usr/lib/udev/rules.d/50-udev-default.rules:46 Unknown group 'sgx', ignoring
Feb 17 20:01:44 clr-9d87827416c04c8c9cf131822c88c28d systemd-udevd[277]: /usr/lib/udev/rules.d/50-udev-default.rules:47 Unknown group 'sgx', ignoring
Feb 17 20:01:51 hostname systemd-tmpfiles[487]: /usr/lib/tmpfiles.d/provision.conf:20: Duplicate line for path "/root", ignoring.
Feb 17 20:01:51 hostname systemd-tmpfiles[487]: /usr/lib/tmpfiles.d/systemd-resolve.conf:10: Duplicate line for path "/etc/resolv.conf", ignoring.
10

@btwarden any comment?

11

These are harmless warnings because we didnā€™t populate those targets in the initrd ā€“ theyā€™re for remote
encrypted volumes. Adding those means dumping a bunch more stuff (to satisfy their own dependencies) into the initrd that nobody has asked for.

I may try to clean these up when I have a chance, but theyā€™re still harmless warnings.

Iā€™m afraid Iā€™m out beyond my own expertise on TPM2/LUKS; what Iā€™ve suggested to you before is from various web searches of my own.

12

yes, I was only concerned about the first ones, as at least they contain ā€œcryptsetupā€, in case that it is also used for the root partition in some way.