Hi, I could use some help troubleshooting my situation post-install on this old work Thinkpad X1E Carbon 3rd Gen. It has Optimus hybrid graphics with an Nvidia card in case the brand/model didn’t give that away.
What I’ve done so far:
Booted from the latest Tumbleweed installer
Customized the launch settings to add “nomodeset” (without this, the installer ends up in a black screen)
Selected KDE Plasma
Customized my partitions referring to FDE, specifically:
/swap: encrypted filesystem, (whatever the default is here, don’t recall), systemd-based, Argon2id, TPM2
Noted that on my 1TB drive, the installer allocated 33% to /, which from what I can find online is way more than needed. I resized down to 40 GiB, then I moved /home “back” before the freed space and expanded it to fill the space freed from /.
Configured my user account, unchecked auto-login
Contrary to the documentation’s claims, at the final Installation Settings screen, GRUB2 BLS was not selected, so I clicked the header and selected it.
Post-installation, the system rebooted and I was not prompted for a password to unlock any partitions. I did get a boot menu with two options:
openSUSE Tumbleweed
Snapper: *openSUSE Tumbleweed
This is unexpected, so help with that would also be appreciated, but that’s not my biggest problem. After I select either one of those, I am presented with a login screen that does not show my user name. When I type in ANY password, right or wrong, and press Enter, I get dumped into a recovery console with the error:
Warning: /dev/mapper/cr_root does not exist
I entered my password here and used journalctl to see if I could see what went wrong, and I do see some errors such as
Failed to add OR policy to TPM
...
Failed to unseal secret using TPM2
...
Failed to activate with specified passphrase
So obviously something is not lining up right. I thought I had followed the setup directions correctly, and I know this laptop has a TPM chip in it (not sure if TPM2). Any pointers as to how I should proceed would be greatly appreciated! The logs might hint that the passphrase is not correct; I was never re-prompted for the passphrase after installing, do I need to manually add it to a file somewhere?
Which is most likely the screen where you enter your LUKS passphrase.
Of course, you are correct, that was the screen to enter my LUKS passphrase. How silly of me! Thank you for that advice. I have a few follow-up questions:
What exactly is the TPM support doing? Is it unlocking the / and /swap partitions but I still get prompted for my /home partition? In a previous install without TPM support, I got prompted twice, so this is an improvement. I just want to understand a bit better.
If I mistype my strong passphrase, I get dumped straight into a recovery session. Exiting just dumps me back there again. So how do I get another chance to type my passphrase in the event I typo?
As for the unexpected boot menu, it’s gone after a successful boot and login.
So how do I get another chance to type my passphrase in the event I typo?
To clarify, I’d prefer a method to return to the login UI, but I’ve used cryptsetup and mount before for virtual disks, so I’m comfortable doing this from the terminal if that’s the only way. I’m just not sure what paths to use.
One final question: is there a way to set things up so that I only need to enter my account login and the FDE is handled by TPM and the passphrase I already set up? I do want the disk resistant to decryption if removed from the laptop, but my account login is sufficiently strong while the disk remains where it is. Thanks!
No. FDE = Full Disk Encryption. This means that User Login cannot even happen before the disk decryption. Furthermore: without encryption a user login is never strong enough. Anybody booting from a USB key can change anything pretty easily.
Thanks. I accept this. Could you explain what the TPM support is actually gaining me here? I observed that I don’t have to enter my LUKS passphrase more than once, and not until after the boot completes. Is that all?
My current desktop has TPM2. An older laptop is from before the TPM era. They both behave the same with respect to FDE.
My understanding is that I could set up my current TPM2 desktop so that I would not need to provide the FDE passphrase at all. But I have not done that, and I don’t want to do that.
Without TPM anyone can replace the kernel and initrd that are unencrypted and unprotected on the ESP. That kernel and initrd can do anything - capture your passphrase, install a rootkit etc. TPM makes it possible to verify the kernel, initrd and other components and only allow unlocking when they have not been tampered with.
Thanks, that’s the article I linked in my original question, specifically I followed the steps under Detailed instructions for MicroOS and Tumbleweed. I tried to be as detailed as possible describing how I attempted to follow the instructions in case someone here could spot a possible mistake I might have made. That’s what led me to my current state, where I’m presented with a screen where I have only one chance to enter my LUKS password or get dumped into a recovery console that I don’t know how to meaningfully proceed from.
Is this the expected result?
If so, how can I either get more than one chance in case I typo my LUKS password or exit the recovery terminal in a way that will allow me to try again?
If not, could you suggest what I could look at to try to diagnose why it’s not working as expected?
Hmm … looking at the code, it tries first an external key (e.g. using TPM), if that fails it tries the empty passphrase and then it asks the user. These are three attempts, the default number. So, it appears to be expected, even if unintentionally.
Try adding tries=10 (or whatever) option to /etc/crypttab (do not forget to rebuild initrd). See man 5 crypttab.
# File created by sdbootutil. Comments will be removed
# Add the 'x-sdbootutil.ignore' option to un-track a device
cr_swap UUID=3399a128-64ed-4686-a4e3-6213af68edf7 none tpm2-device=auto,tpm2-measure-pcr=yes
cr_home UUID=5bbb3a14-48ee-4c52-8aaa-1db8e43a0fb2 none tpm2-device=auto,tpm2-measure-pcr=yes
cr_root UUID=0bdef385-8f66-40f8-a2cd-3ebca38edb48 none x-initrd.attach,tpm2-device=auto,tpm2-measure-pcr=yes
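As an added illustration of the `tries=` advice above (this script is not from any participant in the thread, and it never touches the real /etc/crypttab), the following POSIX shell function appends `tries=N` to the options field of every non-comment crypttab entry that does not already carry one. It runs on a constructed copy modelled on the sdbootutil-generated file posted above; the UUIDs in the sample are placeholders. Rebuilding the initrd afterwards, as the reply says, is a separate step that the script deliberately leaves to the administrator.

```shell
#!/bin/sh
# Add a tries=N option to crypttab entries (name device keyfile options).
# Comment and blank lines pass through unchanged; entries that already
# have a tries= option are left alone so the function is idempotent.
add_tries_option() {
    # $1 = path to a crypttab-format file, $2 = number of passphrase attempts
    awk -v n="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        {
            opts = (NF >= 4) ? $4 : ""
            # already configured: print the line untouched
            if (opts ~ /(^|,)tries=[0-9]+(,|$)/) { print; next }
            if (opts == "") opts = "tries=" n
            else opts = opts ",tries=" n
            printf "%s %s %s %s\n", $1, $2, $3, opts
        }' "$1"
}

# Constructed sample (placeholder UUIDs), shaped like the sdbootutil output in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# File created by sdbootutil. Comments will be removed
cr_swap UUID=00000000-0000-0000-0000-000000000001 none tpm2-device=auto,tpm2-measure-pcr=yes
cr_home UUID=00000000-0000-0000-0000-000000000002 none tpm2-device=auto,tpm2-measure-pcr=yes
cr_root UUID=00000000-0000-0000-0000-000000000003 none x-initrd.attach,tpm2-device=auto,tpm2-measure-pcr=yes
EOF

# Show what the edited file would look like; to apply it for real you would
# redirect this output to /etc/crypttab (after backing it up) and rebuild the initrd.
add_tries_option "$sample" 10
rm -f "$sample"
```

The `tries=` count only governs how many interactive prompts the initrd offers before dropping to the emergency shell; it is not a security control. The strength of the LUKS passphrase, and the TPM2 measurement that gates the automatic unlock, remain what protect the disk.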