I posted this on the OpenSUSE Subreddit.
Unfortunately, they were unable to help despite their good guidance, which I fully appreciate. So I have come here for assistance.
When I installed Tumbleweed I did so with a separate /home partition which is encrypted using the same key as the root partition.
I attempted to set up automated decryption of the drive using my TPM2 via the guide here (Quickstart in Full Disk Encryption with TPM and YaST2 - openSUSE MicroOS) but I couldn't get it working, as I keep getting prompted for my password to open the /home partition.
thehome@thehomesystemserver:~> sudo sdbootutil enroll --method tpm2
[sudo] password for thehome:
Garbage after device path end, ignoring.
Garbage after device path end, ignoring.
Garbage after device path end, ignoring.
NVIndex policy created
Enrolling with TPM2 (pcrlock): /dev/nvme0n1p2
Wiped slot 1.
🔐 Please enter current passphrase for disk /dev/nvme0n1p2: ••••••••••••••••••••••••••••••
New TPM2 token enrolled as key slot 1.
1 tpm2
Enrolling with TPM2 (pcrlock): /dev/nvme0n1p3
Wiped slot 1.
🔐 Please enter current passphrase for disk /dev/nvme0n1p3: ••••••••••••••••••••••••••••••
New TPM2 token enrolled as key slot 1.
1 tpm2
thehome@thehomesystemserver:~> sudo cat /etc/crypttab
# File created by sdbootutil. Comments will be removed
cr_root UUID=8e30cf4f-281a-4fd9-a885-9b66e57567dc - tpm2-device=auto
cr_home UUID=e557c87e-9a6e-4a29-8ce4-57691403002f - tpm2-device=auto
thehome@thehomesystemserver:~>
Any suggestions on what I do, cause I am kind of lost at the moment.
TPM unlock is bound to PCR values. What PCRs do you use?
P.S. First you show some commands using device names and then you show /etc/crypttab
using UUIDs. We have no idea whether they match.
thehome@thehomesystemserver:~> cat /etc/sysconfig/fde-tools
FDE_SEAL_PCR_LIST=0,2,4,7,9
thehome@thehomesystemserver:~> lsblk -f
NAME          FSTYPE            FSVER LABEL           UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda
└─sda1        linux_raid_member 1.2   thehostingraid  ed51a8bb-25d8-3bb6-1622-7ec1830577bd
  └─md126
    ├─md126p1 ext4              1.0   mypersonalspace 7489043d-2f77-4fd0-811a-e1221341df33
    └─md126p2 ext4              1.0   services        adf289a2-f9a2-4de2-9163-5f4b0a906765
sdb
└─sdb1        linux_raid_member 1.2   themediaraid    ab00edc7-9765-01d9-227c-dcc7f1a53d03
  └─md127
    ├─md127p1 ext4              1.0   downloads       5019dfb0-21a8-4424-a6b2-125b8c4df5e9
    └─md127p2 ext4              1.0   content         7e8cdd71-b6d6-45ff-8f21-8df626210a92
sdc
└─sdc1        linux_raid_member 1.2   thehostingraid  ed51a8bb-25d8-3bb6-1622-7ec1830577bd
  └─md126
    ├─md126p1 ext4              1.0   mypersonalspace 7489043d-2f77-4fd0-811a-e1221341df33
    └─md126p2 ext4              1.0   services        adf289a2-f9a2-4de2-9163-5f4b0a906765
sdd
└─sdd1        linux_raid_member 1.2   themediaraid    ab00edc7-9765-01d9-227c-dcc7f1a53d03
  └─md127
    ├─md127p1 ext4              1.0   downloads       5019dfb0-21a8-4424-a6b2-125b8c4df5e9
    └─md127p2 ext4              1.0   content         7e8cdd71-b6d6-45ff-8f21-8df626210a92
nvme0n1
├─nvme0n1p1   vfat              FAT32                 0964-123C                             386.8M    24% /boot/efi
├─nvme0n1p2   crypto_LUKS       2                     8e30cf4f-281a-4fd9-a885-9b66e57567dc
│ └─cr_root   btrfs                                   60a4cbe5-5643-4ebb-ac56-c5f18bea4aff  315.4G     1% /var
│                                                                                                         /usr/local
│                                                                                                         /root
│                                                                                                         /srv
│                                                                                                         /opt
│                                                                                                         /boot/grub2/x86_64-efi
│                                                                                                         /boot/grub2/i386-pc
│                                                                                                         /.snapshots
│                                                                                                         /
└─nvme0n1p3   crypto_LUKS       2                     e557c87e-9a6e-4a29-8ce4-57691403002f
  └─cr_home   ext4              1.0                   720c1308-8ef2-4bea-843a-4311d15db157  569.5G     0% /home
As I have attached above, the PCRs used are the ones that come with the fde-tools package via sdbootutil.
Is cr_root unlocked automatically? Show
bootctl --no-pager
ls -lR /boot/efi
Here are my results from both of those commands
thehome@thehomesystemserver:~> bootctl --no-pager
System:
Firmware: UEFI 2.80 (American Megatrends 5.27)
Firmware Arch: x64
Secure Boot: enabled (deployed)
TPM2 Support: yes
Measured UKI: no
Boot into FW: supported
Current Boot Loader:
Product: systemd-boot 256.5+suse.7.gbef0958f4d
Features: ✓ Boot counting
✓ Menu timeout control
✓ One-shot menu timeout control
✓ Default entry control
✓ One-shot entry control
✓ Support for XBOOTLDR partition
✓ Support for passing random seed to OS
✓ Load drop-in drivers
✓ Support Type #1 sort-key field
✓ Support @saved pseudo-entry
✓ Support Type #1 devicetree field
✓ Enroll SecureBoot keys
✓ Retain SHIM protocols
✓ Menu can be disabled
✓ Boot loader sets ESP information
ESP: /dev/disk/by-partuuid/3f034281-5ced-4398-9415-4ae1c1d1eb1a
File: └─/EFI/systemd/grub.efi
Random Seed:
System Token: set
Exists: yes
Available Boot Loaders on ESP:
ESP: /boot/efi (/dev/disk/by-partuuid/3f034281-5ced-4398-9415-4ae1c1d1eb1a)
File: ├─/EFI/systemd/MokManager.efi
├─/EFI/systemd/shim.efi
├─/EFI/systemd/grub.efi (systemd-boot 256.5+suse.7.gbef0958f4d)
├─/EFI/BOOT/MokManager.efi
├─/EFI/BOOT/fallback.efi
└─/EFI/BOOT/BOOTX64.EFI
Boot Loaders Listed in EFI Variables:
Title: openSUSE Boot Manager
ID: 0x0000
Status: active, boot-order
Partition: /dev/disk/by-partuuid/3f034281-5ced-4398-9415-4ae1c1d1eb1a
File: └─/EFI/systemd/shim.efi
Title: UEFI OS
ID: 0x0001
Status: active, boot-order
Partition: /dev/disk/by-partuuid/3f034281-5ced-4398-9415-4ae1c1d1eb1a
File: └─/EFI/BOOT/BOOTX64.EFI
Boot Loader Entries:
$BOOT: /boot/efi (/dev/disk/by-partuuid/3f034281-5ced-4398-9415-4ae1c1d1eb1a)
token: opensuse-tumbleweed
Default Boot Loader Entry:
type: Boot Loader Specification Type #1 (.conf)
title: openSUSE Tumbleweed
id: opensuse-tumbleweed-6.10.9-1-default-1.conf
source: /boot/efi//loader/entries/opensuse-tumbleweed-6.10.9-1-default-1.conf
sort-key: opensuse-tumbleweed
version: 1@6.10.9-1-default
linux: /boot/efi//opensuse-tumbleweed/6.10.9-1-default/linux-7afb7207baeb9be7786bdc54e7a622d60fe39f0e
initrd: /boot/efi//opensuse-tumbleweed/6.10.9-1-default/initrd-09c729372b1cc46beedf4771a3bf5a10932c8e42
options: root=UUID=60a4cbe5-5643-4ebb-ac56-c5f18bea4aff splash=silent quiet security=apparmor mitigations=auto rootflags=subvol=@/.snapshots/1/snapshot systemd.machine_id=efda46323ada419387d6bd80a5d01bca
thehome@thehomesystemserver:~> ls -lR /boot/efi
/boot/efi:
total 12
drwxr-xr-x 4 root root 4096 Sep 21 17:12 EFI
drwxr-xr-x 4 root root 4096 Sep 21 17:12 loader
drwxr-xr-x 3 root root 4096 Sep 21 17:12 opensuse-tumbleweed
/boot/efi/EFI:
total 8
drwxr-xr-x 2 root root 4096 Sep 21 17:12 BOOT
drwxr-xr-x 2 root root 4096 Sep 21 16:28 systemd
/boot/efi/EFI/BOOT:
total 1872
-rwxr-xr-x 1 root root 965528 Sep 20 07:14 BOOTX64.EFI
-rwxr-xr-x 1 root root 852312 Sep 20 07:14 MokManager.efi
-rwxr-xr-x 1 root root 90496 Sep 20 07:14 fallback.efi
/boot/efi/EFI/systemd:
total 1892
-rwxr-xr-x 1 root root 852312 Sep 20 07:14 MokManager.efi
-rwxr-xr-x 1 root root 64 Sep 21 17:12 boot.csv
-rwxr-xr-x 1 root root 101232 Aug 19 17:00 grub.efi
-rwxr-xr-x 1 root root 20 Sep 21 17:12 installed_by_sdbootutil
-rwxr-xr-x 1 root root 1666 Sep 21 17:14 pcrlock.json
-rwxr-xr-x 1 root root 965528 Sep 20 07:14 shim.efi
/boot/efi/loader:
total 20
drwxr-xr-x 2 root root 4096 Sep 21 16:56 credentials
drwxr-xr-x 2 root root 4096 Sep 21 16:56 entries
-rwxr-xr-x 1 root root 6 Sep 21 17:12 entries.srel
-rwxr-xr-x 1 root root 41 Sep 21 17:12 loader.conf
-rwxr-xr-x 1 root root 32 Sep 21 17:12 random-seed
/boot/efi/loader/credentials:
total 4
-rwxr-xr-x 1 root root 2411 Sep 21 16:56 pcrlock.opensuse-tumbleweed.cred
/boot/efi/loader/entries:
total 16
-rwxr-xr-x 1 root root 532 Sep 21 16:28 opensuse-tumbleweed-6.10.9-1-default-1.conf
-rwxr-xr-x 1 root root 568 Sep 21 17:13 opensuse-tumbleweed-6.10.9-1-default-2.conf
-rwxr-xr-x 1 root root 619 Sep 21 16:56 opensuse-tumbleweed-6.10.9-1-default-3.conf
-rwxr-xr-x 1 root root 620 Sep 21 16:56 opensuse-tumbleweed-6.10.9-1-default-4.conf
/boot/efi/opensuse-tumbleweed:
total 4
drwxr-xr-x 2 root root 4096 Sep 21 16:23 6.10.9-1-default
/boot/efi/opensuse-tumbleweed/6.10.9-1-default:
total 123324
-rwxr-xr-x 1 root root 41526684 Sep 21 16:19 initrd-09c729372b1cc46beedf4771a3bf5a10932c8e42
-rwxr-xr-x 1 root root 34872321 Sep 21 16:23 initrd-35989d2bba104790c6d68bb4e90dcadb95889d48
-rwxr-xr-x 1 root root 34989402 Sep 21 17:12 initrd-fed4adee40e91a6e938087c2d51a4d5701d54122
-rwxr-xr-x 1 root root 14887280 Sep 8 15:36 linux-7afb7207baeb9be7786bdc54e7a622d60fe39f0e
That looks good. You did not answer the question.
Yes. It did. Just /home that didn't.
Does /dev/nvme0n1p3 have a systemd-tpm2 token? You can check with
cryptsetup luksDump /dev/nvme0n1p3
It should have something like
Tokens:
...
1: systemd-tpm2
...
tpm2-pin: false
tpm2-pcrlock: true
tpm2-salt: false
tpm2-srk: true
tpm2-pcrlock-nv: true
Keyslot: 2
Does /var/lib/systemd/pcrlock.json exist? Can you check with
jq . /var/lib/systemd/pcrlock.json
whether it contains PCR hashes for the PCRs that are used?
Yes, it does contain the token, see here:
thehome@thehomesystemserver:~> sudo cryptsetup luksDump /dev/nvme0n1p3
[sudo] password for thehome:
LUKS header information
Version: 2
Epoch: 17
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: e557c87e-9a6e-4a29-8ce4-57691403002f
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha256
Iterations: 5691050
Salt: 2f d0 58 72 f3 27 a3 fd 52 66 05 b7 ff c6 04 31
d3 55 db 6a ef bd 45 21 dd 36 13 57 34 91 bf 5f
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
1: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha512
Iterations: 1000
Salt: 8a 3f f5 c5 f4 bf f7 d6 6e 7a bd 25 34 95 8a e0
61 80 47 f2 99 47 9a f9 40 cf c2 a2 0f 6f c6 fa
AF stripes: 4000
AF hash: sha512
Area offset:290816 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
0: systemd-tpm2
tpm2-hash-pcrs:
tpm2-pcr-bank: n/a
tpm2-pubkey:
(null)
tpm2-pubkey-pcrs:
tpm2-primary-alg: ecc
tpm2-policy-hash:
d3 f8 df b7 30 c8 0e 41 0a a8 d6 a7 ae c3 65 c9
96 a0 c2 87 dc 6b 6b cc bd f3 d5 e7 fa a1 82 c8
tpm2-pin: false
tpm2-pcrlock: true
tpm2-salt: false
tpm2-srk: true
tpm2-pcrlock-nv: true
Keyslot: 1
Digests:
0: pbkdf2
Hash: sha256
Iterations: 341333
Salt: b1 58 7e 55 72 6a 0e ed 14 8e 2d e3 e4 79 24 d4
b7 b7 33 4d 4e 31 14 16 08 85 0c eb 08 e2 b3 bf
Digest: d2 bf 81 47 f9 9d 0e 14 a5 ce 07 48 f5 7d fc 27
2e 27 09 d1 62 ed 0f 56 ed a3 b1 ea ce 01 71 93
Yes, /var/lib/systemd/pcrlock.json does exist.
{
  "pcrBank": "sha256",
  "pcrValues": [
    {
      "pcr": 0,
      "values": [
        "e7b80781ae0bf76ace0340cc3aad816ac15f8d1b7dc49d75a3025f50d9d0bbed",
        "2f6717e727d8700238a9c21ee607fa8ffbe0bb6a51ce22bf4479939d7046be94"
      ]
    },
    {
      "pcr": 2,
      "values": [
        "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
        "e21b703ee69c77476bccb43ec0336a9a1b2914b378944f7b00a10214ca8fea93"
      ]
    },
    {
      "pcr": 4,
      "values": [
        "1594d884537c303190e34ab6dbd6a51ad2ef51e0ab6da517e72d509db3765dda",
        "dac23ce7ca141dab270aae4b12ddbf62500e3bafcc6901af5a43d2c516ddadf3"
      ]
    },
    {
      "pcr": 7,
      "values": [
        "4f5cbaca19e07b701c7c7da9ee007038144507b8eb323cdb06e97563095c103c",
        "113fbc6a7a987e8ba72134b772985ff560a49bb48781dec42d7fdeab91e42cac"
      ]
    },
    {
      "pcr": 9,
      "values": [
        "eabc49696fcacf5652a96039274f36403361fbe28c947c74c3ec0e5b808c64e6",
        "5392c9bdb5e5afa52bfe7efa49b73e26dd637327699555c85da204ffc20d4ea8",
        "738e4b9a1f65f64fa0709c49017a9e0c1ecbf068abcd973a6136b1462d0f9012"
      ]
    }
  ],
  "nvIndex": 28154042,
  "nvHandle": "Aa2YugAiAAv7jF0O5pYXol6IIoVApoah6PRKEJzjf5cilvSkX9nVmAAAAAIALgGtmLoACyACEAgAIHC+v9jwdT3Npc3+NPVk18jH+dxJb30byusiqoTc8d3fACI=",
  "nvPublic": "AC4BrZi6AAsAAhAIACBwvr/Y8HU9zaXN/jT1ZNfIx/ncSW99G8rrIqqE3PHd3wAi",
  "srkHandle": "gQAAAQAiAAt8/i+Dgxub1avDhr7iTX8ATyR9v5TsbX7F93z2+us3lQAAAAEAWgAjAAsAAwRyAAAABgCAAEMAEAADABAAIMk7a7cq4jzRE6VU0NRiQ3qOVE2KIwYfESI1g2Q//u9YACB9eZGirW4W2NXzeYNDjVama5v4jVGl8vbn9QjPEX1HMA==",
  "pinPublic": "AE4ACAALAAAAEgAg0/jftzDIDkEKqNanrsNlyZagwofca2vMvfPV5/qhgsgAEAAglpmBbzpqjHcMPwr4K1rO12tHmTyB1wHjrGFH8YU2tkE=",
  "pinPrivate": "AJ4AIMsi2mkT2FSDM++0kKzMB+j+U61zPmr75zpbjDNnE5bzABDJ5/Wy4PaWqB5btWGFACLp2KSCBwTMHrgqABJiJpQU8urCL8LmGVtD013xbnUH8vN7VBtnpGTcThdO9HbGIbbIRpjh+N9TFBZgt9OEKv0TPzmbRJ4DlA3pzDQFLztuHNQSVuaHXCFjP5V02uzdPWTrnVkLmtB0dlin5w=="
}
Do the PCR values match? The command
tpm2_pcrread sha256:0,2,4,7,9
displays the current values. They must match one of the values listed in the JSON file for each PCR.
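An added example (not from the thread or from systemd/sdbootutil) that automates the comparison asked for here: it parses a pcrlock.json in the shape posted above and the output of tpm2_pcrread, and reports for each PCR in the policy whether the live value is one of the allowed ones. The embedded JSON and tpm2_pcrread text are constructed samples trimmed to PCRs 0 and 7, with PCR 7 deliberately altered so the mismatch case shows up.

```python
import json
import re

# Constructed sample: a pcrlock.json in the same shape as the one posted
# above, trimmed to PCRs 0 and 7 and without the nv*/srk*/pin* fields.
SAMPLE_PCRLOCK = json.dumps({
    "pcrBank": "sha256",
    "pcrValues": [
        {"pcr": 0, "values": [
            "e7b80781ae0bf76ace0340cc3aad816ac15f8d1b7dc49d75a3025f50d9d0bbed",
            "2f6717e727d8700238a9c21ee607fa8ffbe0bb6a51ce22bf4479939d7046be94"]},
        {"pcr": 7, "values": [
            "4f5cbaca19e07b701c7c7da9ee007038144507b8eb323cdb06e97563095c103c"]},
    ],
})
# Constructed sample of `tpm2_pcrread sha256:0,7` output. PCR 7 has its last
# bytes altered on purpose so the mismatch branch is exercised.
SAMPLE_PCRREAD = """\
sha256:
  0 : 0xE7B80781AE0BF76ACE0340CC3AAD816AC15F8D1B7DC49D75A3025F50D9D0BBED
  7 : 0x4F5CBACA19E07B701C7C7DA9EE007038144507B8EB323CDB06E97563095C1000
"""
_PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def parse_pcrread(text):
    """Map PCR index -> lowercase hex digest, parsed from tpm2_pcrread output."""
    live = {}
    for line in text.splitlines():
        m = _PCR_LINE.match(line)
        if m:
            live[int(m.group(1))] = m.group(2).lower()
    return live


def check_policy(pcrlock_json, pcrread_text):
    """For every PCR in the policy: True if the live value is one of the
    allowed values, False if it is not, None if tpm2_pcrread did not report it."""
    policy = json.loads(pcrlock_json)
    live = parse_pcrread(pcrread_text)
    result = {}
    for entry in policy["pcrValues"]:
        allowed = {v.lower() for v in entry["values"]}
        value = live.get(entry["pcr"])
        result[entry["pcr"]] = None if value is None else value in allowed
    return result


if __name__ == "__main__":
    labels = {True: "matches policy", False: "NOT in policy", None: "not read"}
    for pcr, ok in sorted(check_policy(SAMPLE_PCRLOCK, SAMPLE_PCRREAD).items()):
        print(f"PCR {pcr}: {labels[ok]}")
```

On the affected machine the two samples would be replaced by the contents of /var/lib/systemd/pcrlock.json and the output of tpm2_pcrread sha256:0,2,4,7,9 (the PCRs from FDE_SEAL_PCR_LIST).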
Yes. They are the ones that come with the fde-tools package, which are 0,2,4,7,9.
I am not sure we are talking about the same thing. You did obtain the PCR values with tpm2_pcrread and compared them with the values stored in JSON?
sha256:
0 : 0xE7B80781AE0BF76ACE0340CC3AAD816AC15F8D1B7DC49D75A3025F50D9D0BBED
2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
4 : 0x1594D884537C303190E34AB6DBD6A51AD2EF51E0AB6DA517E72D509DB3765DDA
7 : 0x4F5CBACA19E07B701C7C7DA9EE007038144507B8EB323CDB06E97563095C103C
9 : 0xEABC49696FCACF5652A96039274F36403361FBE28C947C74C3EC0E5B808C64E6
This is the result of tpm2_pcrread sha256:0,2,4,7,9, and I have compared it with the JSON above; it should match.
Try enabling debug output for systemd-cryptsetup:
mkdir /etc/systemd/system/systemd-cryptsetup\@cr_home.service.d
cat > /etc/systemd/system/systemd-cryptsetup\@cr_home.service.d/debug.conf << EOF
[Service]
Environment=SYSTEMD_LOG_LEVEL=debug
EOF
Reboot and upload the full output, as root, of
journalctl -b --no-pager --full
to https://paste.opensuse.org/
Any answers or you're still investigating?
Sep 22 12:04:10 localhost systemd-cryptsetup[961]: Failed to find TPM2 pcrlock policy file 'pcrlock.json': No such file or directory
...
Sep 22 12:04:11 localhost systemd[1]: Mounting /var...
In hindsight it is obvious.
For testing you can try copying pcrlock.json somewhere inside the root (e.g. /etc/systemd/pcrlock.json) and adding the tpm2-pcrlock= option (see man crypttab for details). It is not a solution because this file will not be updated (and you will need to update the TPM2 policy and pcrlock.json every time you get a new kernel or rebuild the initrd, which may be your next issue - I am not sure whether sdbootutil TPM2 is actually integrated into kernel updates on Tumbleweed. On MicroOS it is called as a tukit plugin).
Otherwise, on first glance it sounds like an upstream problem. You may consider opening an issue on the systemd GitHub. Very likely the response will be "if you need /var that early, mount it in the initrd". Which will then become something for openSUSE maintainers to integrate.
In the meantime you can test it as well, see man dracut.conf, search for add_fstab. This will also work after kernel updates (as long as new kernel measurements are added to the TPM2 policy).
Thanks. I'll open an issue on the systemd GitHub. Regarding the openSUSE maintainers integrating it, would you know how I go about raising it with them?