Tumbleweed - LUKS2 with TPM2+PIN has been unreliable for me, what did I do wrong?

Hi all,

I recently installed Tumbleweed on my Thinkpad X9-15 (a few times, to test some things out).

I made a BTRFS root partition, with an XFS home, and 32GB of swap.

I chose to encrypt with LUKS2 and selected TPM2+PIN as the unlock method.

However, the installer prompted me for a password, and upon login to the desktop, I realised that there was only a password keyslot occupied on the /, home and swap partitions.

I registered my own tpm2+pin slot and it seemed like all was good.

I noticed when I was booting an older snapshot, that sometimes it would just keep asking me for my PIN, and then drop me to an emergency shell after multiple attempts. I thought this might be because I added my TPM2+PIN key to the drive and just assumed that older snapshots would be invalid because the current state of the drive is different than it was when I only had a password slot. (I’m just getting started with Linux really, so my understanding isn’t too great).

Today, I updated my UEFI, and noticed that even running on the current snapshot, I would get prompted for my PIN constantly. (I pressed ESC and verified it was asking for the PIN and not the password).

On a whim, I entered my password multiple times, and it ended up letting me in, but then it started failing on a PCR15 check, so I added measure-pcr-validator.ignore=yes to my cmdline and booted again.

I then re-enrolled the TPM2+PIN and tried getting in again, but kept getting the same assortment of errors, to the point where I was locked out of the system.

I managed to use systemd-cryptenroll attach cr_root and then my device UUID to get my drive into /dev/mapper, and then tried to mount it to /mnt/root from dracut, and I was trying to chroot into it so I could clear the TPM keyslots. This didn’t work (/dev/ only contained null, so I did something wrong). I ended up using a recovery USB and managed to clear the TPM2+PIN slot and get back into the system (keeping the PCR skip in the command line).

So now I’m back to using password only. I had to manually edit /etc/crypttab and remove mentions of the TPM2 and measuring the PCR, and it seems to be working fine.

My questions are:

  1. Should the YaST installer for tumbleweed have prompted me to set a PIN? I don’t see the point in choosing TPM2+PIN if it just registered a password only anyway.
  2. What did I do wrong here? If updating my UEFI is going to lock me out of the system, what can I do to mitigate this?
  3. Should I ONLY be using the TPM2+PIN keyslot, or should I keep password in there too? Is mixing both complicating things?
  4. Why is the message ambiguous about requesting my PIN, when it really was asking for my password?

Thanks for reading through all that. I’m interested in resolving this, and I’m still surprised I managed to rescue my way out of this being a somewhat new user.
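Questions 2 and 3 above come down to what the LUKS2 header actually holds: which keyslot a TPM2 token unlocks, which PCRs it is sealed against, and whether an independent passphrase slot is still there to fall back on. The following audit script is an added example, not code from any poster or from openSUSE; it parses the JSON that `cryptsetup luksDump --dump-json-metadata <device>` prints (token field names as written by systemd-cryptenroll), and `SAMPLE_HEADER` is a constructed stand-in rather than anyone's real header.

```python
"""Audit a LUKS2 header for TPM2+PIN enrolment before a firmware update.

Input is the JSON printed by `cryptsetup luksDump --dump-json-metadata <dev>`.
SAMPLE_HEADER is a constructed stand-in (one passphrase slot, one TPM2+PIN
slot), not taken from any poster's machine.
"""
import json
import sys

# PCRs holding firmware code/config and option ROMs (TCG PC Client profile).
# A UEFI update changes them, so a token sealed against them will no longer
# unseal until it is re-enrolled.
FIRMWARE_PCRS = {0, 1, 2, 3}

SAMPLE_HEADER = json.dumps({
    "keyslots": {"0": {"type": "luks2", "key_size": 64},
                 "1": {"type": "luks2", "key_size": 64}},
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"],
                     "tpm2-pcrs": [0, 2, 4, 7], "tpm2-pcr-bank": "sha256",
                     "tpm2-pin": True}},
})


def audit(header_json: str) -> dict:
    """Summarise TPM2 tokens, the PCRs they bind, and whether a non-TPM
    keyslot (passphrase/recovery key) remains as a fallback."""
    hdr = json.loads(header_json)
    keyslots = set(hdr.get("keyslots", {}))
    tokens = [t for t in hdr.get("tokens", {}).values()
              if t.get("type") == "systemd-tpm2"]
    tpm_slots = {s for t in tokens for s in t.get("keyslots", [])}
    fallback = keyslots - tpm_slots
    bound = {p for t in tokens for p in t.get("tpm2-pcrs", [])}
    sensitive = bound & FIRMWARE_PCRS
    return {
        "tpm2_tokens": len(tokens),
        "pin_required": bool(tokens) and all(t.get("tpm2-pin") for t in tokens),
        "bound_pcrs": sorted(bound),
        "firmware_sensitive_pcrs": sorted(sensitive),
        "fallback_slots": sorted(fallback, key=int),
        # Lock-out after a UEFI update needs both: a firmware-bound token and
        # no independent slot left to type a passphrase into.
        "lockout_risk": bool(sensitive) and not fallback,
    }


if __name__ == "__main__":
    # Pipe real metadata in, or run with no input to audit the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HEADER
    print(json.dumps(audit(data), indent=2))
```

Run it against the real header before flashing firmware: a non-empty `firmware_sensitive_pcrs` list tells you the TPM2 token will need re-enrolling afterwards, and an empty `fallback_slots` list is the situation in which that re-enrolment cannot be done from the booted system.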

Having similar woes. From what I could figure out, the YaST installer really is broken when it comes to properly setting up LUKS-LVM with TPM2+PIN and possibly other unlock options. Digging through SUSE’s Bugzilla (which isn’t indexed by Google, nice), I eventually got confirmation that whatever password the user enters during the install will be set as TPM PIN and passphrase the same, which is absolutely stupid.

I then managed to re-enroll TPM+PIN and a sensible passphrase post-installation.

Then later I ran into the PCR 15 problem, but couldn’t get my way around it, except for finally reinstalling and hoping it won’t break again.

YaST is on its way out, so I looked for an Agama installer ISO, but that seems to be broken as well until further notice. Really thinking about going back to Debian-based distros with all this stuff not working and not being documented properly.

For me, I checked the keyslots after install and I only had a password slot, I had to manually enroll it with --method=tpm2+pin, but the UEFI update almost caused me to lose all of my data (not an issue for me personally, but I assume this isn’t the case for a lot of users).

I went back to just a password slot for now.

Then later I ran into the PCR 15 problem, but couldn’t get my way around it, except for finally reinstalling and hoping it won’t break again.

Not sure what the official fix is, but you can add “measure-pcr-validator.ignore=yes” as a kernel parameter and you’ll get back into the system, and from there remove the TPM unlock from the key slot and /etc/crypttab.

The annoying thing is that the error messages tell you how to bypass it, but Plymouth obscures it, so people unfamiliar will just see their machine powering down randomly with no feedback.

For me, that kernel option just stopped the automatic reboot. Did your console during Plymouth also show “Failed to start Cryptography setup for …”? Perhaps mine was properly broken.

Sounds like you need to add enable.plymouth=0 to the boot options if it’s interfering?

Possibly, I’ve had a lot of issues with TPM2 and LUKS outside of the PCR 15 issue, it’s been hard to keep track. I’ll keep better notes if I go back to it.

Same. This week every time I wanted to boot I’ve been having to:

  1. remember to press e on systemd-boot and add measure-pcr-validator.ignore=yes
  2. enter my TPM2 PIN and get into dracut emergency shell
  3. in the emergency shell, run systemd-cryptsetup attach on my LUKS2 drives
  4. mount & exit to get to my desktop.

All having followed the latest official guides on FDE.

When you’re in dracut you might be able to list the systemd services and see which one is stalled, and use systemctl status to get a better idea of what’s happening.

All I get is a generic systemd-cryptsetup failure. “TPM2 operation failed, falling back to traditional unlocking: No such device or address
Set cipher aes…
Failed to activate with specified passphrase. (Passphrase incorrect?)
Set cipher…
Failed to activate with specified passphrase…
Failed to start Cryptography setup for cr_root.”
It’s worth noting that I was never asked for my passphrase.