[Bug 1980018] Re: Cryptsetup-initramfs cant deal with tpm2-device option
Stewart Shearer
1980018 at bugs.launchpad.net
Tue Jun 28 06:07:02 UTC 2022
Hey, just wanted to add my 2c here:
I'm closely following along -- I want to do automatic unlock on a laptop with TPM2. I tried a similar thing of adding tpm2-devices to the /lib/cryptsetup/functions file. There are a number of locations you need to change it; if you follow along one of the other options that takes arguments (like keyfile-size or keyfile-offset), you can eventually get update-initramfs to work without complaint.
However, on reboot, it was effectively bricked with an "unknown option" for cryptsetup (not exactly sure of the wording).
I'm wondering if that means it's in cryptsetup-bin, not just the cryptsetup scripts? Running cryptsetup without any options shows it doesn't have that tpm2-device option, and if I look at cryptsetup.c, I can see it defines a bunch of variables like
static uint64_t opt_keyfile_offset = 0;
But tpm2-devices is not one of them.
All of which is to say -- it's not just that /lib/cryptsetup/functions
file.... :)
--
https://bugs.launchpad.net/bugs/1980018
Title:
Cryptsetup-initramfs cant deal with tpm2-device option
Status in cryptsetup package in Ubuntu:
Confirmed
Bug description:
In order to boot an encrypted system and autounlock with tpm2, the
tpm2-device= option must be specified in /etc/crypttab. This works
for non-root filesystems for some reason, but when applied to root
filesystems it doesn't. Tested working on both Arch and Fedora, so the
method is good, something is off in the background.
root@test:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'
Manually adding it to /lib/cryptsetup/functions produces this
root@test:~# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
/usr/share/initramfs-tools/hooks/cryptroot: 1: eval: CRYPTTAB_OPTION_tpm2-device=auto: not found
That file belongs to cryptsetup-initramfs
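
The `eval: CRYPTTAB_OPTION_tpm2-device=auto: not found` message above is what a POSIX shell prints when the text before `=` is not a valid variable name: a hyphen is not allowed there, so the whole word is run as a command instead. The following sketch is an added example, not code from the original report or from cryptsetup-initramfs; the function names and the hyphen-to-underscore mapping are assumptions chosen for illustration, and it does not add the option to the cryptsetup binary.

```shell
#!/bin/sh
# Added example with constructed option strings; helper names are hypothetical.

# Naive form: the option name is pasted straight into a variable name.
# $1 is "name=value" as it would appear in the crypttab options field.
set_option_naive() {
    eval "CRYPTTAB_OPTION_${1%%=*}=${1#*=}"
}

# Safer form: validate the name, map '-' to '_', and assign the value
# without letting eval re-parse it.
set_option_safe() {
    name=${1%%=*}
    case "$1" in
        *=*) value=${1#*=} ;;
        *)   value=yes ;;        # flag-style option without a value
    esac
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # reject anything but a plain option name
    esac
    var="CRYPTTAB_OPTION_$(printf '%s' "$name" | tr '-' '_')"
    # \$value is expanded by eval itself, so the stored value stays literal.
    eval "$var=\$value"
}

# Demo: the naive form fails on a hyphenated name, the safe form stores it.
set_option_naive 'tpm2-device=auto' || echo "naive: exit status $?"
set_option_safe 'tpm2-device=auto' &&
    echo "safe: CRYPTTAB_OPTION_tpm2_device=$CRYPTTAB_OPTION_tpm2_device"
```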