[Bug 1980018] Re: Cryptsetup-initramfs cant deal with tpm2-device option

W McElderry 1980018 at bugs.launchpad.net
Fri Sep 9 15:37:44 UTC 2022


To anyone thinking about using the scripts:

Be sure you understand the impact of the initrd not being measured
before you deploy this solution on valuable data!

My explanation is that it means anyone who can write to your /boot
directory can replace your initrd with a modified/compromised version
and then access unencrypted files without any password.

As I understand it, the attacker would need to run the attack in a
device with access to the TPM initially (they cannot just clone the disk
and use another computer to decrypt it) [as christopher88hall commented].
And it could be said that this same attack would compromise many
common system deployments!

Some may think of this as an upgrade over the next best suitable option
for them (which could be an unencrypted filesystem) and others will
think of it as a major downgrade just to avoid typing a password.  It's
a choice for each of us to take in our own way, but make sure you know
what your decision is based on!


I'd hate for you to get a nasty surprise /after/ some malicious attacker just walked off with all your valuable data and you've potentially lost everything...

Much better to read about it first if there's any doubt in your mind and
work out if this is better or worse than you currently have!


From christopher88hall's comments, I suspect he has it straight already, but ultimately his decision is between him and his data security policies.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1980018

Title:
  Cryptsetup-initramfs cant deal with tpm2-device option

Status in cryptsetup package in Ubuntu:
  Confirmed

Bug description:
  In order to boot an encrypted system and autounlock with tpm2, the
  tpm2-device= option must be specified in  /etc/crypttab. This works
  for non-root filesystems for some reason, but when applied to root
  filesystems it doesn't. Tested working on both Arch and Fedora, so the
  method is good, something is off in the background.


  root@test:~# update-initramfs -u
  update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
  cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'

  
  Manually adding it to  /lib/cryptsetup/functions produces this

  root@test:~# update-initramfs -u
  update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
  /usr/share/initramfs-tools/hooks/cryptroot: 1: eval: CRYPTTAB_OPTION_tpm2-device=auto: not found

  
  That file belongs to cryptsetup-initramfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1980018/+subscriptions
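The "eval: CRYPTTAB_OPTION_tpm2-device=auto: not found" error in the bug description comes from the hyphen in the option name: a POSIX shell variable name may only contain letters, digits and underscores, so the hook cannot assign to a name built directly from "tpm2-device". The script below is an added illustration written for this thread, not code from the bug report or from the cryptsetup-initramfs package; the crypttab content is constructed, the function names (crypttab_option_varname, crypttab_options, uses_tpm2_device) are hypothetical, and the sanitization shown is one way to handle such option names, not the project's own fix. The last function gives an administrator a quick check for which entries rely on the TPM without a passphrase, which is exactly where the unmeasured-initrd caveat in the post applies.

```shell
#!/bin/sh
# Constructed /etc/crypttab content for the example (not from the bug report).
CRYPTTAB_SAMPLE='# <target> <source> <keyfile> <options>
sda3_crypt UUID=deadbeef-0000-0000-0000-000000000001 none luks,discard,tpm2-device=auto
data_crypt UUID=deadbeef-0000-0000-0000-000000000002 none luks
'

# Turn a crypttab option name into a valid shell identifier.  A hyphen is not
# allowed in a variable name, which is why "eval CRYPTTAB_OPTION_tpm2-device=auto"
# fails; replacing every non-identifier character with "_" avoids that.
# (Hypothetical helper, not the package's own code.)
crypttab_option_varname() {
    printf 'CRYPTTAB_OPTION_%s\n' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_')"
}

# Print one "NAME=value" line per option of the crypttab entry whose target
# is $1, using sanitized names.  Options without "=value" get an empty value.
crypttab_options() {
    target="$1"
    printf '%s\n' "$CRYPTTAB_SAMPLE" | while read -r tgt src key opts; do
        # skip blank lines and comments
        case "$tgt" in ''|\#*) continue ;; esac
        [ "$tgt" = "$target" ] || continue
        old_ifs=$IFS
        IFS=,
        for opt in $opts; do
            name=${opt%%=*}
            if [ "$name" = "$opt" ]; then
                value=          # flag option such as "luks" or "discard"
            else
                value=${opt#*=}
            fi
            printf '%s=%s\n' "$(crypttab_option_varname "$name")" "$value"
        done
        IFS=$old_ifs
    done
}

# Succeed (exit 0) when the entry for target $1 carries a tpm2-device option,
# i.e. the volume is meant to be unlocked by the TPM without a passphrase.
uses_tpm2_device() {
    crypttab_options "$1" | grep -q '^CRYPTTAB_OPTION_tpm2_device='
}

# Stand-alone run: list every entry and flag the ones unlocked via the TPM.
for t in sda3_crypt data_crypt; do
    if uses_tpm2_device "$t"; then
        printf '%s: unlocked by TPM without a passphrase (check that the initrd is measured)\n' "$t"
    else
        printf '%s: passphrase or keyfile unlock\n' "$t"
    fi
done
```

On a real system the sample string would be replaced by reading /etc/crypttab, and the warning printed for TPM-unlocked entries is the place to decide, as the post says, whether an unmeasured initrd is acceptable for that volume.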
