[Bug 1980018] Re: Cryptsetup-initramfs cant deal with tpm2-device option

Steve Langasek 1980018 at bugs.launchpad.net
Mon Oct 30 08:13:02 UTC 2023


On Mon, Oct 30, 2023 at 01:47:49AM -0000, Grumpus wrote:
> "What gives you that impression? What PCR do you see being extended by GRUB
> with a hash of the initramfs when loaded?"

> I found if I update initramfs on Ubuntu 22.04 then PCR9 changes.

> I only tested this as below led me to believe this was an intended
> behaviour:

> https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/
> https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers
> https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html
> https://github.com/rhboot/shim/blob/main/README.tpm

> Hence when I read your original comment it left me wondering whether I'm
> misunderstanding something.

Thanks.  I didn't know that GRUB was measuring into PCR9.  But I also think
this is not a PCR we are sealing against in our implementation due to
fragility, and I would expect others not to want to seal against it either
(except for the fact that you would need to, to be secure against initramfs
bypass).

https://bugs.launchpad.net/bugs/1980018

Title:
  Cryptsetup-initramfs cant deal with tpm2-device option

Status in cryptsetup package in Ubuntu:
  Triaged

Bug description:
  In order to boot an encrypted system and autounlock with tpm2, the
  tpm2-device= option must be specified in /etc/crypttab. This works
  for non-root filesystems for some reason, but when applied to root
  filesystems it doesn't. Tested working on both arch and fedora, so the
  method is good, something is off in the background.
  root at test:~# update-initramfs -u
  update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
  cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'

  Manually adding it to /lib/cryptsetup/functions produces this

  root at test:~# update-initramfs -u
  update-initramfs: Generating /boot/initrd.img-5.15.0-40-generic
  /usr/share/initramfs-tools/hooks/cryptroot: 1: eval: CRYPTTAB_OPTION_tpm2-device=auto: not found

  That file belongs to cryptsetup-initramfs.
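As an added illustration of the eval failure shown in the bug description (my own example, not code from cryptsetup-initramfs): a POSIX sh crypttab option parser that maps the hyphen in tpm2-device to an underscore and rejects any other name that is not a valid shell variable name before it reaches eval, so a line like "tpm2-device=auto" becomes CRYPTTAB_OPTION_tpm2_device instead of an "eval: ... not found" error. The convention that a flag without a value is set to "yes" is an assumption.

```shell
#!/bin/sh
# Added example, not the cryptsetup-initramfs implementation.
# Parse the options field of a crypttab entry into CRYPTTAB_OPTION_*
# variables without handing an invalid name such as
# CRYPTTAB_OPTION_tpm2-device to eval.

# Set CRYPTTAB_OPTION_<name> for one option ("name" or "name=value").
# Hyphens in the name are mapped to underscores; any other character
# that is not valid in a shell variable name, an empty name, or a name
# starting with a digit makes the option be skipped with a warning.
crypttab_set_option() {
    _opt="$1"
    case "$_opt" in
        *=*) _name="${_opt%%=*}"; _value="${_opt#*=}" ;;
        *)   _name="$_opt";       _value="yes" ;;   # assumed flag convention
    esac
    _name=$(printf '%s' "$_name" | tr '-' '_')
    case "$_name" in
        ''|*[!A-Za-z0-9_]*|[0-9]*)
            echo "cryptsetup: WARNING: ignoring malformed option '$_opt'" >&2
            return 1 ;;
    esac
    # eval only ever sees "CRYPTTAB_OPTION_<validated name>=$_value"; the
    # value is expanded by eval itself, never re-parsed as shell syntax.
    eval "CRYPTTAB_OPTION_$_name=\$_value"
}

# Parse the comma-separated options field of one crypttab line.
# Malformed options are warned about and skipped; parsing continues.
crypttab_parse_options() {
    _saved_ifs="$IFS"
    IFS=','
    for _o in $1; do
        IFS="$_saved_ifs"
        if [ -n "$_o" ]; then
            crypttab_set_option "$_o" || :
        fi
    done
    IFS="$_saved_ifs"
}
```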

