
LUKS unlock failure with a FIDO2 token when using gpt-auto-generator #32586

Open
capito27 opened this issue Apr 30, 2024 · 1 comment
Labels: bug 🐛 (Programming errors, that need preferential fixing), cryptsetup, gpt-auto

Comments

capito27 commented Apr 30, 2024

systemd version the issue has been seen with

255 (255.5-3-arch)

Used distribution

CachyOS (rolling)

Linux kernel version used

6.8.8-2-cachyos

CPU architectures issue was seen on

x86_64

Component

systemd-cryptsetup, systemd-gpt-auto-generator

Expected behaviour you didn't see

The automatic LUKS unlock by the systemd-gpt-auto generator calling
/usr/bin/systemd-cryptsetup attach root /dev/gpt-auto-root-luks "" fido2-device=auto

Unexpected behaviour you saw

Attempted (and failed) LUKS unlock by the systemd-gpt-auto generator calling
/usr/bin/systemd-cryptsetup attach root /dev/gpt-auto-root-luks "" tpm2-device=auto,tpm2-measure-pcr=yes when no TPM keyslot was previously configured by systemd-cryptenroll,
followed by an automatic fallback to recovery passphrase unlock.

Steps to reproduce the problem

  1. Configure system with a LUKS-protected rootfs in a DPS GPT partition, along with a TPM installed (for measured boot) but unused for LUKS key storage.
  2. Configure the LUKS keyslots as follows:
    i. Slot 0: Recovery passphrase
    ii. Slot 1: FIDO2 token
    iii. Slots 2-7: Empty
  3. Attempt to boot the system

Additional program output to the terminal or log subsystem illustrating the issue

Likely related to #30176 / #30185

cryptenroll output:

sudo systemd-cryptenroll /dev/nvme0n1p2
SLOT TYPE    
   0 recovery
   1 fido2

Relevant bootctl logs for systemd-cryptsetup and systemd-gpt-auto-generator (in debug mode):

sudo journalctl -b | grep -E "systemd-cryptsetup|systemd-gpt-auto-generator"
avr 30 16:06:34 cachyos (sd-e[201]: About to execute /usr/lib/systemd/system-generators/systemd-cryptsetup-generator (null)
avr 30 16:06:34 cachyos (sd-e[201]: About to execute /usr/lib/systemd/system-generators/systemd-gpt-auto-generator (null)
avr 30 16:06:34 cachyos (sd-e[201]: /usr/lib/systemd/system-generators/systemd-cryptsetup-generator succeeded.
avr 30 16:06:34 cachyos systemd-gpt-auto-generator[204]: Reading EFI variable /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
avr 30 16:06:34 cachyos systemd-gpt-auto-generator[204]: Reading EFI variable /sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
avr 30 16:06:34 cachyos systemd-gpt-auto-generator[204]: Adding /sysroot: /dev/gpt-auto-root fstype=(any)
avr 30 16:06:34 cachyos (sd-e[201]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator succeeded.
avr 30 16:06:34 cachyos systemd[1]: unit_file_build_name_map: normal unit file: /run/systemd/generator.late/systemd-cryptsetup@root.service
avr 30 16:06:36 cachyos systemd[1]: systemd-cryptsetup@root.service: Trying to enqueue job systemd-cryptsetup@root.service/start/fail
avr 30 16:06:36 cachyos systemd[1]: systemd-cryptsetup@root.service: Installed new job systemd-cryptsetup@root.service/start as 51
avr 30 16:06:36 cachyos systemd[1]: systemd-cryptsetup@root.service: Enqueued job systemd-cryptsetup@root.service/start as 51
avr 30 16:06:36 cachyos systemd[1]: Created slice Slice /system/systemd-cryptsetup.
avr 30 16:06:36 cachyos systemd[1]: systemd-cryptsetup@root.service: Will spawn child (service_enter_start): /usr/bin/systemd-cryptsetup
avr 30 16:06:36 cachyos systemd[1]: systemd-cryptsetup@root.service: Passing 0 fds to service
avr 30 16:06:36 cachyos systemd[1]: systemd-cryptsetup@root.service: About to execute: /usr/bin/systemd-cryptsetup attach root /dev/gpt-auto-root-luks "" tpm2-device=auto,tpm2-measure-pcr=yes
avr 30 16:06:36 cachyos systemd[1]: systemd-cryptsetup@root.service: Forked /usr/bin/systemd-cryptsetup as 310
avr 30 16:06:36 cachyos systemd[1]: systemd-cryptsetup@root.service: Changed dead -> start
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Loaded 'libcryptsetup.so.12' via dlopen()
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: run root ← /dev/gpt-auto-root-luks type= cipher=
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Allocating context for crypt device /dev/gpt-auto-root-luks.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Trying to open and read device /dev/gpt-auto-root-luks with direct-io.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Initialising device-mapper backend library.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: dm version   [ opencount flush ]   [16384] (*1)
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: dm versions   [ opencount flush ]   [16384] (*1)
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Detected dm-ioctl version 4.48.0.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Device-mapper backend running with UDEV support enabled.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: dm status root  [ opencount noflush ]   [16384] (*1)
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Trying to load any crypt type from device /dev/gpt-auto-root-luks.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Crypto backend (OpenSSL 3.2.1 30 Jan 2024 [default][legacy][threads][argon2]) initialized in cryptsetup library version 2.7.2.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Detected kernel Linux 6.8.8-2-cachyos x86_64.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Loading LUKS2 header (repair disabled).
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Acquiring read lock for device /dev/gpt-auto-root-luks.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Locking directory /run/cryptsetup will be created with default compiled-in permissions.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Opening lock resource file /run/cryptsetup/L_259:2
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Verifying lock handle for /dev/gpt-auto-root-luks.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Device /dev/gpt-auto-root-luks READ lock taken.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Trying to read primary LUKS2 header at offset 0x0.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Opening locked device /dev/gpt-auto-root-luks
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Verifying locked device handle (bdev)
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: LUKS2 header version 2 of size 16384 bytes, checksum sha256.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Checksum:75a3ee2ad4420553e25f87a99afda6e33bf7b5ac80911bc8a7fb38630430cbde (on-disk)
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Checksum:75a3ee2ad4420553e25f87a99afda6e33bf7b5ac80911bc8a7fb38630430cbde (in-memory)
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Trying to read secondary LUKS2 header at offset 0x4000.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Reusing open ro fd on device /dev/gpt-auto-root-luks
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: LUKS2 header version 2 of size 16384 bytes, checksum sha256.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Checksum:fd76509cc4facee75a84c410b42ba594d719ddb7b99c603bade6f0a368842839 (on-disk)
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Checksum:fd76509cc4facee75a84c410b42ba594d719ddb7b99c603bade6f0a368842839 (in-memory)
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Device size 1022054059520, offset 16777216.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Device /dev/gpt-auto-root-luks READ lock released.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/gpt-auto-root-luks.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Libcryptsetup has external plugins support disabled.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 0.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 1.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 2.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 3.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 4.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 5.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 6.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 7.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 8.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 9.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 10.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 11.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 12.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 13.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 14.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 15.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 16.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 17.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 18.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 19.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 20.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 21.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 22.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 23.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 24.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 25.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 26.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 27.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 28.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 29.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 30.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 31.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: No valid TPM2 token data found.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: No TPM2 metadata enrolled in LUKS2 header, falling back to traditional unlocking.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 0.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 1.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 2.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 3.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 4.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 5.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 6.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 7.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 8.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 9.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 10.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 11.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 12.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 13.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 14.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 15.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 16.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 17.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 18.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 19.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 20.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 21.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 22.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 23.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 24.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 25.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 26.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 27.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 28.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 29.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 30.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: Requesting JSON for token 31.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Added key to kernel keyring as 190418682.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/gpt-auto-root-luks.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Keyslot 1 priority 1 != 2 (required), skipped.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Keyslot 0 priority 1 != 2 (required), skipped.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Trying to open LUKS2 keyslot 1.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Running keyslot key derivation.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Reading keyslot area [0x47000].
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Acquiring read lock for device /dev/gpt-auto-root-luks.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Opening lock resource file /run/cryptsetup/L_259:2
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Verifying lock handle for /dev/gpt-auto-root-luks.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Device /dev/gpt-auto-root-luks READ lock taken.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Reusing open ro fd on device /dev/gpt-auto-root-luks
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Device /dev/gpt-auto-root-luks READ lock released.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Verifying key from keyslot 1, digest 0.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Digest 0 (pbkdf2) verify failed with -1.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Trying to open LUKS2 keyslot 0.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Running keyslot key derivation.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Reading keyslot area [0x8000].
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Acquiring read lock for device /dev/gpt-auto-root-luks.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Opening lock resource file /run/cryptsetup/L_259:2
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Verifying lock handle for /dev/gpt-auto-root-luks.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Device /dev/gpt-auto-root-luks READ lock taken.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Reusing open ro fd on device /dev/gpt-auto-root-luks
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Device /dev/gpt-auto-root-luks READ lock released.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Verifying key from keyslot 0, digest 0.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Activating volume root [keyslot -1] using key.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: dm versions   [ opencount flush ]   [16384] (*1)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: dm status root  [ opencount noflush ]   [16384] (*1)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: dm target-version crypt  [ opencount flush ]   [16384] (*1)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: dm versions   [ opencount flush ]   [16384] (*1)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Detected dm-crypt version 1.25.0.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Loading key (type logon, name cryptsetup:278a0da5-55fd-427a-b79a-ca57b8ea5419-d0) in thread keyring.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: dm versions   [ opencount flush ]   [16384] (*1)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: dm status root  [ opencount noflush ]   [16384] (*1)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Calculated device size is 1996166567 sectors (RW), offset 32768.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: DM-UUID is CRYPT-LUKS2-278a0da555fd427ab79aca57b8ea5419-root
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Udev cookie 0xd4d138c (semid 0) created
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Udev cookie 0xd4d138c (semid 0) incremented to 1
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Udev cookie 0xd4d138c (semid 0) incremented to 2
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Udev cookie 0xd4d138c (semid 0) assigned to CREATE task(0) with flags DISABLE_LIBRARY_FALLBACK         (0x20)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: dm create root CRYPT-LUKS2-278a0da555fd427ab79aca57b8ea5419-root [ opencount flush ]   [16384] (*1)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: dm reload   (254:0) [ opencount flush securedata ]   [16384] (*1)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: dm resume root  [ opencount flush securedata ]   [16384] (*1)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: root: Stacking NODE_ADD (254,0) 0:0 0600 [trust_udev]
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: root: Stacking NODE_READ_AHEAD 16384 (flags=1)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Udev cookie 0xd4d138c (semid 0) decremented to 1
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Udev cookie 0xd4d138c (semid 0) waiting for zero
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Udev cookie 0xd4d138c (semid 0) destroyed
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: root: Skipping NODE_ADD (254,0) 0:0 0600 [trust_udev]
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: root: Processing NODE_READ_AHEAD 16384 (flags=1)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: root (254:0): read ahead is 16384
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: root: retaining kernel read ahead of 16384 (requested 16384)
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Reading EFI variable /sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Loaded 'libtss2-esys.so.0' via dlopen()
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Loaded 'libtss2-rc.so.0' via dlopen()
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Loaded 'libtss2-mu.so.0' via dlopen()
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Using TPM2 TCTI driver 'device' with device '/dev/tpmrm0'.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Loaded 'libtss2-tcti-device.so.0' via dlopen()
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Loaded TCTI module 'tcti-device' (TCTI module for communication with Linux kernel interface.) [Version 2]
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: TPM successfully started up.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Getting TPM2 capability 0x0000 property 0x0001 count 127.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Getting TPM2 capability 0x0002 property 0x011f count 256.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Getting TPM2 capability 0x0008 property 0x0000 count 508.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Getting TPM2 capability 0x0005 property 0x0000 count 1.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: TPM2 PCR bank sha1 has fewer than 24 PCR bits enabled, ignoring.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Reading PCR selection: [sha256(15)]
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Read PCR selection: [sha256(15)]
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: PCR value: 15:sha256=0000000000000000000000000000000000000000000000000000000000000000
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: TPM2 PCR bank sha384 has fewer than 24 PCR bits enabled, ignoring.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Found 1 enabled but un-initialized TPM2 banks.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Successfully extended PCR index 15 with 'cryptsetup:root:278a0da5-55fd-427a-b79a-ca57b8ea5419' and volume key (banks sha256).
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Releasing crypt device /dev/gpt-auto-root-luks context.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Releasing device-mapper backend.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Closing read only fd for /dev/gpt-auto-root-luks.
avr 30 16:07:50 cachyos systemd[1]: systemd-cryptsetup@root.service: Child 310 belongs to systemd-cryptsetup@root.service.
avr 30 16:07:50 cachyos systemd[1]: systemd-cryptsetup@root.service: Main process exited, code=exited, status=0/SUCCESS (success)
avr 30 16:07:50 cachyos systemd[1]: systemd-cryptsetup@root.service: Changed start -> exited
avr 30 16:07:50 cachyos systemd[1]: systemd-cryptsetup@root.service: Job 51 systemd-cryptsetup@root.service/start finished, result=done
avr 30 16:07:50 cachyos systemd[1]: systemd-cryptsetup@root.service: Control group is empty.
@capito27 capito27 added the bug 🐛 Programming errors, that need preferential fixing label Apr 30, 2024
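The journal above shows the whole failure mode in a few lines: the generator asks for `tpm2-device=auto`, systemd-cryptsetup reports "No TPM2 metadata enrolled in LUKS2 header, falling back to traditional unlocking", the boot stalls for over a minute until a passphrase arrives, and keyslot 0 (the recovery passphrase) finally opens the volume. The following triage script is an added example, not code from the systemd project or from the reporter; it runs the same detection over a constructed, condensed copy of those journal lines, so it can be pointed at `journalctl -b` output to confirm the mismatch and to measure how long the prompt held up boot. The timestamp handling assumes all lines are from one boot and keys only on the time of day, so it is independent of the locale-specific month name (`avr` here).

```python
"""Triage a systemd-cryptsetup journal excerpt for a TPM2 unlock option that
was requested without a matching TPM2 enrollment in the LUKS2 header.

Added example (not systemd code). It records the options passed to
`systemd-cryptsetup attach`, notices the "No TPM2 metadata enrolled"
fallback, measures the stall until a key reached the kernel keyring (the
interactive passphrase prompt) and reports which keyslot opened the volume.
"""
import re

# Constructed sample: a condensed copy of the journal lines in the report.
SAMPLE_JOURNAL = '''\
avr 30 16:06:36 cachyos systemd[1]: systemd-cryptsetup@root.service: About to execute: /usr/bin/systemd-cryptsetup attach root /dev/gpt-auto-root-luks "" tpm2-device=auto,tpm2-measure-pcr=yes
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: No valid TPM2 token data found.
avr 30 16:06:36 cachyos systemd-cryptsetup[310]: No TPM2 metadata enrolled in LUKS2 header, falling back to traditional unlocking.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Added key to kernel keyring as 190418682.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Trying to open LUKS2 keyslot 1.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Verifying key from keyslot 1, digest 0.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Digest 0 (pbkdf2) verify failed with -1.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Trying to open LUKS2 keyslot 0.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Verifying key from keyslot 0, digest 0.
avr 30 16:07:50 cachyos systemd-cryptsetup[310]: Activating volume root [keyslot -1] using key.
avr 30 16:07:50 cachyos systemd[1]: systemd-cryptsetup@root.service: Main process exited, code=exited, status=0/SUCCESS (success)
'''

# "<month> <day> HH:MM:SS <host> <source>: <message>"; the source is the
# "systemd[1]" / "systemd-cryptsetup[310]" field, the message is the rest.
LINE_RE = re.compile(
    r"^(?P<mon>\S+) +(?P<day>\d+) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<src>[^:]+): (?P<msg>.*)$"
)
EXEC_RE = re.compile(
    r'About to execute: \S*systemd-cryptsetup attach (\S+) (\S+) "[^"]*" (\S+)'
)
VERIFY_RE = re.compile(r"Verifying key from keyslot (\d+), digest")


def _seconds_of_day(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_journal(text):
    """Return one dict per recognisable journal line (others are skipped)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"t": _seconds_of_day(m.group("time")),
                            "src": m.group("src"), "msg": m.group("msg")})
    return records


def triage(text):
    """Summarise one unlock attempt from a journal excerpt."""
    result = {"volume": None, "device": None, "requested_options": [],
              "tpm2_fallback": False, "stall_seconds": None,
              "unlocked_keyslot": None, "tpm2_options_without_enrollment": []}
    fallback_t = None
    last_verified = None
    for rec in parse_journal(text):
        msg = rec["msg"]
        m = EXEC_RE.search(msg)
        if m:
            result["volume"], result["device"] = m.group(1), m.group(2)
            result["requested_options"] = m.group(3).split(",")
            continue
        if "No TPM2 metadata enrolled in LUKS2 header" in msg:
            result["tpm2_fallback"] = True
            fallback_t = rec["t"]
            continue
        if msg.startswith("Added key to kernel keyring") and fallback_t is not None \
                and result["stall_seconds"] is None:
            # Time spent waiting for the passphrase; tolerate a midnight wrap.
            result["stall_seconds"] = (rec["t"] - fallback_t) % 86400
            continue
        m = VERIFY_RE.match(msg)
        if m:
            last_verified = int(m.group(1))
        elif msg.startswith("Activating volume"):
            # The keyslot verified immediately before activation opened it.
            result["unlocked_keyslot"] = last_verified
    if result["tpm2_fallback"]:
        result["tpm2_options_without_enrollment"] = [
            o for o in result["requested_options"] if o.startswith("tpm2-device=")]
    return result


if __name__ == "__main__":
    for k, v in triage(SAMPLE_JOURNAL).items():
        print(f"{k}: {v}")
```

Against the constructed sample the script reports a 74-second stall between the TPM2 fallback and the key arriving, and keyslot 0 as the slot that opened the volume, which matches the `cryptenroll` listing (slot 0 = recovery). Only `tpm2-device=auto` is flagged as requested without enrollment; `tpm2-measure-pcr=yes` is left alone because the journal shows the PCR 15 measurement succeeding after the passphrase unlock regardless of enrollment.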
capito27 (Author) commented:

Ideally, gpt-auto-generator should check the existing LUKS keyslot contents of the discovered root partition prior to adding the tpm2-device=auto or fido2-device=auto options, where relevant
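The check proposed in this comment can be expressed directly over the LUKS2 token metadata: systemd-cryptenroll records each enrollment as a LUKS2 token (`systemd-recovery`, `systemd-fido2`, `systemd-tpm2`, `systemd-pkcs11`), so a generator can read the header and only pass the `*-device=auto` option whose token is actually present. The code below is an added example, not code from systemd or from the reporter. It assumes the metadata JSON has the shape emitted by `cryptsetup luksDump --dump-json-metadata` (a `tokens` object keyed by token id, each with a `type` and a `keyslots` list), the sample headers are constructed to mirror the reporter's slot layout, and `tpm_present` is a caller-supplied flag standing in for however the generator detects a TPM. As a design choice grounded in the journal above, `tpm2-measure-pcr=yes` is kept whenever a TPM exists, since the PCR 15 measurement succeeded there even without a TPM2 enrollment; only `tpm2-device=auto` is gated on the token.

```python
"""Derive systemd-cryptsetup unlock options from LUKS2 token metadata
instead of unconditionally requesting tpm2-device=auto.

Added example (not systemd code). Metadata is the JSON text that
`cryptsetup luksDump --dump-json-metadata <dev>` prints; the samples
below are constructed to match the reporter's slot layout.
"""
import json

# Constructed: slot 0 recovery passphrase, slot 1 FIDO2 token (the report).
SAMPLE_FIDO2_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2", "priority": 1},
                 "1": {"type": "luks2", "priority": 1}},
    "tokens": {"0": {"type": "systemd-recovery", "keyslots": ["0"]},
               "1": {"type": "systemd-fido2", "keyslots": ["1"]}},
})
# Constructed: the layout gpt-auto-generator currently assumes (TPM2 enrolled).
SAMPLE_TPM2_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {"type": "systemd-recovery", "keyslots": ["0"]},
               "1": {"type": "systemd-tpm2", "keyslots": ["1"]}},
})
# Constructed: plain passphrase only, no systemd tokens at all.
SAMPLE_PLAIN_METADATA = json.dumps({"keyslots": {"0": {"type": "luks2"}},
                                    "tokens": {}})

# Token type written by systemd-cryptenroll -> option systemd-cryptsetup needs.
TOKEN_OPTIONS = {
    "systemd-tpm2": "tpm2-device=auto",
    "systemd-fido2": "fido2-device=auto",
    "systemd-pkcs11": "pkcs11-uri=auto",
}


def enrolled_token_types(metadata_json):
    """Sorted set of token types present in the header."""
    meta = json.loads(metadata_json)
    return sorted({t["type"] for t in meta.get("tokens", {}).values() if "type" in t})


def slot_table(metadata_json):
    """Keyslot -> enrollment kind, in the spirit of cryptenroll's SLOT/TYPE listing."""
    meta = json.loads(metadata_json)
    table = {}
    for tok in meta.get("tokens", {}).values():
        kind = tok.get("type", "")
        if kind.startswith("systemd-"):
            for slot in tok.get("keyslots", []):
                table[int(slot)] = kind[len("systemd-"):]
    # Keyslots that no systemd token points at are ordinary passphrase slots.
    for slot in meta.get("keyslots", {}):
        table.setdefault(int(slot), "password")
    return dict(sorted(table.items()))


def select_unlock_options(metadata_json, tpm_present=True, measure_pcr=True):
    """Only request an automatic unlock method that the header can satisfy."""
    present = set(enrolled_token_types(metadata_json))
    options = []
    for kind, option in TOKEN_OPTIONS.items():
        if kind not in present:
            continue
        if kind == "systemd-tpm2" and not tpm_present:
            continue  # enrolled on another machine or TPM disabled: skip
        options.append(option)
    if tpm_present and measure_pcr:
        # Measurement into PCR 15 does not depend on a TPM2 enrollment.
        options.append("tpm2-measure-pcr=yes")
    return options


def unlock_command(metadata_json, name="root", device="/dev/gpt-auto-root-luks", **kw):
    """The systemd-cryptsetup invocation a header-aware generator would emit."""
    options = ",".join(select_unlock_options(metadata_json, **kw))
    return f'/usr/bin/systemd-cryptsetup attach {name} {device} "" {options}'


if __name__ == "__main__":
    for label, meta in (("fido2", SAMPLE_FIDO2_METADATA), ("tpm2", SAMPLE_TPM2_METADATA),
                        ("plain", SAMPLE_PLAIN_METADATA)):
        print(label, slot_table(meta), "->", unlock_command(meta))
```

For the reporter's header this yields `fido2-device=auto,tpm2-measure-pcr=yes` rather than `tpm2-device=auto,tpm2-measure-pcr=yes`, so systemd-cryptsetup goes straight to the FIDO2 token instead of scanning all 32 token slots for TPM2 data and dropping to the passphrase prompt. A header with no systemd tokens gets no `*-device=auto` option at all, which is the quiet passphrase path rather than a failed automatic attempt.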
