#[SOLVED] no matter how many times I enroll the secure boot keys to TPM dracut asks for my password
.aw luks
have you seen dis section? https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module
as specified here, I generated a recovery key, noted it down and enrolled the keys
https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LUKS_on_a_partition_with_TPM2_and_Secure_Boot
ya
> have you seen dis section? https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module
did u add this?
ya
[sparky@katie ~]$ run0 lsinitrd | grep tpm2-tss
tpm2-tss
-rw-r--r-- 1 root root 89 Oct 20 22:26 usr/lib/sysusers.d/tpm2-tss.conf
-rw-r--r-- 1 root root 592 Oct 20 22:26 usr/lib/tmpfiles.d/tpm2-tss-fapi.conf
tried setting the crypttab.initramfs
lemme check if it will work
it did not
it still asks for the password to decrypt rooffs
rootfs
The TPM will automatically release the key as long as the boot chain is not tampered with.
@marble tartan try to add systemd to your dracut modules
hmm idk if my chain is tampered
how do I check :3
it's there
> @marble tartan try to add systemd to your dracut modules
ah
what do I do now :3
idk im searching for stuffs
if I find smthg I tell u
would get myself a FIDO2 key
if they weren't as expensive as ₺3k
😔
keeping the key on a USB, plugging it in and then unplugging it is among the options
(I'm thinking aloud you might ignore me)
@marble tartan there's this but
also was reading this
I think you can do it while booted?
it is not booted tho
it is between booted and not booted
wdym
when the initramfs requests the root volume key
Cannot use device /dev/nvme0n1p2 which is in use (already mapped or mounted).
hmm
read dis comment
i'll try a live usb
TPM2 operation failed, falling back to traditional unlocking: Device or resource busy
is root the mapping name you use?
ya
yeah so read the comment on reddit
I think if you specify a different name u might be able to test it even while booted?
im not sure
On live system this throws "operation not permitted" errors
Failed to unseal secret using TPM2: Operation not permitted
Found a bug report but that was marked as fixed
idk tbh
:3
@marble tartan https://bbs.archlinux.org/viewtopic.php?id=293760
actually the error is a bit different
idk
clearing the tpm would revoke the secure boot keys
thank you anyway
0fficerk received a thank you cookie!
Yw, sorry my knowledge on this is very limited 😔

what are the keys bound to?
the TPM usually binds to PCR 7, secure boot state, by default
elaborate
they're bound to that
> the TPM usually binds to PCR 7, secure boot state, by default
did you change anything about your secure boot keys, or turned it on or off?
oh, wait
hang on
is this an Ubuntu live ISO?
i did
arch live iso
> is this an Ubuntu live ISO?
or otherwise any live ISO which provides secure boot support by default
oh, hm
oh, archlive
mhm
did you sign it with your own keys, or did it just work?
it worked because of ventoy ig
ya
hm, interesting…
also enrolled the ventoy keys
so, my hunch is that something in the boot process you used involved shim
because shim measures its own keys to PCR 7, and hence would make a shim-booted system not able to unlock your drive
something you can try here is to re-enroll the TPM2, but this time not binding to any PCR registers at all
if it works then it’s probably shim or something else modifying PCR 7
I don't see shim
if shim was somewhat enrolled it should have probably existed in the efibootmgr output
shouldn't it
not necessarily
it’s a live usb right?
that uses the fallback boot path
I’m also talking specifically about the failure in the live environment, not with the main system
though as for the main system, my one question would be what kernel parameters you are using
~> cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-linux-cachyos root=UUID=d3a547f3-8f66-4507-abf9-519ff8c99fe7 rw rootflags=subvol=@ loglevel=3
ah!
that’s what happened
it doesn’t know to use a TPM by default
you need to tell systemd-cryptsetup explicitly that a TPM is to be used
but crypttab.initramfs
dracut does not include crypttab.initramfs
unless you specified it manually with the --include flag
mhm
on one side I am compiling stuff on a different machine so if I disappear I am probably fixing that machine
anyway, you can bsdtar out the initramfs file you have
to see if there’s even a crypttab file in there
there is none
I'm including it
okay
make sure it’s only named /etc/crypttab in the initramfs
the .initramfs thing is a mkinitcpio extension
the --include flag allows you to rename the file to be included
I recall something like that from dracut(8)
dracut is very weird in this regard because the --include flag can only be used once, for one file
everything else can only be added as the exact name and path they are in the main root
the other option is to forgo a crypttab
mhm
since you’re already getting a password prompt in the first place systemd-gpt-auto-generator seems to be doing its job
so you can just add rd.luks.options=[LUKS block UUID]=tpm2-device=auto
the UUID there is for the LUKS block, not for the filesystem inside
the uuid for nvme0n1p2
yea, that works
I set that
then you can try it!
didn't work
BOOT_IMAGE=/vmlinuz-linux-cachyos root=UUID=d3a547f3-8f66-4507-abf9-519ff8c99fe7 rw rootflags=subvol=@ rd.luks.options=UUID=ff47b26b-0cd8-4510-b662-f04df75e9ba1=tpm2-device=auto loglevel=
loglevel is 3
no need to add the UUID= there
mhm
https://wiki.archlinux.org/title/Dm-crypt/System_configuration#rd.luks.options see this for an example
oh, wait
I didn’t realise you could just omit the UUID
I skimmed through the man page but the Arch Wiki says you can just not specify anything and it’ll apply to all devices
let's see
If only a list of options, without a UUID, is specified, they apply to any UUIDs not specified elsewhere, and without an entry in /etc/crypttab.
if this doesn’t work then it should no longer be a configuration issue but a TPM issue
in which case my next suggestion would be to try and enroll a new key not bound to any PCR registers at all
if this doesn’t work then the TPM is probably busted
if it does work then something about PCR 7 on your motherboard might be borked, or it might have changed when you didn’t look
the tpm boots just fine tho
I’m just laying out future hypotheticals
what matters right now is just the current step, which is to try again with the correct parameter
did not work
did it say anything before dropping you into the password prompt?
like if it had anything about a TPM error
nope
okay, well
as I said, if you still want to try and troubleshoot this, my next suggestion is to wipe the current TPM2 key slot, and replace it with one that isn’t bound to anything
for this, add --tpm2-pcrs='' when enrolling the new TPM slot
~> run0 systemd-cryptenroll --wipe-slot 2
Wiping requested and no block device node specified, refusing.
I'm stupid
I did it
the tpm slot was 2
yup, you just forgot to specify the disk at the end
which is a mistake I still make too
ya wiped it
on one side I am compiling a window manager
so well I might be slow to respond
do I enroll again now
> for this, add --tpm2-pcrs='' when enrolling the new TPM slot
yea!
you can then try and open it in a live USB again
if it works then you could try booting the main system
since it’s not bound to anything it should really just work this time
if it doesn’t then this is a Cursed Hardware Issue that is beyond my capacity to help
fleuriafluoride received a thank you cookie!
thank you so much @sacred hollow
then it seems something is still wrong with the configuration for your initramfs…
since this is cachyos, did it make a crypttab in the main root?
ya
an empty one
well the cachyos installer failed to finish so I just installed the rest of the system myself
hm…
well, we could try to explicitly instruct systemd-cryptsetup-generator using kernel parameters as in here
though we already tried that once and it didn’t turn out too well…
mkinitcpio
oh, sure, use mkinitcpio
i use dracut, not mkinitcpio
oh
I misinterpreted
well, the kernel parameters should still work since they’re supposed to be for systemd, not dracut or mkinitcpio in particular
but if it doesn’t we can try to embed a crypttab into the initramfs
if you want to use the /etc/crypttab.initramfs name for this, then you have to find whatever script is running dracut and then add --include /etc/crypttab.initramfs /etc/crypttab to the list of options
what if I embed the key into the initrd
you can do that, too!
it's a bit dangerous
but nobody that could possibly gain physical access to my machine would be computer literate enough to comprehend that
how do I proceed now
well, you can just create a keyfile in the default location
in your case this would be something like /etc/cryptsetup-keys.d/root.key
and you can add a dracut configuration file to have dracut add it to your initramfs
ideally systemd-gpt-auto-generator and systemd-cryptsetup-generator will work together to automatically use it to unlock your root partition
if not… I guess dracut would be really weird
@marble tartan why use tpm?
because I do not want to enter my password every time to the obnoxious prompt
and no I won't use plymouth
setting up plymouth is another nightmare
and I don't have a card reader either
alright this is what happens when I install the keys to the initrd
dracut-install: ERROR: installing '/etc/cryptsetup.keys.d/root.key'
dracut[E]: FAILED: /usr/lib/dracut/dracut-install -D /var/tmp/dracut.9mSnen/initramfs -a /etc/cryptsetup.keys.d/root.key
install_items+=" /etc/cryptsetup.keys.d/root.key "
this is my miserable config file
did you misspell the name? it should be cryptsetup-keys.d not cryptsetup.keys.d
you don’t need to, hopefully
it’s named root.key so it will automatically be used for /dev/mapper/root
and systemd-gpt-auto-generator will automatically name the decrypted root device root
but if you reboot and this doesn’t work, you can add a crypttab or rd.luks options
that did not work so I added luks options
> it’s named root.key so it will automatically be used for /dev/mapper/root
okay, sure
wait…
I might have forgotten this whole time
dracut adds options to your initramfs automatically without asking!
wdym
it will automatically detect command line options
and put it into the initramfs
and that has probably been screwing over systemd’s automatic systems this whole time
you don’t need to since you will only decrypt the device in the initramfs
there’s an option for no hostonly cmdline
that will prevent dracut from adding options
you can check the man page to see how it’s spelled
it did not work
okay, this is very late but my question would then be if you’re actually using systemd-gpt-auto-generator
that was another assumption I was making that could be wrong
well how do I check
> okay, this is very late but my question would then be if you’re actually using systemd-gpt-auto-gene…
do you have any root= parameters in your command line?
and do you have parameters that specify the LUKS volume?
wdym
> and do you have parameters that specify the LUKS volume?
like, did you add the rd.luks parameters that specified name and UUID and stuff per the Arch Wiki?
yes
> like, did you add the rd.luks parameters that specified name and UUID and stuff per the Arch Wiki?
in that case, the only thing left to do is to add the parameter explicitly describing the location of the keyfile too
and if somehow, after all of that, it still doesn’t work
then this is a Cursed Problem and I would recommend trying mkinitcpio
oki ty
(I tried that too, that one did not work either)
> in that case, the only thing left to do is to add the parameter explicitly describing the location o…
like I have a mkinitcpio initramfs with all the systemd bells and whistles
and the stuff I’ve done with crypto stuff all worked first try
so I give mkinitcpio another chance
> and the stuff I’ve done with crypto stuff all worked first try
mkinitcpio worked, apparently
how do I get rid of dracut now
thank you all @sacred hollow, @opaque marlin and @limpid swan
fleuriafluoride, 0fficerk, and killertofus received a thank you cookie!
yw :)
just uninstall the package ig?