Include tpm2 support in the image #369

Closed
stenwt opened this issue Oct 15, 2022 · 4 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@stenwt

stenwt commented Oct 15, 2022

Is your feature request related to a problem? Please describe.

In order to use systemd-cryptenroll against a tpm2 module on Fedora Silverblue (as of 36), a user must layer tpm2-tools and run this command:
rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss before doing the enrollment

Describe the solution you'd like

If tpm2-tools was included in the rpm-ostree image and support for tpm2-tss was included by default in the initramfs, a user could jump straight to the systemd-cryptenroll step. Fedora could even offer to enable it during the install process.

Describe alternatives you've considered

We could continue doing the above manually- I'm also raising this issue to document the required steps.

Additional context

@stenwt stenwt added the enhancement New feature or request label Oct 15, 2022
@travier travier added good first issue Good for newcomers f36 Related to Fedora 36 labels Oct 16, 2022
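The manual path from the report, scripted as an added example for this thread (this is not code from the issue, from Fedora, or from systemd). It assumes two placeholders, LUKS_DEV and PCRS, and it also covers the points raised later in the thread: a check that the tpm2-tss (and systemd-pcrphase) dracut modules actually landed in the generated initramfs, a check that /etc/crypttab carries a tpm2-device= option, and a check that the LUKS2 header holds a systemd-tpm2 token once enrollment has run. The check functions read command output from stdin (relying on `lsinitrd -m` printing one module name per line), so they can be exercised against captured text; `verify` wires them to the real tools and needs root.

```bash
#!/usr/bin/env bash
# Added example for this issue; not code from the issue, Fedora, or systemd.
# Scripts the manual path from the report (layer tpm2-tools, force-add the
# tpm2-tss dracut module, enroll with systemd-cryptenroll) and adds checks for
# the state each step must leave behind. LUKS_DEV and PCRS are placeholders
# assumed here; adjust them to the machine.
set -euo pipefail

LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p3}"   # assumption: your LUKS2 root partition
PCRS="${PCRS:-7}"                         # assumption: PCR 7 = Secure Boot policy

# Steps 1+2 (before reboot): layer the userspace tools and switch on local
# initramfs regeneration with tpm2-tss force-added, as the report describes.
# Skip the install line on images that already ship tpm2-tools in the base.
enable_tpm2_initramfs() {
    rpm-ostree install tpm2-tools
    rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss
    echo "now reboot into the new deployment, then run: $0 enroll" >&2
}

# Step 3 (after reboot): bind a new LUKS key slot to the TPM2 under a PCR policy.
enroll_tpm2() {
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$PCRS" "$LUKS_DEV"
}

# Check 1: every named dracut module appears in `lsinitrd -m` output on stdin
# (lsinitrd prints one module name per line under "dracut modules:").
initramfs_has_modules() {
    local listing mod
    listing="$(sed 's/^[[:space:]]*//; s/[[:space:]]*$//')"
    for mod in "$@"; do
        printf '%s\n' "$listing" | grep -x -- "$mod" >/dev/null || return 1
    done
}

# Check 2: crypttab text on stdin has a mapping unlocked via tpm2-device=...
# (field 4 is the comma-separated option list; comments are skipped).
crypttab_has_tpm2() {
    awk '/^[[:space:]]*#/ { next }
         NF >= 4 { n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] ~ /^tpm2-device=/) found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Check 3: `cryptsetup luksDump` output on stdin lists a systemd-tpm2 token,
# which is how a systemd-cryptenroll enrollment shows up in the LUKS2 header.
luks_has_tpm2_token() {
    grep -E '^[[:space:]]*[0-9]+: systemd-tpm2' >/dev/null
}

# After reboot: confirm the whole unlock path is in place (needs root).
verify() {
    lsinitrd -m | initramfs_has_modules tpm2-tss \
        || { echo "tpm2-tss missing from the current initramfs" >&2; return 1; }
    crypttab_has_tpm2 </etc/crypttab \
        || { echo "no tpm2-device= option in /etc/crypttab" >&2; return 1; }
    cryptsetup luksDump "$LUKS_DEV" | luks_has_tpm2_token \
        || { echo "no systemd-tpm2 token on $LUKS_DEV" >&2; return 1; }
    echo "tpm2 unlock path complete for $LUKS_DEV"
}

case "${1:-}" in
    enable) enable_tpm2_initramfs ;;
    enroll) enroll_tpm2 ;;
    verify) verify ;;
esac
```

Run it with `enable`, reboot, then `enroll` and `verify`. Binding only PCR 7 ties the slot to the Secure Boot state; a firmware or bootloader change that alters that measurement makes the TPM slot stop unlocking and drops you back to the passphrase slot, so keep a passphrase enrolled. `rpm-ostree initramfs --enable` regenerates the initramfs on each new deployment, which is what keeps the force-added module and any later crypttab change across upgrades.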
@Plamper

Plamper commented Nov 3, 2022

This would be a great feature indeed, but I believe you still would have to rebuild the initramfs at least once after you changed your /etc/crypttab, because the UUIDs of the drives have to be present in the initramfs (which would be wiped with every new image). So just adding that to the base image wouldn't work AFAIK.

@sahensley

It appears that on Silverblue 38 (as of 2023-06-17), the following packages are installed on the base rpm-ostree:
tpm2-tools-5.5-3.fc38.x86_64
tpm2-tss-4.0.1-3.fc38.x86_64

I was able to enroll my via systemd-cryptenroll using a method similar to the Fedora Magazine article.

Regenerating initramfs is still needed but the packages are available now.

@travier
Member

travier commented May 13, 2024

We should figure out why those modules are not enabled by default in our initramfs:

  • systemd-pcrphase
  • tpm2-tss

Other instances of this:

@travier
Member

travier commented Jun 3, 2024

Thanks for the report. This issue is now tracked in https://gitlab.com/fedora/ostree/sig/-/issues/33 thus I'll close this one.

@travier travier closed this as not planned Jun 3, 2024
Development

No branches or pull requests

4 participants