Bug 1976462

Summary: Missing libraries for FIDO2 and TPM2 in dracut image
Product: Fedora
Component: dracut
Reporter: Juan Orti <jorti>
Assignee: dracut-maint-list
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 35
CC: anssi.hannula, Daniel, dhpereh, dracut-maint-list, francois.rigault, gordon.messmer, james, jean, jonathan, marco.ce89, me, peljasz, pvalena, thofmann, vilgot, zbyszek
Hardware: x86_64
OS: Linux
Last Closed: 2022-08-11 09:48:01 UTC
Type: Bug

Description Juan Orti 2021-06-26 10:51:08 UTC
Description of problem:
Decrypting the LUKS2 root partition with a FIDO2 device or with a TPM2 module does not work out of the box because the needed libraries are not included in the dracut image.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Enroll LUKS2 root partition with either a FIDO2 device or a TPM2 module.

# systemd-cryptenroll --tpm2-device=/dev/tpmrm0 --tpm2-pcrs=0,7 /dev/nvme0n1p7

# systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p7

2. Modify /etc/crypttab

luks-9e4a0d32-860a-4c93-8ce8-a949e55dafe9 UUID=9e4a0d32-860a-4c93-8ce8-a949e55dafe9 - tpm2-device=auto,discard

luks-9e4a0d32-860a-4c93-8ce8-a949e55dafe9 UUID=9e4a0d32-860a-4c93-8ce8-a949e55dafe9 - fido2-device=auto,discard

3. Rebuild initramfs

# dracut -f

4. Reboot

Actual results:
We get these error messages for each case and the user is dropped to a rescue shell.

systemd-cryptsetup[645]: FIDO2 support is not installed.

systemd-cryptsetup[634]: TPM2 support is not installed.

Expected results:
The needed libraries should be pulled in automatically when one of these methods is used in /etc/crypttab.

Additional info:
This configuration fixes the issue:

install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "
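
A pre-reboot check for the procedure above, added here as an example and not part of the bug report or of dracut: it reads the unlock methods out of /etc/crypttab and confirms that the libraries named in the workaround are present in a listing of the initramfs contents. The listing format (one path per line, such as the last column of lsinitrd output) and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: check that the libraries an
# /etc/crypttab unlock method needs are actually inside the initramfs
# before rebooting. Option names and library names come from the report;
# the listing format (one path per line, e.g. the last column of lsinitrd
# output) and the sample files below are assumptions.
# needed_methods: read a crypttab on stdin, print each unlock method it uses
needed_methods() {
    sed 's/#.*//' | awk 'NF >= 4 {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^tpm2-device=/)  print "tpm2"
            if (o[i] ~ /^fido2-device=/) print "fido2"
        }
    }' | sort -u
}

# lib_prefix: file-name prefix of the library systemd-cryptsetup loads for a method
lib_prefix() {
    case "$1" in
        tpm2)  echo 'libtss2' ;;      # /usr/lib64/libtss2*
        fido2) echo 'libfido2.so' ;;  # /usr/lib64/libfido2.so.*
    esac
}

# check_initramfs CRYPTTAB LISTING: print one "missing:" line per method whose
# library is absent from LISTING; exit 0 only when every method is covered.
check_initramfs() {
    rc=0
    for m in $(needed_methods < "$1"); do
        p=$(lib_prefix "$m")
        grep -qF "/$p" "$2" || { echo "missing: $m ($p*)"; rc=1; }
    done
    return $rc
}

# Constructed sample input: the first crypttab line is the report's, the second
# volume and the initramfs listings are made up for the demo.
SAMPLE=$(mktemp -d)
CRYPTTAB=$SAMPLE/crypttab; LISTING_BAD=$SAMPLE/no-fido2.txt; LISTING_OK=$SAMPLE/ok.txt
printf '%s\n' \
  'luks-9e4a0d32-860a-4c93-8ce8-a949e55dafe9 UUID=9e4a0d32-860a-4c93-8ce8-a949e55dafe9 - tpm2-device=auto,discard' \
  'luks-0000aaaa-1111-2222-3333-444455556666 UUID=0000aaaa-1111-2222-3333-444455556666 - fido2-device=auto,discard' > "$CRYPTTAB"
printf '%s\n' usr/lib/systemd/systemd-cryptsetup usr/lib64/libcryptsetup.so.12 \
  usr/lib64/libtss2-esys.so.0 > "$LISTING_BAD"
{ cat "$LISTING_BAD"; echo usr/lib64/libfido2.so.1; } > "$LISTING_OK"

check_initramfs "$CRYPTTAB" "$LISTING_BAD" || echo "do not reboot yet"  # missing: fido2 (libfido2.so*)
check_initramfs "$CRYPTTAB" "$LISTING_OK" && echo "initramfs complete"
```

On a real system, feed the function the current /etc/crypttab and a path listing of the image dracut just built; a "missing:" line means the boot will end in the rescue shell described in the report.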

Comment 1 James 2021-06-26 12:08:59 UTC
I suspect there are bits missing for pkcs11 too -- I've created bug 1975827 for that. I think I'll leave it up to the devs to decide whether it's worth merging that one in with this.

Comment 2 Juan Orti 2021-10-23 11:23:16 UTC
Still an issue in F35:


Comment 3 lejeczek 2021-11-06 12:40:20 UTC
It's a shame that this "bug" survives for this long.
Certainly TPM should be included in vanilla default so users would have a puzzle to solve.
regards, L.

Comment 4 dhpereh@mailbox.org 2021-12-19 18:58:27 UTC
F35, can confirm. Sadly fell for it without knowing, locking access to my machine.

The configuration suggested fixes the issue.

There is truly no reason for such a bug to exist; the fix is simple and prevents unnecessary inconveniences. 'systemd-cryptenroll' is bliss for an easy implementation of enhanced security and hopefully should be accessible to the average user.

Comment 5 Gordon Messmer 2022-02-26 04:19:29 UTC
Dracut 056 fixes this problem, and "install_optional_items" should no longer be necessary.

(However, it does require the tpm2-tools package, which is not currently a dependency.)

Comment 6 Juan Orti 2022-04-10 06:09:21 UTC
I've tested unlocking LUKS2 with a TPM2 device using dracut-056-1.fc36.x86_64 and can confirm that the workaround "install_optional_items" is no longer needed.

Comment 7 Pavel Valena 2022-08-11 09:48:01 UTC
Dracut was updated to 057.

I don't think changing any defaults is desired at this point. Feel free to open a new bug or reopen this one in case there are still some issues.