Created attachment 1594384
Patch to remove network dependency from clevis-dracut
Description of problem:
Cannot use clevis-dracut to automatically decrypt the root volume without enabling network in the initrd generated by dracut/clevis-dracut.
When using the TPM2 encryptor, there is no need for networking features, DHCP or otherwise.
Not a duplicate of 1497566, since that relates to the configuration of early boot networking, while this is related to the removal of networking as a dracut dependency of clevis-dracut.
Although most other use cases of clevis require network, the tpm2 encryptor does not; thus, the early-boot networking dependency should/could/in some fashion be removed from clevis-dracut.
Creating a dracut conf file containing 'omit_dracutmodules+="ifcfg network"' disables early boot network by removing it from the initrd.
However, it also prevents the root volume from automatically unlocking.
If /usr/lib/dracut/modules.d/60clevis/module-setup.sh (built from clevis-7-8.el7.src.rpm) is patched as attached and the aforementioned dracut conf file is created, the system works as expected.
That is, the network is not configured during early-boot, and the system automatically unlocks the root volume.
This is not a satisfactory solution, as later updates to clevis-dracut will overwrite this file and hang on start, since the automatic unlocking feature will cease to work.
Version-Release number of selected component (if applicable):
clevis, clevis-dracut, clevis-luks, clevis-systemd 7-8.el7
tpm2-tss, tpm2-tss-devel 1.4.0-2.el7
Red Hat 7.7Beta
Red Hat 7.6
Steps to Reproduce:
1. Encrypt Hard Drive
2. Use clevis-luks-bind with TPM2 chip binding "clevis luks bind -d <device> tpm2"
3. Install clevis-dracut to automatically decrypt hard drive
4. Run "dracut -fv --regenerate-all" to update initrd
5. Reboot and watch the system automatically decrypt/mount the LUKS-encrypted volume using clevis
6. Use "ip addr" to see that system has DHCP-assigned IP addresses
Actual results:
1 - System boots and decrypts the root volume automatically, successfully, during early boot.
2a - System configures networking and receives DHCP lease during early boot.
2b - Alternatively, clevis/dracut/clevis-dracut cannot be configured to not configure kernel networking.
Expected results:
1 - System boots and decrypts the root volume automatically, successfully, during early boot.
2a - System does not configure kernel networking during early boot.
2b - Alternatively, clevis/dracut/clevis-dracut can be configured to not configure kernel networking during early boot.
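A check for the expected state described above, as an added example that is not part of the original report or of clevis: the function reads a dracut module listing (the kind "lsinitrd -m" prints) and reports whether clevis is in the image while network and ifcfg are not. The three sample listings are constructed, and the contents of the "omit only" listing rest on the assumption that dracut skips an unpatched clevis module once its network dependency is omitted.

```shell
#!/bin/sh
# Added example, not from the report or from clevis.
# Real use (image path is an assumption):
#   lsinitrd -m "/boot/initramfs-$(uname -r).img" | check_initrd_modules

# Reads a dracut module listing on stdin, one name per line; other lines
# (headers, separators) are ignored.
# Returns 0: clevis present, network and ifcfg absent
#         1: network or ifcfg still in the image
#         2: clevis missing, so the root volume would not auto-unlock
check_initrd_modules() {
    has_clevis=0
    net_found=""
    while IFS= read -r line; do
        name=$(printf '%s' "$line" | tr -d '[:space:]')
        case "$name" in
            clevis) has_clevis=1 ;;
            network|ifcfg) net_found="$net_found $name" ;;
        esac
    done
    if [ "$has_clevis" -eq 0 ]; then
        echo "FAIL: clevis module not in image"
        return 2
    fi
    if [ -n "$net_found" ]; then
        echo "FAIL: network modules in image:$net_found"
        return 1
    fi
    echo "OK: clevis present, network and ifcfg omitted"
}

# Constructed listings (not captured from a real system).
# Stock clevis-dracut: network modules are pulled in.
sample_stock() { printf '%s\n' 'dracut modules:' bash network ifcfg crypt clevis dm; }
# omit_dracutmodules set, module-setup.sh unpatched. Assumption: dracut then
# skips clevis because its declared dependency is unavailable.
sample_omit_only() { printf '%s\n' 'dracut modules:' bash crypt dm; }
# omit_dracutmodules set and module-setup.sh patched as the report describes.
sample_patched() { printf '%s\n' 'dracut modules:' bash crypt clevis dm; }

for s in sample_stock sample_omit_only sample_patched; do
    printf '%s: ' "$s"
    "$s" | check_initrd_modules || true
done
```

Running the check after every clevis-dracut update and initrd rebuild catches the regression the report warns about before the next reboot.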
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.