Bug 1976462 - Missing libraries for FIDO2 and TPM2 in dracut image
Summary: Missing libraries for FIDO2 and TPM2 in dracut image
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: dracut
Version: 35
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: dracut-maint-list
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-06-26 10:51 UTC by Juan Orti
Modified: 2022-08-11 09:48 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-11 09:48:01 UTC
Type: Bug
Embargoed:



Description Juan Orti 2021-06-26 10:51:08 UTC
Description of problem:
Decrypting the LUKS2 root partition with a FIDO2 device or with a TPM2 module does not work out of the box because the needed libraries are not included in the dracut image.

Version-Release number of selected component (if applicable):
dracut-055-2.fc34.x86_64
systemd-248.3-1.fc34.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Enroll LUKS2 root partition with either a FIDO2 device or a TPM2 module.

TPM2:
# systemd-cryptenroll --tpm2-device=/dev/tpmrm0 --tpm2-pcrs=0,7 /dev/nvme0n1p7

FIDO2:
# systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p7

2. Modify /etc/crypttab

TPM2:
luks-9e4a0d32-860a-4c93-8ce8-a949e55dafe9 UUID=9e4a0d32-860a-4c93-8ce8-a949e55dafe9 - tpm2-device=auto,discard

FIDO2:
luks-9e4a0d32-860a-4c93-8ce8-a949e55dafe9 UUID=9e4a0d32-860a-4c93-8ce8-a949e55dafe9 - fido2-device=auto,discard

3. Rebuild initramfs

# dracut -f

4. Reboot


Actual results:
We get these error messages for each case and the user is dropped to a rescue shell.

systemd-cryptsetup[645]: FIDO2 support is not installed.

systemd-cryptsetup[634]: TPM2 support is not installed.

Expected results:
The needed libraries should be pulled in automatically when one of these methods is used in /etc/crypttab.

Additional info:
This configuration fixes the issue:

install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "

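An added pre-reboot check (not part of the bug report or of dracut) that reads /etc/crypttab and an `lsinitrd` listing of the rebuilt initramfs and names the unlock libraries that are missing, so the failure above is caught before the machine drops to the rescue shell. It assumes the x86_64 /usr/lib64 paths from the workaround and lsinitrd's cpio-style listing with entries like `usr/lib64/libtss2-esys.so.0`; the sample data at the bottom is constructed.

```shell
#!/bin/sh
# Added check (not part of the bug report or of dracut): given the contents of
# /etc/crypttab and an `lsinitrd` listing of the rebuilt initramfs, report
# which unlock libraries are missing, so the problem from the report is caught
# before rebooting instead of in the rescue shell.

# Map crypttab unlock options to the library name stems they require.
# The stems follow the install_optional_items workaround in the report
# (libtss2* for tpm2-device=, libfido2.so.* for fido2-device=).
required_lib_stems() {
    # $1: contents of /etc/crypttab (comments and blank lines are skipped)
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
    while read -r _name _device _keyfile options; do
        case ",$options," in *,tpm2-device=*) echo libtss2 ;; esac
        case ",$options," in *,fido2-device=*) echo libfido2.so ;; esac
    done | sort -u
}

# Print every required stem that has no match under usr/lib64/ in the
# initramfs listing; prints nothing when the image is complete.
missing_libs() {
    # $1: contents of /etc/crypttab   $2: output of `lsinitrd <image>`
    for stem in $(required_lib_stems "$1"); do
        printf '%s\n' "$2" | grep -q "usr/lib64/${stem}" || echo "$stem"
    done
}

# Constructed sample data standing in for the real files: the FIDO2 crypttab
# entry from the report plus a listing that carries libtss2 but not libfido2.
SAMPLE_CRYPTTAB='luks-9e4a0d32-860a-4c93-8ce8-a949e55dafe9 UUID=9e4a0d32-860a-4c93-8ce8-a949e55dafe9 - fido2-device=auto,discard'
SAMPLE_LSINITRD='usr/lib64/libcryptsetup.so.12
usr/lib64/libtss2-esys.so.0'

# Against a live system this would be:
#   missing_libs "$(cat /etc/crypttab)" "$(lsinitrd)"
missing_libs "$SAMPLE_CRYPTTAB" "$SAMPLE_LSINITRD"   # prints: libfido2.so
```

An empty result means every library the crypttab unlock options need is present in the image; any printed stem should be added (via install_optional_items or a newer dracut) before rebooting.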
Comment 1 James 2021-06-26 12:08:59 UTC
I suspect there are bits missing for pkcs11 too -- I've created bug 1975827 for that. I think I'll leave it up to the devs to decide whether it's worth merging that one in with this.

Comment 2 Juan Orti 2021-10-23 11:23:16 UTC
Still an issue in F35:

dracut-055-5.fc35.x86_64
systemd-249.4-2.fc35.x86_64

Comment 3 lejeczek 2021-11-06 12:40:20 UTC
It's a shame that this "bug" has survived this long.
Certainly TPM should be included in vanilla default so users would have a puzzle to solve.
regards, L.

Comment 4 dhpereh@mailbox.org 2021-12-19 18:58:27 UTC
F35, can confirm. Sadly fell for it without knowing, locking access to my machine.

The configuration suggested fixes the issue.

There is truly no reason for such a bug to exist; the fix is simple and prevents unnecessary inconveniences. 'systemd-cryptenroll' is bliss for an easy implementation of enhanced security and hopefully should be accessible to the average user.

Comment 5 Gordon Messmer 2022-02-26 04:19:29 UTC
Dracut 056 fixes this problem, and "install_optional_items" should no longer be necessary.

(However, it does require the tpm2-tools package, which is not currently a dependency.)

Comment 6 Juan Orti 2022-04-10 06:09:21 UTC
I've tested unlocking LUKS2 with a TPM2 device using dracut-056-1.fc36.x86_64 and can confirm that the workaround "install_optional_items" is no longer needed.

Comment 7 Pavel Valena 2022-08-11 09:48:01 UTC
Dracut was updated to 057.

I don't think changing any defaults is desired at this point. Feel free to open a new bug or reopen this one in case there are still some issues.

