Description of problem:
Decrypting the LUKS2 root partition with a FIDO2 device or with a TPM2 module does not work out of the box because the needed libraries are not included in the dracut image.

Version-Release number of selected component (if applicable):
dracut-055-2.fc34.x86_64
systemd-248.3-1.fc34.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Enroll LUKS2 root partition with either a FIDO2 device or a TPM2 module.
TPM2:
# systemd-cryptenroll --tpm2-device=/dev/tpmrm0 --tpm2-pcrs=0,7 /dev/nvme0n1p7
FIDO2:
# systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p7
2. Modify /etc/crypttab
TPM2:
luks-9e4a0d32-860a-4c93-8ce8-a949e55dafe9 UUID=9e4a0d32-860a-4c93-8ce8-a949e55dafe9 - tpm2-device=auto,discard
FIDO2:
luks-9e4a0d32-860a-4c93-8ce8-a949e55dafe9 UUID=9e4a0d32-860a-4c93-8ce8-a949e55dafe9 - fido2-device=auto,discard
3. Rebuild initramfs
# dracut -f
4. Reboot

Actual results:
We get these error messages for each case and the user is dropped to a rescue shell.
systemd-cryptsetup[645]: FIDO2 support is not installed.
systemd-cryptsetup[634]: TPM2 support is not installed.

Expected results:
The needed libraries should be pulled in automatically when one of these methods is used in /etc/crypttab

Additional info:
This configuration fixes the issue:
install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "
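As an added, constructed check (not part of the bug report, of dracut, or of systemd), the following POSIX shell script maps the tpm2-device=/fido2-device= options in /etc/crypttab to the library prefixes named in the workaround above and verifies they are present in an lsinitrd listing of the rebuilt image, so a missing library is caught before the reboot that would otherwise end in a rescue shell. Function names and all sample input are my own assumptions.

```shell
#!/bin/sh
# Added pre-reboot check (not part of the bug report): confirm that the rebuilt
# initramfs carries the libraries systemd-cryptsetup needs for the unlock
# methods configured in /etc/crypttab, so a missing libtss2/libfido2 is caught
# before the machine is left at a rescue shell. Library prefixes are those named
# in the workaround above; function names are assumptions, not dracut's API.

# Print the library prefix each crypttab option on stdin requires, one per
# line, without duplicates. Field 4 of a crypttab line holds the options.
required_libs() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^tpm2-device=/  && !seen["libtss2"]++)  print "libtss2"
                if (opts[i] ~ /^fido2-device=/ && !seen["libfido2"]++) print "libfido2"
            }
        }'
}

# Succeed if the initramfs listing on stdin (e.g. `lsinitrd <image>` output)
# contains a shared object whose basename starts with the prefix in $1.
has_lib() {
    grep -Eq "(^|/)$1[^/]*\.so(\.|\$)"
}

# Report which required libraries are present in the listing; return 1 if any
# is missing. $1 = crypttab path, $2 = path of a saved initramfs listing.
check_initramfs() {
    crypttab=$1; listing=$2; rc=0
    for lib in $(required_libs < "$crypttab"); do
        if has_lib "$lib" < "$listing"; then
            echo "ok: $lib present in initramfs"
        else
            echo "MISSING: $lib -> systemd-cryptsetup would report support not installed"
            rc=1
        fi
    done
    return "$rc"
}

# Typical use on the running system (commented out so the file runs stand-alone):
#   lsinitrd "/boot/initramfs-$(uname -r).img" > /tmp/initrd.lst
#   check_initramfs /etc/crypttab /tmp/initrd.lst || echo "do not reboot yet"
```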
I suspect there's bits missing for pkcs11 too -- I've created bug 1975827 for that. I think I'll leave it up to the devs to decide whether it's worth merging that one in with this.
Still an issue in F35: dracut-055-5.fc35.x86_64 systemd-249.4-2.fc35.x86_64
It's a shame that this "bug" survives for this long. Certainly TPM should be included in vanilla default so users would have a puzzle to solve. regards, L.
F35, can confirm. Sadly fell for it without knowing, locking access to my machine. The configuration suggested fixes the issue. There is truly no reason for such a bug to exist, the fix is simple and prevents unnecessary inconveniences. 'systemd-cryptenroll' is a bliss for an easy implementation of enhanced security and hopefully should be accessible for the average user.
Dracut 056 fixes this problem, and "install_optional_items" should no longer be necessary. (However, it does require the tpm2-tools package, which is not currently a dependency.)
I've tested unlocking LUKS2 with a TPM2 device using dracut-056-1.fc36.x86_64 and can confirm that the workaround "install_optional_items" is no longer needed.
Dracut was updated to 057. I don't think changing any defaults is desired at this point. Feel free to open a new bug or reopen this one in case there're still some issues.