Description of problem:
Decrypting the LUKS2 root partition with a FIDO2 device or with a TPM2 module does not work out of the box because the needed libraries are not included in the dracut image.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Enroll LUKS2 root partition with either a FIDO2 device or a TPM2 module.
# systemd-cryptenroll --tpm2-device=/dev/tpmrm0 --tpm2-pcrs=0,7 /dev/nvme0n1p7
# systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p7
2. Modify /etc/crypttab
luks-9e4a0d32-860a-4c93-8ce8-a949e55dafe9 UUID=9e4a0d32-860a-4c93-8ce8-a949e55dafe9 - tpm2-device=auto,discard
luks-9e4a0d32-860a-4c93-8ce8-a949e55dafe9 UUID=9e4a0d32-860a-4c93-8ce8-a949e55dafe9 - fido2-device=auto,discard
3. Rebuild initramfs
# dracut -f
We get these error messages for each case and the user is dropped to a rescue shell.
systemd-cryptsetup: FIDO2 support is not installed.
systemd-cryptsetup: TPM2 support is not installed.
The needed libraries should be pulled in automatically when one of these methods is used in /etc/crypttab
This configuration fixes the issue:
install_optional_items+=" /usr/lib64/libtss2* /usr/lib64/libfido2.so.* "
I suspect there are bits missing for pkcs11 too -- I've created bug 1975827 for that. I think I'll leave it up to the devs to decide whether it's worth merging that one in with this.
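As an added example (not part of the bug report or of dracut itself), here is a small POSIX sh check that a defender can run before rebooting: it reads the unlock methods requested in /etc/crypttab (tpm2-device= / fido2-device=) and confirms that an lsinitrd listing of the rebuilt initramfs actually contains the corresponding library, so the failure mode described above (the "support is not installed" message and a rescue shell) is caught ahead of time. The crypttab line mirrors the one in the report; the lsinitrd-style listings and the library name patterns (libtss2-esys.so for TPM2, libfido2.so for FIDO2) are constructed sample data and assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report: verify the initramfs carries the
# libraries that systemd-cryptsetup needs for the unlock methods configured
# in /etc/crypttab. Sample crypttab and listings below are constructed.

# Print the unlock methods (tpm2, fido2) requested in a crypttab read from stdin.
# Comments are skipped; the fourth crypttab field holds the option list.
crypttab_methods() {
    awk '!/^[[:space:]]*#/ && NF >= 4 {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^tpm2-device=/)  print "tpm2"
            if (opts[i] ~ /^fido2-device=/) print "fido2"
        }
    }' | sort -u
}

# Given a method ($1) and an lsinitrd-style file listing on stdin, succeed
# only if the library that method needs is present in the initramfs.
# Library name patterns are an assumption of this example.
initrd_has_libs_for() {
    method=$1
    files=$(cat)
    case $method in
        tpm2)  pattern='libtss2-esys\.so' ;;
        fido2) pattern='libfido2\.so' ;;
        *)     return 2 ;;
    esac
    printf '%s\n' "$files" | grep -Eq "$pattern"
}

# Succeed (return 0) when every method in the crypttab text ($1) is covered
# by the initramfs listing ($2); fail on the first uncovered method.
initrd_covers_crypttab() {
    crypttab_text=$1
    listing_text=$2
    printf '%s\n' "$crypttab_text" | crypttab_methods | while read -r m; do
        printf '%s\n' "$listing_text" | initrd_has_libs_for "$m" || exit 1
    done
}

# Constructed sample crypttab line, mirroring the report.
SAMPLE_CRYPTTAB='luks-9e4a0d32-860a-4c93-8ce8-a949e55dafe9 UUID=9e4a0d32-860a-4c93-8ce8-a949e55dafe9 - tpm2-device=auto,discard'

# Constructed listings: one lacking the TPM2 library, one containing it.
LISTING_MISSING='usr/lib64/libcryptsetup.so.12
usr/lib/systemd/systemd-cryptsetup'
LISTING_FIXED='usr/lib64/libcryptsetup.so.12
usr/lib64/libtss2-esys.so.0
usr/lib/systemd/systemd-cryptsetup'

# Stand-alone run: report whether the sample listings cover the sample crypttab.
for name in LISTING_MISSING LISTING_FIXED; do
    eval "listing=\$$name"
    if initrd_covers_crypttab "$SAMPLE_CRYPTTAB" "$listing"; then
        echo "$name: initramfs covers configured unlock methods"
    else
        echo "$name: initramfs is MISSING a required library"
    fi
done
```

On a live system the same check runs against the real files, for example: lsinitrd "/boot/initramfs-$(uname -r).img" | initrd_has_libs_for tpm2, after first rebuilding with dracut -f. The point of the listing-based design is that it tests the artifact that will actually be booted rather than the host's installed packages, which is exactly where the report's mismatch lives.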
Still an issue in F35:
It's a shame that this "bug" survives for this long.
Certainly TPM should be included in vanilla default so users would have a puzzle to solve.
F35, can confirm. Sadly fell for it without knowing, locking access to my machine.
The configuration suggested fixes the issue.
There is truly no reason for such a bug to exist; the fix is simple and prevents unnecessary inconveniences. 'systemd-cryptenroll' is bliss for an easy implementation of enhanced security and hopefully should be accessible to the average user.
Dracut 056 fixes this problem, and "install_optional_items" should no longer be necessary.
(However, it does require the tpm2-tools package, which is not currently a dependency.)
I've tested unlocking LUKS2 with a TPM2 device using dracut-056-1.fc36.x86_64 and can confirm that the workaround "install_optional_items" is no longer needed.
Dracut was updated to 057.
I don't think changing any defaults is desired at this point. Feel free to open a new bug or reopen this one in case there are still some issues.