RHEL 8 with LUKS using auto-unlock with a key stored in a TPM 1.2, accessed via TrouSerS/tpm-tools.


Looking to pair LUKS under RHEL 8.8 with auto-unlock by retrieving the key stored in a TPM 1.2 device.

As a test, RHEL 8.8 was installed, set up, and locked so that a passphrase is required.
TrouSerS/tpm-tools were installed, a key was added to the TPM 1.2 at NVRAM index 1, and it can be read successfully using tpm_nvread.

This RHEL 8 install boots and asks for the passphrase without issue, and the extra key was added to LUKS following the Red Hat article #230993. The added key and what is stored in the TPM 1.2 are identical.

Adding the TPM auto-unlock piece seems straightforward by way of a GitHub submission, https://github.com/gastamper/dracut-tpm, which makes use of tpm_nvread (using Method 0).

Following all this, dracut -f completes without error, and the scripts from the GitHub repo do appear in /usr/lib/dracut/modules.d/50dracuttpm on the target system. However, at boot you are eventually dropped into the Dracut# shell after the timeout period, having seen: Failed to start Cryptography Setup for luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

Once in the Dracut# shell, poking around, you quickly realize that cryptsetup isn't there.

The hook script, when modified to try to force cryptsetup into the initramfs, completes with no error. However, cryptsetup never appears inside /sbin, while tcsd and tpm_nvread do.

install() {
    inst_hook initqueue/online 50 "$moddir/nv-hook.sh"
    inst_hook initqueue/settled 50 "$moddir/nv-hook.sh"

    # Tools the hook needs inside the initramfs (line as shipped in the repo).
    inst_multiple nc nv_readvalue tcsd tpm_nvread /etc/hosts

    # Local modification: try to force cryptsetup into the image as well.
    inst_multiple nc tcsd tpm_nvread /etc/hosts cryptsetup

    dracut_need_initqueue
}
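For readers following the same approach, here is what the nv-hook.sh side of such a module can look like. This is an added example written for this page, not code from the post above or from the dracut-tpm repository. It assumes tcsd has already been started in the initramfs (the install() above pulls it in), that the key lives at NVRAM index 1 as in the post, that the key is 64 bytes long, and that the NV area is readable with the well-known all-zero secret; all three are overridable. On failure it does nothing, so dracut's own crypt module still prompts for the passphrase.

```shell
#!/bin/sh
# nv-hook.sh: added example of a dracut initqueue hook that reads a LUKS key
# from TPM 1.2 NVRAM with tpm_nvread (TrouSerS tcsd assumed already running)
# and opens the root volume with cryptsetup.  Not the dracut-tpm repo's code.
# NV index, key size and key-file path are assumptions and can be overridden.

NV_INDEX="${NV_INDEX:-1}"                 # NVRAM index the key was stored at
NV_SIZE="${NV_SIZE:-64}"                  # assumed key length in bytes
KEYFILE="${KEYFILE:-/run/tpm-luks.key}"   # tmpfs: the key never touches disk

# Print the UUID named by rd.luks.uuid= on a kernel command line.
# Accepts "luks-<uuid>" (what RHEL 8's installer writes) and a bare "<uuid>".
# Only the first rd.luks.uuid= is used; returns 1 if there is none.
luks_uuid_from_cmdline() {
    for _arg in $1; do
        case "$_arg" in
            rd.luks.uuid=*)
                _u="${_arg#rd.luks.uuid=}"
                printf '%s\n' "${_u#luks-}"
                return 0
                ;;
        esac
    done
    return 1
}

# Read NV_SIZE bytes from NV_INDEX into KEYFILE (mode 0600).
# -z authenticates with the well-known (all-zero) secret; if the NV area was
# defined with a real owner or NV password, use -p instead.
read_tpm_key() {
    umask 077
    tpm_nvread -i "$NV_INDEX" -s "$NV_SIZE" -f "$KEYFILE" -z >/dev/null 2>&1 || return 1
    [ -s "$KEYFILE" ]
}

# Open the volume as luks-<uuid>, the mapping name dracut and
# systemd-cryptsetup use, then delete the key file whatever cryptsetup returned.
# $2 overrides the device path (used to exercise the function without a disk).
unlock_luks() {
    _uuid="$1"
    _dev="${2:-/dev/disk/by-uuid/$_uuid}"
    [ -e "$_dev" ] || return 1
    _rc=0
    cryptsetup luksOpen --key-file "$KEYFILE" "$_dev" "luks-$_uuid" || _rc=$?
    rm -f "$KEYFILE"
    return $_rc
}

# Every failure falls through silently: dracut's crypt module then prompts
# for the passphrase, which is the fallback you want when the TPM path breaks.
main() {
    _uuid=$(luks_uuid_from_cmdline "$(cat /proc/cmdline)") || return 0
    [ -e "/dev/mapper/luks-$_uuid" ] && return 0      # already unlocked
    read_tpm_key || return 0
    unlock_luks "$_uuid" || return 0
}

# Run only inside a dracut initramfs, so the functions can also be sourced
# and exercised on an installed system.
if [ -f /lib/dracut-lib.sh ]; then
    main
fi
```

Two checks worth doing alongside this: in the module's module-setup.sh, declare depends() { echo crypt; } so dracut pulls in its own 90crypt module (cryptsetup together with the udev rules and systemd units that drive it) rather than relying on inst_multiple cryptsetup alone; and verify what actually landed in the image from the installed system with lsinitrd /boot/initramfs-$(uname -r).img | grep -E 'cryptsetup|tpm_nvread|tcsd', instead of finding out in the emergency shell after the timeout.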

Responses