Hi to all,
I’m trying to get a non-root partition encrypted with LUKS decrypted and mounted automatically using TPM2. Unfortunately, I’m not able to get this working. At every reboot, I need to manually insert the password to unlock the partition and continue to the login screen. I’m currently using a fresh installation of Fedora 40.
Here are some details about what I’ve done so far.
First some hardware configuration.
$ inxi -Fxz
System:
Kernel: 6.8.11-300.fc40.x86_64 arch: x86_64 bits: 64 compiler: gcc
v: 2.41-37.fc40
Desktop: GNOME v: 46.2 Distro: Fedora Linux 40 (Workstation Edition)
Machine:
Type: Laptop System: LENOVO product: 20N6001JUK v: ThinkPad P53s
serial: <superuser required>
Mobo: LENOVO model: 20N6001JUK v: SDK0J40697 WIN
serial: <superuser required> UEFI: LENOVO v: N2IETA4W (1.82 )
date: 02/22/2024
Battery:
ID-1: BAT0 charge: 45.6 Wh (94.8%) condition: 48.1/57.0 Wh (84.4%)
volts: 12.3 min: 11.5 model: SMP 02DL012 status: discharging
CPU:
Info: quad core model: Intel Core i7-8665U bits: 64 type: MT MCP
arch: Comet/Whiskey Lake note: check rev: C cache: L1: 256 KiB L2: 1024 KiB
L3: 8 MiB
Speed (MHz): avg: 537 high: 700 min/max: 400/4800 cores: 1: 700 2: 600
3: 700 4: 400 5: 700 6: 400 7: 400 8: 400 bogomips: 33599
Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Graphics:
Device-1: Intel WhiskeyLake-U GT2 [UHD Graphics 620] vendor: Lenovo
driver: i915 v: kernel arch: Gen-9.5 bus-ID: 00:02.0
Device-2: NVIDIA GP108GLM [Quadro P520] vendor: Lenovo driver: nvidia
v: 550.78 arch: Pascal bus-ID: 3c:00.0
Device-3: Chicony ThinkPad T490 Webcam driver: uvcvideo type: USB
bus-ID: 1-8:3
Display: wayland server: X.Org v: 24.1 with: Xwayland v: 24.1.0
compositor: gnome-shell driver: dri: iris gpu: i915
resolution: 1920x1080~60Hz
API: OpenGL v: 4.6 vendor: intel mesa v: 24.0.8 glx-v: 1.4
direct-render: yes renderer: Mesa Intel UHD Graphics 620 (WHL GT2)
API: EGL Message: EGL data requires eglinfo. Check --recommends.
Audio:
Device-1: Intel Cannon Point-LP High Definition Audio vendor: Lenovo
driver: snd_hda_intel v: kernel bus-ID: 00:1f.3
API: ALSA v: k6.8.11-300.fc40.x86_64 status: kernel-api
Server-1: JACK v: 1.9.22 status: off
Server-2: PipeWire v: 1.0.7 status: active
Network:
Device-1: Intel Cannon Point-LP CNVi [Wireless-AC] driver: iwlwifi v: kernel
bus-ID: 00:14.3
IF: wlp0s20f3 state: up mac: <filter>
Device-2: Intel Ethernet I219-LM vendor: Lenovo driver: e1000e v: kernel
port: N/A bus-ID: 00:1f.6
IF: enp0s31f6 state: down mac: <filter>
Bluetooth:
Device-1: Intel Bluetooth 9460/9560 Jefferson Peak (JfP) driver: btusb
v: 0.8 type: USB bus-ID: 1-10:5
Report: btmgmt ID: hci0 rfk-id: 4 state: up address: <filter> bt-v: 5.1
lmp-v: 10
Drives:
Local Storage: total: 476.94 GiB used: 26.35 GiB (5.5%)
ID-1: /dev/nvme0n1 vendor: Western Digital model: PC SN720
SDAQNTW-512G-1001 size: 476.94 GiB temp: 44.9 C
Partition:
ID-1: / size: 271.44 GiB used: 25.25 GiB (9.3%) fs: btrfs
dev: /dev/nvme0n1p6
ID-2: /boot size: 973.4 MiB used: 463.1 MiB (47.6%) fs: ext4
dev: /dev/nvme0n1p5
ID-3: /boot/efi size: 996 MiB used: 657.6 MiB (66.0%) fs: vfat
dev: /dev/nvme0n1p1
ID-4: /home size: 271.44 GiB used: 25.25 GiB (9.3%) fs: btrfs
dev: /dev/nvme0n1p6
Swap:
ID-1: swap-1 type: zram size: 8 GiB used: 0 KiB (0.0%) dev: /dev/zram0
Sensors:
System Temperatures: cpu: 43.0 C mobo: N/A
Fan Speeds (rpm): N/A
Info:
Memory: total: 32 GiB note: est. available: 30.97 GiB used: 5.78 GiB (18.7%)
Processes: 356 Uptime: 5h 9m Init: systemd target: graphical (5)
Packages: 30 Compilers: gcc: 14.1.1 Shell: Bash v: 5.2.26 inxi: 3.3.34
From here, https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/ I got the info about Secure Boot and the TPM2 module:
$ sudo dmesg | grep Secure
[ 0.000000] secureboot: Secure boot enabled
[ 0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[ 0.013549] secureboot: Secure boot enabled
[ 5.665835] Bluetooth: hci0: Secure boot is enabled
[ 950.920211] Bluetooth: hci0: Secure boot is enabled
[ 3714.754269] Bluetooth: hci0: Secure boot is enabled
$ sudo dmesg | grep TPM
[ 0.000000] efi: TPMFinalLog=0x6fca2000 SMBIOS=0x6ddca000 SMBIOS 3.0=0x6ddbd000 ACPI=0x6fd0e000 ACPI 2.0=0x6fd0e014 MEMATTR=0x687dc018 ESRT=0x6dba3000 MOKvar=0x6c1ad000 RNG=0x6fd0d018 TPMEventLog=0x486f2018
[ 0.013620] ACPI: TPM2 0x000000006DBDA000 000034 (v04 LENOVO TP-N2I 00001820 PTEC 00000002)
So I created a LUKS partition as described here https://docs.fedoraproject.org/en-US/quick-docs/encrypting-drives-using-LUKS/#_overview_of_luks, with the result shown below:
$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
zram0 252:0 0 8G 0 disk [SWAP]
nvme0n1 259:0 0 476,9G 0 disk
├─nvme0n1p1 259:1 0 1000M 0 part /boot/efi
├─nvme0n1p2 259:2 0 16M 0 part
├─nvme0n1p3 259:3 0 183G 0 part
├─nvme0n1p4 259:4 0 1G 0 part
├─nvme0n1p5 259:5 0 1G 0 part /boot
├─nvme0n1p6 259:6 0 271,4G 0 part /home
│ /
└─nvme0n1p7 259:7 0 19,5G 0 part
└─luks-f5578c88-e00f-4000-8c64-37542b3f7d6b 253:0 0 19,5G 0 crypt
and
$ sudo cryptsetup isLuks /dev/nvme0n1p7 && echo Success
Success
I could provide the output of sudo cryptsetup luksDump /dev/nvme0n1p7 if necessary.
Then I followed, step by step, the commands in https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/
$ echo "add_dracutmodules+=\" tpm2-tss \"" | sudo tee /etc/dracut.conf.d/tpm2.conf
add_dracutmodules+=" tpm2-tss "
$ sudo systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs "0+1+2+3+4+5+7+9" /dev/nvme0n1p7
$ sudo dracut -f
Here is my /etc/crypttab:
$ cat /etc/crypttab
luks-f5578c88-e00f-4000-8c64-37542b3f7d6b UUID=f5578c88-e00f-4000-8c64-37542b3f7d6b tpm2-device=auto,tpm2-pcrs=0+1+2+3+4+5+7+9
At this point, adding the following line in /etc/fstab causes an error that locks the whole boot process.
#UUID=/dev/mapper/luks-f5578c88-e00f-4000-8c64-37542b3f7d6b /home/LUKS ext4 defaults 0 0
While deleting it (commenting it out) makes the LUKS password prompt appear at boot.
Surely I’m missing something, but I can’t actually figure it out.
I tried to be as detailed as I can. Any advice would be appreciated.
Many thanks in advance.
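The crypttab and fstab entries are where a TPM2 auto-unlock setup like the one above is easiest to get wrong, and a bad fstab entry is what drops a system into emergency mode at boot. As an added example (not code from the original post or from Fedora's documentation), this POSIX shell linter checks constructed sample entries for the crypttab field layout, the fstab device spec, mapper-name agreement between the two files, and PCR selections that change on routine updates; the mapper name and UUID in the samples are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: lint the crypttab and fstab
# entries used to auto-unlock a TPM2-bound LUKS volume. Sample lines are
# constructed; "PLACEHOLDER" stands in for the real mapper name and UUID.

CRYPTTAB_BAD='luks-PLACEHOLDER UUID=PLACEHOLDER tpm2-device=auto,tpm2-pcrs=0+1+2+3+4+5+7+9'
CRYPTTAB_GOOD='luks-PLACEHOLDER UUID=PLACEHOLDER none tpm2-device=auto,tpm2-pcrs=0+2+7'
FSTAB_BAD='UUID=/dev/mapper/luks-PLACEHOLDER /home/LUKS ext4 defaults 0 0'
FSTAB_GOOD='/dev/mapper/luks-PLACEHOLDER /home/LUKS ext4 defaults,nofail 0 2'

# check_crypttab LINE: crypttab(5) has four fields: name, device, key file,
# options. With a TPM2 token the key file must be the literal "none";
# leaving it out shifts the options into the key-file field.
check_crypttab() {
  set -- $1
  [ $# -eq 4 ] || { echo "crypttab: expected 4 fields, got $#"; return 1; }
  [ "$3" = none ] || { echo "crypttab: key file field is '$3', expected 'none'"; return 1; }
  case "$4" in *tpm2-device=*) return 0;; esac
  echo "crypttab: no tpm2-device= option"; return 1
}

# check_fstab LINE: six fields; the device is either the mapper path or a
# bare UUID= of the filesystem inside it. "UUID=/dev/mapper/..." is neither.
check_fstab() {
  set -- $1
  [ $# -eq 6 ] || { echo "fstab: expected 6 fields, got $#"; return 1; }
  case "$1" in
    UUID=/dev/*) echo "fstab: UUID= wrapped around a device path"; return 1;;
    /dev/mapper/*|UUID=*) ;;
    *) echo "fstab: unexpected device spec '$1'"; return 1;;
  esac
  case "$4" in *nofail*) return 0;; esac
  echo "fstab: add 'nofail' so a failed unlock does not block boot"; return 1
}

# mapper_matches CRYPTTAB_LINE FSTAB_LINE: fstab must mount the device that
# crypttab creates, i.e. /dev/mapper/<name>.
mapper_matches() {
  name=${1%% *}
  set -- $2
  [ "$1" = "/dev/mapper/$name" ]
}

# volatile_pcrs LINE: print PCRs from tpm2-pcrs= that change on routine
# updates (4: boot loader binaries, 9: files GRUB reads, including the kernel
# and initrd), so a policy bound to them fails after a kernel or dracut update.
volatile_pcrs() {
  pcrs=$(printf '%s\n' "$1" | sed -n 's/.*tpm2-pcrs=\([0-9+]*\).*/\1/p' | tr '+' '\n')
  for p in $pcrs; do case "$p" in 4|9) printf '%s ' "$p";; esac; done
}
```

Run the three checks against the real /etc/crypttab and /etc/fstab lines before rebooting; each prints the first problem it finds and returns non-zero.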