Auto mounting LUKS with TPM2

Hi to all,
I’m trying to get a non-root partition encrypted with LUKS decrypted and mounted automatically using TPM2. Unfortunately, I’m not able to get this working. At every reboot, I need to manually insert the password to unlock the partition and continue to the login screen. I’m currently using a fresh installation of Fedora 40.
Here are some details about what I’ve done so far.
First some hardware configuration.

$ inxi -Fxz
System:
  Kernel: 6.8.11-300.fc40.x86_64 arch: x86_64 bits: 64 compiler: gcc
    v: 2.41-37.fc40
  Desktop: GNOME v: 46.2 Distro: Fedora Linux 40 (Workstation Edition)
Machine:
  Type: Laptop System: LENOVO product: 20N6001JUK v: ThinkPad P53s
    serial: <superuser required>
  Mobo: LENOVO model: 20N6001JUK v: SDK0J40697 WIN
    serial: <superuser required> UEFI: LENOVO v: N2IETA4W (1.82 )
    date: 02/22/2024
Battery:
  ID-1: BAT0 charge: 45.6 Wh (94.8%) condition: 48.1/57.0 Wh (84.4%)
    volts: 12.3 min: 11.5 model: SMP 02DL012 status: discharging
CPU:
  Info: quad core model: Intel Core i7-8665U bits: 64 type: MT MCP
    arch: Comet/Whiskey Lake note: check rev: C cache: L1: 256 KiB L2: 1024 KiB
    L3: 8 MiB
  Speed (MHz): avg: 537 high: 700 min/max: 400/4800 cores: 1: 700 2: 600
    3: 700 4: 400 5: 700 6: 400 7: 400 8: 400 bogomips: 33599
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Graphics:
  Device-1: Intel WhiskeyLake-U GT2 [UHD Graphics 620] vendor: Lenovo
    driver: i915 v: kernel arch: Gen-9.5 bus-ID: 00:02.0
  Device-2: NVIDIA GP108GLM [Quadro P520] vendor: Lenovo driver: nvidia
    v: 550.78 arch: Pascal bus-ID: 3c:00.0
  Device-3: Chicony ThinkPad T490 Webcam driver: uvcvideo type: USB
    bus-ID: 1-8:3
  Display: wayland server: X.Org v: 24.1 with: Xwayland v: 24.1.0
    compositor: gnome-shell driver: dri: iris gpu: i915
    resolution: 1920x1080~60Hz
  API: OpenGL v: 4.6 vendor: intel mesa v: 24.0.8 glx-v: 1.4
    direct-render: yes renderer: Mesa Intel UHD Graphics 620 (WHL GT2)
  API: EGL Message: EGL data requires eglinfo. Check --recommends.
Audio:
  Device-1: Intel Cannon Point-LP High Definition Audio vendor: Lenovo
    driver: snd_hda_intel v: kernel bus-ID: 00:1f.3
  API: ALSA v: k6.8.11-300.fc40.x86_64 status: kernel-api
  Server-1: JACK v: 1.9.22 status: off
  Server-2: PipeWire v: 1.0.7 status: active
Network:
  Device-1: Intel Cannon Point-LP CNVi [Wireless-AC] driver: iwlwifi v: kernel
    bus-ID: 00:14.3
  IF: wlp0s20f3 state: up mac: <filter>
  Device-2: Intel Ethernet I219-LM vendor: Lenovo driver: e1000e v: kernel
    port: N/A bus-ID: 00:1f.6
  IF: enp0s31f6 state: down mac: <filter>
Bluetooth:
  Device-1: Intel Bluetooth 9460/9560 Jefferson Peak (JfP) driver: btusb
    v: 0.8 type: USB bus-ID: 1-10:5
  Report: btmgmt ID: hci0 rfk-id: 4 state: up address: <filter> bt-v: 5.1
    lmp-v: 10
Drives:
  Local Storage: total: 476.94 GiB used: 26.35 GiB (5.5%)
  ID-1: /dev/nvme0n1 vendor: Western Digital model: PC SN720
    SDAQNTW-512G-1001 size: 476.94 GiB temp: 44.9 C
Partition:
  ID-1: / size: 271.44 GiB used: 25.25 GiB (9.3%) fs: btrfs
    dev: /dev/nvme0n1p6
  ID-2: /boot size: 973.4 MiB used: 463.1 MiB (47.6%) fs: ext4
    dev: /dev/nvme0n1p5
  ID-3: /boot/efi size: 996 MiB used: 657.6 MiB (66.0%) fs: vfat
    dev: /dev/nvme0n1p1
  ID-4: /home size: 271.44 GiB used: 25.25 GiB (9.3%) fs: btrfs
    dev: /dev/nvme0n1p6
Swap:
  ID-1: swap-1 type: zram size: 8 GiB used: 0 KiB (0.0%) dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 43.0 C mobo: N/A
  Fan Speeds (rpm): N/A
Info:
  Memory: total: 32 GiB note: est. available: 30.97 GiB used: 5.78 GiB (18.7%)
  Processes: 356 Uptime: 5h 9m Init: systemd target: graphical (5)
  Packages: 30 Compilers: gcc: 14.1.1 Shell: Bash v: 5.2.26 inxi: 3.3.34

From here, https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/, I got the info about Secure Boot and the TPM2 module.

$ sudo dmesg | grep Secure
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[    0.013549] secureboot: Secure boot enabled
[    5.665835] Bluetooth: hci0: Secure boot is enabled
[  950.920211] Bluetooth: hci0: Secure boot is enabled
[ 3714.754269] Bluetooth: hci0: Secure boot is enabled

$ sudo dmesg | grep TPM
[    0.000000] efi: TPMFinalLog=0x6fca2000 SMBIOS=0x6ddca000 SMBIOS 3.0=0x6ddbd000 ACPI=0x6fd0e000 ACPI 2.0=0x6fd0e014 MEMATTR=0x687dc018 ESRT=0x6dba3000 MOKvar=0x6c1ad000 RNG=0x6fd0d018 TPMEventLog=0x486f2018 
[    0.013620] ACPI: TPM2 0x000000006DBDA000 000034 (v04 LENOVO TP-N2I   00001820 PTEC 00000002)

So I created a LUKS partition as described here https://docs.fedoraproject.org/en-US/quick-docs/encrypting-drives-using-LUKS/#_overview_of_luks, with the result shown below.

$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
zram0                                         252:0    0     8G  0 disk  [SWAP]
nvme0n1                                       259:0    0 476,9G  0 disk  
├─nvme0n1p1                                   259:1    0  1000M  0 part  /boot/efi
├─nvme0n1p2                                   259:2    0    16M  0 part  
├─nvme0n1p3                                   259:3    0   183G  0 part  
├─nvme0n1p4                                   259:4    0     1G  0 part  
├─nvme0n1p5                                   259:5    0     1G  0 part  /boot
├─nvme0n1p6                                   259:6    0 271,4G  0 part  /home
│                                                                        /
└─nvme0n1p7                                   259:7    0  19,5G  0 part  
  └─luks-f5578c88-e00f-4000-8c64-37542b3f7d6b 253:0    0  19,5G  0 crypt 

and

$ sudo cryptsetup isLuks /dev/nvme0n1p7 && echo Success
Success

I could provide the output of sudo cryptsetup luksDump /dev/nvme0n1p7 if necessary.
Then I followed, step by step, the commands in https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/

$ echo "add_dracutmodules+=\" tpm2-tss \"" | sudo tee /etc/dracut.conf.d/tpm2.conf
add_dracutmodules+=" tpm2-tss "

$ sudo systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs "0+1+2+3+4+5+7+9" /dev/nvme0n1p7

$ sudo dracut -f

Here my /etc/crypttab

$ cat /etc/crypttab 
luks-f5578c88-e00f-4000-8c64-37542b3f7d6b	 UUID=f5578c88-e00f-4000-8c64-37542b3f7d6b  tpm2-device=auto,tpm2-pcrs=0+1+2+3+4+5+7+9

At this point, adding the following line in /etc/fstab causes an error that locks the whole boot process.

#UUID=/dev/mapper/luks-f5578c88-e00f-4000-8c64-37542b3f7d6b	/home/LUKS	ext4	defaults	0 0

While deleting it (commenting it out) makes the LUKS password prompt appear at boot.
Surely I’m missing something, but I can’t actually figure it out.
I tried to be as detailed as I can. Any advice would be appreciated.
Many thanks in advance.

You could add nofail to the options for that entry in fstab to allow the system to continue booting when the device does not mount.

You could also test that fstab entry after creating it to verify it works properly by using sudo mount -a. This way you are certain it will work and not cause a lock up during boot.

I don’t use luks so cannot assist with that part, but my comments are related to using fstab and testing the entries there. There are many options that apply to the mount command and can be used in /etc/fstab.

I am guessing here, but maybe there is another option to be used in fstab for encrypted file systems.


At a guess, it’s probably the PCR set; try using just PCR 7.
Since Fedora updates so often, PCRs 4-5 and 8-9 can easily change on a day-by-day basis.

Please do not. That’s the dump of the header, basically showing key slots and other information.
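Putting the thread's pieces together, here is an added example (not code from the original post, the replies, or the Fedora articles linked above) that checks a crypttab/fstab pair for a TPM2-unlocked non-root LUKS volume before you reboot. It encodes the checks a practitioner would want: crypttab(5) has four fields (name, device, key file as `none` or `-`, options), so a three-field line like the one in the post leaves systemd reading the option string as the key-file field and falling back to a passphrase prompt; the fstab device field is either a path or a bare `UUID=`/`LABEL=` value, so `UUID=/dev/mapper/...` names a device that never appears and stalls the boot; and `nofail`, as the first reply suggests, keeps a failed unlock from blocking the rest of boot. The UUID, mount point and PCR choice (7, as the second reply suggests) are taken from the thread; the function names and the generated option set are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a crypttab/fstab
# pair for a TPM2-unlocked non-root LUKS volume before rebooting.
# Function names, the "luks-<UUID>" mapper name and the option set are
# assumptions of this example; verify on the live system afterwards.

# crypttab(5) has four fields: name, device, key-file ("none" or "-"), options.
# A three-field line makes systemd read the option string as the key-file path.
check_crypttab_line() {
    set -- $1
    if [ "$#" -lt 4 ]; then
        echo "crypttab: expected 4 fields (name device none options), got $#" >&2
        return 1
    fi
    case "$3" in
        none|-|/*) ;;
        *) echo "crypttab: third field must be none, - or a key-file path, got '$3'" >&2; return 1 ;;
    esac
    case "$4" in
        *tpm2-device=*) ;;
        *) echo "crypttab: options lack tpm2-device=auto" >&2; return 1 ;;
    esac
    return 0
}

# fstab(5) device field: a device path, or UUID=/LABEL=/PARTUUID= with a bare
# value. "UUID=/dev/mapper/..." is neither, so systemd waits for a device that
# never appears and the boot stalls. nofail keeps a failed unlock from
# blocking boot (first reply in the thread).
check_fstab_line() {
    set -- $1
    if [ "$#" -lt 4 ]; then
        echo "fstab: expected at least 4 fields (device mountpoint fstype options)" >&2
        return 1
    fi
    case "$1" in
        /dev/*) ;;
        UUID=/*|LABEL=/*|PARTUUID=/*)
            echo "fstab: '$1' mixes a tag prefix with a device path" >&2; return 1 ;;
        UUID=*|LABEL=*|PARTUUID=*) ;;
        *) echo "fstab: unrecognised device spec '$1'" >&2; return 1 ;;
    esac
    case ",$4," in
        *,nofail,*) ;;
        *) echo "fstab: add nofail so a failed unlock does not block boot" >&2; return 1 ;;
    esac
    return 0
}

# Build a matching pair of entries for the mapper name Fedora uses (luks-<UUID>).
crypttab_entry() {  # $1 = LUKS container UUID, $2 = PCR list (e.g. 7)
    printf 'luks-%s UUID=%s none tpm2-device=auto,tpm2-pcrs=%s\n' "$1" "$1" "$2"
}
fstab_entry() {     # $1 = LUKS container UUID, $2 = mount point, $3 = fstype
    printf '/dev/mapper/luks-%s %s %s defaults,nofail 0 0\n' "$1" "$2" "$3"
}

# Values from the post; the fstab line is the posted one without its leading '#'.
LUKS_UUID=f5578c88-e00f-4000-8c64-37542b3f7d6b
check_crypttab_line "luks-$LUKS_UUID UUID=$LUKS_UUID tpm2-device=auto,tpm2-pcrs=0+1+2+3+4+5+7+9" \
    || echo "posted crypttab line rejected"
check_fstab_line "UUID=/dev/mapper/luks-$LUKS_UUID /home/LUKS ext4 defaults 0 0" \
    || echo "posted fstab line rejected"

# Corrected pair, as it would be written to /etc/crypttab and /etc/fstab.
crypttab_entry "$LUKS_UUID" 7
fstab_entry "$LUKS_UUID" /home/LUKS ext4
check_crypttab_line "$(crypttab_entry "$LUKS_UUID" 7)" && echo "crypttab OK"
check_fstab_line "$(fstab_entry "$LUKS_UUID" /home/LUKS ext4)" && echo "fstab OK"
```

Run it with `sh check-luks-entries.sh` (file name assumed). On the live system, follow up with `sudo systemd-cryptenroll /dev/nvme0n1p7` (no enrolment options, which lists the enrolled slots and confirms the TPM2 slot exists) and `sudo mount -a` to exercise the fstab entry before rebooting, as the first reply recommends. One further caveat on the order of steps in the post: the enrolment bound PCR 9, which on the shim/GRUB chain Fedora uses by default holds measurements of the loaded kernel and initrd, so running `dracut -f` after enrolling changes that PCR and the sealed policy no longer matches; enrol after regenerating the initramfs, or bind PCR 7 only as the second reply suggests.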