Hi,
I am new to FCOS. I would like to set everything up through a butane/ignition file. I started with:
variant: fcos
version: 1.4.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - XXX
      password_hash: XXX
This install worked. Now I would like to add LUKS full-disk encryption with TPM2 decryption, as described at https://docs.fedoraproject.org/en-US/fedora-coreos/storage/#_encrypted_storage_luks
variant: fcos
version: 1.4.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - XXX
      password_hash: XXX
storage:
  luks:
    - name: root
      label: luks-root
      device: /dev/disk/by-partlabel/root
      clevis:
        custom:
          needs_network: false
          pin: tpm2
          config: '{"pcr_bank":"sha1","pcr_ids":"7"}'
      wipe_volume: true
  filesystems:
    - device: /dev/mapper/root
      format: xfs
      wipe_filesystem: true
      label: root
This fails with the following error:
[ OK ] Stopped Ignition OSTree Transposefs Detect Service - Ignition OSTree: Detect Partition Transposition.
[ OK ] Stopped Ignition OSTree Transposefs Detect Service - Ignition OSTree: Detect Partition Transposition.
[FAILED] Failed to mount sysroot.mount - /sysroot.
[FAILED] Failed to load environment files: No such file or directory
[FAILED] Failed to spawn 'mount' task: No such file or directory
[FAILED] Failed with result 'resources'.
See 'systemctl status sysroot.mount' for details.
[ OK ] Startup finished in 22.895s (firmware) + 5.487s (loader) + 1.745s (kernel) + 0 (initrd) + 22.660s (userspace) = 52.789s.
Ignition has failed. Please ensure your config is valid. Note that only Ignition spec v3.0.0 configs are accepted.
A CLI validation tool to check this called ignition-validate can be downloaded from GitHub:
https://github.com/coreos/ignition/releases
Displaying logs from failed units: sysroot.mount, ignition-disks.service
Dec 29 22:27:08 systemd[1]: sysroot.mount: Failed to load environment files: No such file or directory
Dec 29 22:27:08 systemd[1]: sysroot.mount: Failed to spawn 'mount' task: No such file or directory
Dec 29 22:27:08 systemd[1]: sysroot.mount: Failed with result 'resources'.
Dec 29 22:27:08 systemd[1]: Failed to mount sysroot.mount - /sysroot.
Dec 29 22:27:08 ignition[924]: {
Dec 29 22:27:08 ignition[924]: "enabled": true,
Dec 29 22:27:08 ignition[924]: "name": "afterburn-sshkeys@core.service"
Dec 29 22:27:08 ignition[924]: }
Dec 29 22:27:08 ignition[924]: Failed with result 'exit-code'.
Dec 29 22:27:08 systemd[1]: Failed to start ignition-disks.service - Ignition (disks).
Dec 29 22:27:08 systemd[1]: ignition-disks.service: Consumed 33.059s CPU time, 16 memory peak.
Dec 29 22:27:08 systemd[1]: ignition-disks.service: Triggering OnFailure=dependencies.
Generating "/run/initramfs/rdsosreport.txt"
Entering emergency mode. Exit the shell to continue.
Type "journalctl" to view system logs.
You might want to save "/run/initramfs/rdsosreport.txt" to a USB stick or /boot after mounting them and attach it to a bug report.
Press Enter for system maintenance
(or press Control-D to continue):
My rdsosreport.txt is the following: https://paste.hostux.net/?d16a8c2be6cf3e1d#J5fzDfjJmtJLQrr8VDKghiZkeDGpowd9yRZM8yAvpHnj
I can see the following error in the report:
[ 22.970163] localhost ignition[908]: disks: createLuks: op(5): [failed] Clevis bind: exit status 1: Cmd: "clevis" "luks" "bind" "-f" "-k" "/tmp/ignition-luks-1416233492" "-d" "/run/ignition/dev_aliases/dev/disk/by-partlabel/root" "tpm2" "{\"pcr_bank\":\"sha1\",\"pcr_ids\":\"7\"}" Stdout: "" Stderr: "Unable to validate combination of PCR bank 'sha1' and PCR IDs '7'.\nUnable to perform encryption with PIN 'tpm2' and config '{\"pcr_bank\":\"sha1\",\"pcr_ids\":\"7\"}'\nError adding new binding to /run/ignition/dev_aliases/dev/disk/by-partlabel/root\n"
[ 22.970275] localhost ignition[908]: Ignition failed: failed to create luks: binding clevis device: exit status 1: Cmd: "clevis" "luks" "bind" "-f" "-k" "/tmp/ignition-luks-1416233492" "-d" "/run/ignition/dev_aliases/dev/disk/by-partlabel/root" "tpm2" "{\"pcr_bank\":\"sha1\",\"pcr_ids\":\"7\"}" Stdout: "" Stderr: "Unable to validate combination of PCR bank 'sha1' and PCR IDs '7'.\nUnable to perform encryption with PIN 'tpm2' and config '{\"pcr_bank\":\"sha1\",\"pcr_ids\":\"7\"}'\nError adding new binding to /run/ignition/dev_aliases/dev/disk/by-partlabel/root\n"
[ 22.973724] localhost systemd[1]: ignition-disks.service: Main process exited, code=exited, status=1/FAILURE
Apparently, clevis binding failed.
I don’t understand why. I am using the fTPM included in a Ryzen 3 3200G, mounted on an ASUS PRIME B450M-A II motherboard, which doesn’t have a discrete TPM.
My BIOS is correctly set to fTPM (not discrete TPM), with strict UEFI mode (CSM disabled).
When I run ls /dev in emergency mode, I can see that /dev/tpm0 and /dev/tpmrm0 are listed, so they should be accessible for the binding.
What could be the problem?
Thanks in advance for any answer.
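As an added check that is not part of the original post: the "Unable to validate combination of PCR bank ... and PCR IDs ..." line in the log is what clevis reports when it cannot read the requested bank:ids combination from the TPM before binding, so preflighting the Butane `clevis.custom.config` string against the PCR banks the TPM actually exposes shows whether the combination can work at all. The script below does that against a constructed `tpm2_pcrread`-style listing; the sample listing, its placeholder digests and the function names are assumptions of this example, and on a real machine the listing would be the output of `tpm2_pcrread` on the target.

```python
import json
import re

# Constructed sample of a `tpm2_pcrread` listing from a TPM whose only
# enabled bank is sha256. Made up for this example; not taken from the
# poster's machine. Digests are placeholders.
SAMPLE_PCRREAD = """\
  sha256:
    0 : 0x1111111111111111111111111111111111111111111111111111111111111111
    7 : 0x7777777777777777777777777777777777777777777777777777777777777777
"""

def parse_pcr_banks(listing):
    """Return {bank_name: set(pcr_ids)} from tpm2_pcrread-style output."""
    banks, current = {}, None
    for line in listing.splitlines():
        bank = re.match(r"^\s*(\w+):\s*$", line)
        if bank:
            current = bank.group(1)
            banks[current] = set()
            continue
        pcr = re.match(r"^\s*(\d+)\s*:\s*0x[0-9A-Fa-f]+\s*$", line)
        if pcr and current is not None:
            banks[current].add(int(pcr.group(1)))
    return banks

def check_clevis_tpm2_config(config_json, listing):
    """Preflight the Butane clevis.custom.config string for the tpm2 pin:
    the requested PCR bank must be enabled on the TPM and every requested
    PCR id must be readable in it. Returns (ok, message)."""
    cfg = json.loads(config_json)
    bank = cfg.get("pcr_bank")
    ids = [int(i) for i in str(cfg.get("pcr_ids", "")).split(",") if i.strip()]
    if not ids:
        return True, "no pcr_ids given: no PCR policy, bank is not consulted"
    banks = parse_pcr_banks(listing)
    if bank not in banks:
        return False, f"PCR bank '{bank}' not available; banks present: {sorted(banks)}"
    missing = [i for i in ids if i not in banks[bank]]
    if missing:
        return False, f"PCR ids {missing} not readable in bank '{bank}'"
    return True, f"bank '{bank}' with PCR ids {ids} is usable"

if __name__ == "__main__":
    for cfg in ('{"pcr_bank":"sha1","pcr_ids":"7"}',      # the poster's config
                '{"pcr_bank":"sha256","pcr_ids":"7"}'):   # same PCR, enabled bank
        print(cfg, "->", check_clevis_tpm2_config(cfg, SAMPLE_PCRREAD))
```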