Include fido2 and tpm2-tss into the initramfs by default

Following my FedoraMagazine article on use of systemd-cryptenroll with fido2 or tpm2 and some user feedback I’m wondering: can we include tpm2-tools in fedora by default and add the fido2 and tpm2-tss dracut modules by default?

If those modules were present in the initramfs by default, anyone could just use FIDO2 or TPM2 to unlock their LUKS disks by using systemd-cryptenroll without further setup. Especially on Silverblue this would be a huge plus, as currently you have to A) enable initramfs regen and B) add an overlay, which as I understand it is kinda discouraged because of the implicit rebuild effort introduced on updates.

I guess this depends on the effect of adding those modules on the size of the initrd. I think your best option is to check that and open a bugzilla against dracut or a pull request for the package.
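A way to do the size check suggested above, as an added example that is not part of the thread: it builds two initrds for the running kernel, one with and one without the fido2 and tpm2-tss dracut modules, reports the growth, and confirms the modules are listed by lsinitrd. It assumes a Fedora host with dracut and lsinitrd installed and write access to /tmp; the drop-in text is the manual setup a user writes today.

```shell
#!/bin/sh
# Added example (not from the thread): measure how much the fido2 and
# tpm2-tss dracut modules add to the initramfs before proposing the default.
# Assumes dracut and lsinitrd are present; /tmp paths are our own choice.

# Drop-in (e.g. /etc/dracut.conf.d/fido2-tpm2.conf) a user writes by hand
# today to get the two modules into every rebuilt initramfs.
dracut_dropin_text() {
    printf '%s\n' 'add_dracutmodules+=" fido2 tpm2-tss "'
}

# Size in bytes of a file, portable across wc implementations.
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Integer percent growth from size $1 to size $2.
growth_pct() {
    echo $(( ($2 - $1) * 100 / $1 ))
}

# Build a baseline and an extended initrd into /tmp and compare them.
# The real system initramfs is left untouched.
compare_initrd_sizes() {
    kver=$(uname -r)
    base=/tmp/initrd-base.img
    ext=/tmp/initrd-ext.img
    dracut --force "$base" "$kver" || return 1
    dracut --force --add "fido2 tpm2-tss" "$ext" "$kver" || return 1
    b=$(file_size_bytes "$base")
    e=$(file_size_bytes "$ext")
    echo "baseline=${b}B extended=${e}B growth=$(growth_pct "$b" "$e")%"
    # lsinitrd prints the included dracut modules one per line.
    lsinitrd "$ext" | grep -E '^(fido2|tpm2-tss)$' || echo "modules not listed"
}

# Only build when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "run" ]; then
    compare_initrd_sizes
fi
```

Run it as `sh compare-initrd.sh run` on the test machine; the two image files in /tmp can then be inspected further with `lsinitrd` to see which binaries and libraries the modules pulled in.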
