add TPM to initramfs in main/hwe?
56 Replies
bsherman
bshermanOP•6mo ago
so
M2
M2•6mo ago
Super down
bsherman
bshermanOP•6mo ago
my suggestion is to add https://github.com/ublue-os/bazzite/blob/341941bb54ba8e3650bcf3ee82f6167edb986f53/system_files/desktop/shared/usr/lib/dracut/dracut.conf.d/90-ublue.conf to main repo... and also start doing an initramfs rebuild there to enable it. this also meshes nicely with this already being in config https://github.com/ublue-os/config/tree/main/build/ublue-os-luks
M2
M2•6mo ago
Yeah
p5
p5•6mo ago
Any downsides? If not, SGTM!
bsherman
bshermanOP•6mo ago
slightly larger main images since we'll be rebuilding initramfs, but users can use them to auto-unlock luks with TPM and not require rebuilding initramfs
M2
M2•6mo ago
Also fido2 for yubikey
bsherman
bshermanOP•6mo ago
yeah i think it's a worthy trade off more i think about it
M2
M2•6mo ago
And we enable compression with zstd
bsherman
bshermanOP•6mo ago
/remind me to create this ticket later tonight
M2
M2•6mo ago
GitHub
Add Initramfs build to all images · Issue #593 · ublue-os/main
Describe the package Currently a user will have to create a local initramfs if they wish to use tpm2, fido, and pkcs11 for LUKS decryption. Information on the package We've been building a cust...
bsherman
bshermanOP•6mo ago
@M2 @Robert (p5) @j0rge any thoughts on this before I implement? @Kyle Gospo already weighed in and I think I correctly state his concern as wishing to avoid the extra ~200MB of a custom initramfs in main images ... which I agree with.
M2
M2•6mo ago
I think that what you all said is a good compromise
bsherman
bshermanOP•6mo ago
ok, cool. then i'll get this put together and we'll have this added 🙂
j0rge
j0rge•6mo ago
+1 from me I don't care about 200mb
bsherman
bshermanOP•6mo ago
🙂
M2
M2•6mo ago
Also make sure to add the zstd compression
bsherman
bshermanOP•6mo ago
?
j0rge
j0rge•6mo ago
This has become the zstd cycle for the initramfs, I think bazzifin have that already but it wasn't a default
M2
M2•6mo ago
Bazzite and Bluefin does this to shrink it down
bsherman
bshermanOP•6mo ago
that's yet another feature 🙂
M2
M2•6mo ago
Helps make the size difference negligible
bsherman
bshermanOP•6mo ago
I may 😲 GASP add that file WITHOUT an RPM!
j0rge
j0rge•6mo ago
finally, we've broken him.
bsherman
bshermanOP•6mo ago
random, but we probably should also have Fedora release versioned config. our RPMs are wrong
bsherman
bshermanOP•6mo ago
GitHub
feat: add tpm/fidopkcs11 LUKS unlock config to dracut by bsherman ·...
This enables any install to regenerate initramfs and automatically pickup these options for auto LUKS unlock on boot. Closes: ublue-os/main#593
bsherman
bshermanOP•6mo ago
GitHub
feat: set dracut zstd compression for initramfs regen by bsherman ·...
With this change any regenerated initramfs, either at runtime when configured by a user, or at build time for downstreams like hwe, bazzite, bluefin/aurora, the resulting initramfs image will be co...
bsherman
bshermanOP•6mo ago
@j0rge this is your zstd joy with main re-built with new dracut configs, i'm going to build hwe
M2
M2•6mo ago
did you do akmods first?
bsherman
bshermanOP•6mo ago
good point i'll do akmods 😄
M2
M2•6mo ago
we need a rebuild the world button in main
bsherman
bshermanOP•6mo ago
yeah
M2
M2•6mo ago
Since we did all of this stuff today. https://github.com/ublue-os/main/pull/558
GitHub
feat: Add clevis-dracut to enable tang decryption by m2Giles · Pull...
Clevis is another scheme for supporting LUKS decryption via tpm2 and/or a network based decryption scheme. Clevis is already included in our images; however, clevis-dracut is not. We've recentl...
M2
M2•6mo ago
Should this get nuked?
bsherman
bshermanOP•6mo ago
i think what was added today is lighter than the clevis solution... so we could close this as we've addressed the primary goal a different way?
M2
M2•6mo ago
agreed I think clevis is in coreOS by default. I'm now kinda curious to look and see what's in the initramfs by default there
bsherman
bshermanOP•6mo ago
since the changes to luks/tpm scripts are related to this thread... i'm necro-ing it 🙂 anyway, i'm testing the script changes in the PR like i said i'd do... now that i have the swtpm workaround 😄
M2
M2•6mo ago
All good?
bsherman
bshermanOP•6mo ago
a couple comments. these 2 comments are just informational and validating things are good and safe to operate: https://github.com/ublue-os/config/pull/302/files#r1667432410 @M2 https://github.com/ublue-os/config/pull/302/files#r1667429020 this probably should have been a "request changes" on PR... so i'll adjust a bit. happy to discuss for next few minutes 🙂 But I'll be checking out pretty soon for family evening
M2
M2•6mo ago
no worries. the idea with the check on a passphrase in key-slot 0 is if you have done any modifications to your keyslots we shouldn't do anything automated. while I see that you confirmed that systemd-cryptenroll won't wipe the last slot, this was just some additional paranoia
bsherman
bshermanOP•6mo ago
yeah, i thought that was the case, but the script does so little EXCEPT for hand holding the addition of tpm unlock... I struggle with how we prevent the user from doing exactly what they requested.
M2
M2•6mo ago
Fair point. Also, it does require a passphrase on enrollment. it's the wipe-slot that personally more concerns me. well, it requires a decryption method on enrollment
bsherman
bshermanOP•6mo ago
right that's why i did some testing on various wipe-slot scenarios
M2
M2•6mo ago
we can remove the paranoia check given your confirmation
bsherman
bshermanOP•6mo ago
the way i see it, if a user has wiped all slots EXCEPT TPM2, systemd-cryptenroll correctly prevents wiping the tpm2 slot... but... that user is already gambling on no PCR check fails...
M2
M2•6mo ago
lol so true alright I accept that argument
bsherman
bshermanOP•6mo ago
i think we could consider adding a hint if we see that "oh, my friend, you are gambling with your data, please add a recovery key ASAP" LOL but that can 100% be in a distinct PR... this one has gotten pretty noisy and best to close it up with the nice improvements we already have
M2
M2•6mo ago
I agree. Let's remove the paranoia check and that can be added to the list of further improvements
bsherman
bshermanOP•6mo ago
yeah, the "oops, only have a tpm2 slot" is rough... one cannot use systemd-cryptenroll to add a recovery key in that state, BUT there is that method i put in comment to add a passphrase
cryptsetup luksAddKey --token-id TPM2_ID --token-type systemd-tpm2 LUKS_DEVICE
M2
M2•6mo ago
you can extract the passphrase being used by the tpm I believe. I know I had to do that with clevis at one point when I got in a similar state but yeah... it's no bueno
bsherman
bshermanOP•6mo ago
personally, i'm happy to have spent some more time playing with the luks tools... it's good to be familiar with them
M2
M2•6mo ago
i'm out for the day
bsherman
bshermanOP•6mo ago
cool. let me know when that change is in, we'll get it approved and merged. i'm out. I've approved the PR, but it needs another approver.
M2
M2•6mo ago
@j0rge @Kyle Gospo @Robert (p5) @EyeCantCU