so
Super down
my suggestion is to add https://github.com/ublue-os/bazzite/blob/341941bb54ba8e3650bcf3ee82f6167edb986f53/system_files/desktop/shared/usr/lib/dracut/dracut.conf.d/90-ublue.conf to main repo...
and also start doing an initramfs rebuild there to enable it
this also meshes nicely with this already being in config
https://github.com/ublue-os/config/tree/main/build/ublue-os-luks
Yeah
Any downsides? If not, SGTM!
slightly larger main images since we'll be rebuilding initramfs, but users can use them to auto-unlock luks with TPM and not require rebuilding initramfs
Also fido2 for yubikey
yeah
i think it's a worthy trade off more i think about it
And we enable compression with zstd
/remind me to create this ticket later tonight
Add Initramfs build to all images · Issue #593 · ublue-os/main
Describe the package Currently a user will have to create a local initramfs if they wish to use tpm2, fido, and pkcs11 for LUKS decryption. Information on the package We've been building a cust...
i added a comment with thoughts here: https://github.com/ublue-os/main/issues/593#issuecomment-2197879686
@M2 @Robert (p5) @j0rge any thoughts on this before I implement?
@Kyle Gospo already weighed in and I think I correctly state his concern as wishing to avoid the extra ~200MB of a custom initramfs in main images ... which I agree with.
I think that what you all said is a good compromise
ok, cool. then i'll get this put together and we'll have this added 🙂
+1 from me I don't care about 200mb
🙂
Also make sure to add the zstd compression
?
This has become the zstd cycle
for the initramfs, I think bazzifin have that already but it wasn't a default
bluefin/system_files/shared/usr/lib/dracut/dracut.conf.d/10-compres...
The next generation Linux workstation, designed for reliability, performance, and sustainability. - ublue-os/bluefin
Bazzite and Bluefin do this to shrink it down
that's yet another feature 🙂
Helps make the size difference negligible
I may 😲 GASP add that file WITHOUT an RPM!
finally, we've broken him.
random, but we probably should also have Fedora release versioned config
our RPMs are wrong
feat: add tpm/fidopkcs11 LUKS unlock config to dracut by bsherman ·...
This enables any install to regenerate initramfs and automatically pickup these options for auto LUKS unlock on boot.
Closes: ublue-os/main#593
feat: set dracut zstd compression for initramfs regen by bsherman ·...
With this change any regenerated initramfs, either at runtime when configured by a user, or at build time for downstreams like hwe, bazzite, bluefin/aurora, the resulting initramfs image will be co...
@j0rge this is your zstd joy
with main re-built with new dracut configs, i'm going to build hwe
did you do akmods first?
good point
i'll do akmods 😄
we need a rebuild the world button in main
yeah
Since we did all of this stuff today.
https://github.com/ublue-os/main/pull/558
feat: Add clevis-dracut to enable tang decryption by m2Giles · Pull...
Clevis is another scheme for supporting LUKS decryption via tpm2 and/or a network based decryption scheme. Clevis is already included in our images; however, clevis-dracut is not. We've recentl...
Should this get nuked?
i think what was added today is lighter than the clevis solution... so we could close this as we've addressed the primary goal a different way?
agreed
I think clevis is in coreOS by default.
I'm now kinda curious to look and see what's in the initramfs by default there
since the changes to luks/tpm scripts are related to this thread... i'm necro-ing it 🙂
anyway, i'm testing the script changes in the PR like i said i'd do... now that i have the swtpm workaround 😄
All good?
a couple comments
these 2 comments are just informational and validating things are good and safe to operate: https://github.com/ublue-os/config/pull/302/files#r1667432410
@M2 https://github.com/ublue-os/config/pull/302/files#r1667429020 this probably should have been a "request changes" on PR... so i'll adjust a bit
happy to discuss for next few minutes 🙂
But I'll be checking out pretty soon for family evening
no worries
the idea with the check on a passphrase in key-slot 0 is if you have done any modifications to your keyslots we shouldn't do anything automated
while I see that you confirmed that systemd-cryptenroll won't wipe the last slot, this was just some additional paranoia
yeah, i thought that was the case, but the script does so little EXCEPT for hand holding the addition of tpm unlock... I struggle with how we prevent the user from doing exactly what they requested.
Fair point
Also, it does require a passphrase on enrollment
it's the wipe-slot that personally more concerns me
well it requires a decryption method on enrollment
right that's why i did some testing on various wipe-slot scenarios
we can remove the paranoia check given your confirmation
the way i see it, if a user has wiped all slots EXCEPT TPM2, systemd-cryptenroll correctly prevents wiping the tpm2 slot... but... that user is already gambling on no PCR check fails...
lol
so true
alright I accept that argument
i think we could consider adding a hint if we see that "oh, my friend, you are gambling with your data, please add a recovery key ASAP" LOL
but that can 100% be in a distinct PR... this one has gotten pretty noisy and best to close it up with the nice improvements we already have
I agree. Let's remove the paranoia check and that can be added to the list of further improvements
yeah, the "oops, only have a tpm2 slot" is rough... one cannot use systemd-cryptenroll to add a recovery key in that state, BUT there is that method i put in comment to add a passphrase
you can extract the passphrase being used by the tpm I believe. I know I had to do that with clevis at one point when I got in a similar state
but yeah... it's no bueno
personally, i'm happy to have spent some more time playing with the luks tools... it's good to be familiar with them
i'm out for the day
cool. let me know when that change is in, we'll get it approved and merged
i'm out
I've approved the PR, but it needs another approver.
@j0rge @Kyle Gospo @Robert (p5) @EyeCantCU