Bug#1031254: cryptsetup: unable to boot rootfs from luks via tpm (cryptsetup unknown option tpm2-device tpm2-pin)

jj

Feb 13, 2023, 9:10:04 PM
Package: cryptsetup
Version: 2:2.6.1-1
Severity: normal
X-Debbugs-Cc: redsto...@gmail.com

Dear Maintainer,

* What led up to the situation?
On system with: bookworm, 3 partitions (EFI, /boot, luks-encrypted-rootfs), 1 tpm, I am attempting to use either tpm2 or tpm2-with-pin in systemd-cryptenroll so that on boot, my luks2 encrypted rootfs is able to automatically use the hardware tpm (i.e. auto-unlock with just tpm or with tpm-pin). Then, update /etc/crypttab with tpm2-device=(tpm path) followed by running "update-initramfs -u" to apply changes I made to crypttab.
* Expected outcome:
No warnings output from "update-initramfs -u". Then on boot, the system automatically utilises tpm2 to auto unlock or request tpm-pin (if set tpm-with-pin=yes in cryptenroll)
* Actual outcome:
Both during output of "update-initramfs -u" AND during boot, I see the warning line: "cryptsetup: WARNING: nvme1n1p3_crypt: ignoring unknown option 'tpm2-device'" (also applies to "tpm2-pin" option). Unfortunately, on boot, as per the warning, the tpm remains unused and I am asked for the other recovery key/password I have set (totally ignoring the tpm or tpm-with-pin slot within systemd-cryptenroll)
* Why do you suspect this is a bug?
According to: https://github.com/systemd/systemd/releases/tag/v251-rc1 it says "Option tpm2-pin= can be used in /etc/crypttab." However, as stated above, this is not the case (tpm-device also does not work).
Others have experienced something similar: https://askubuntu.com/questions/1370877/unlock-root-disk-with-tpm2-on-impish-indri, https://answers.launchpad.net/ubuntu/+question/702266 with the only half-solution being a third party github patch: https://github.com/wmcelderry/systemd_with_tpm2
* Anything else important?
This ONLY AFFECTS the root filesystem (rootfs). If I have another drive with its own encrypted partition, this works NORMALLY with NO errors. This means that on this system, if I add another drive, there will be no warnings from cryptsetup when running update-initramfs -u or on boot for the second drive, however, the warnings for rootfs remain (the second drive works properly with the tpm or tpm-with-pin, but rootfs does not).

-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-6.1.0-3-amd64 root=/dev/mapper/VG--T-LV--T ro rootflags=subvol=@rootfs quiet

-- /etc/crypttab
nvme1n1p3_crypt UUID=58c6ddd0-4608-4ecd-b1bb-3ddf8f120cba none tpm2-device=/dev/tpmrm0,luks,discard

-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/VG--T-LV--T / btrfs defaults,subvol=@rootfs 0 0
# /boot was on /dev/nvme1n1p2 during installation
UUID=8a4f6861-4780-45c2-8d1a-3c823612d577 /boot ext2 defaults 0 2
# /boot/efi was on /dev/nvme0n1p1 during installation
UUID=5468-243A /boot/efi vfat umask=0077 0 1

-- lsmod

-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-3-amd64 (SMP w/20 CPU threads; PREEMPT)
Kernel taint flags: TAINT_DIE, TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:2.6.1-1
ii debconf [debconf-2.0] 1.5.82
ii dmsetup 2:1.02.185-2
ii libc6 2.36-8

cryptsetup recommends no packages.

Versions of packages cryptsetup suggests:
ii cryptsetup-initramfs 2:2.6.1-1
ii dosfstools 4.2-1
pn keyutils <none>
ii liblocale-gettext-perl 1.07-5

-- debconf information:
cryptsetup/prerm_active_mappings: true

Wilhelm Greiner

Feb 15, 2023, 6:20:03 AM
Hi,

we also ran into that bug with cryptsetup 2:2.3.7-1+deb11u1 (Debian 11 with backported packages cryptsetup+libs).

With this bug, encrypting disks with the key in the TPM (a documented feature) is completely broken, so it should be classified as a bug.

Has anyone a workaround for that?

WG

Guilhem Moulin

Feb 15, 2023, 6:33:00 AM
On Wed, 15 Feb 2023 at 11:42:38 +0100, Wilhelm Greiner wrote:
> With this Bug encrypting Disks with key in tpm (a documented Feature) is
> completely broken, so it should be classified as bug.

This is documented in systemd, not src:cryptsetup. systemd is not
involved at the early boot stage, at least when the initramfs image is built
with initramfs-tools (Debian's current default). See crypttab(5).

--
Guilhem.
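As an added example (not code from this thread, from cryptsetup or from systemd), a POSIX shell check that scans crypttab(5) text for options that only systemd-cryptsetup honours, so an entry like the rootfs line in this report is flagged at `update-initramfs -u` time rather than discovered at the boot prompt. The option list, the function names and the sample entries are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the bug thread or the cryptsetup package.
# Reads crypttab(5) text on stdin and reports options that only
# systemd-cryptsetup understands. When initramfs-tools builds the initrd,
# the cryptsetup-initramfs scripts print "ignoring unknown option" for these
# and fall back to the passphrase prompt, which is the behaviour reported.
# Assumption: option names taken from systemd's crypttab(5); list is
# illustrative, not exhaustive.
SYSTEMD_ONLY_OPTS="tpm2-device tpm2-pin tpm2-pcrs fido2-device pkcs11-uri"

# Print "<mapping> <option>" for every systemd-only option, one per line.
# Comment and blank lines are skipped; the 4th field is split on ',' and the
# part before '=' is compared against the list.
find_systemd_only_opts() {
    while read -r name _device _keyfile options; do
        case "$name" in '' | '#'*) continue ;; esac
        for opt in $(printf '%s' "$options" | tr ',' ' '); do
            key=${opt%%=*}
            for known in $SYSTEMD_ONLY_OPTS; do
                [ "$key" = "$known" ] && printf '%s %s\n' "$name" "$key"
            done
        done
    done
    return 0
}

# Exit status 0 when the crypttab text on stdin needs a systemd-based initrd
# (at least one systemd-only option), 1 when initramfs-tools can handle it.
crypttab_needs_systemd() {
    [ -n "$(find_systemd_only_opts)" ]
}

# Constructed sample: the rootfs entry from this report plus a plain data
# disk unlocked by a key file (hypothetical UUID and path).
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
nvme1n1p3_crypt UUID=58c6ddd0-4608-4ecd-b1bb-3ddf8f120cba none tpm2-device=/dev/tpmrm0,luks,discard
data_crypt UUID=00000000-0000-0000-0000-000000000000 /etc/keys/data.key luks,discard'

# Usage on a real system: find_systemd_only_opts < /etc/crypttab
printf '%s\n' "$SAMPLE_CRYPTTAB" | find_systemd_only_opts
```

Only the rootfs mapping is reported; the data disk entry uses options the initramfs-tools hook accepts and stays silent.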

Redstone Ore

Feb 18, 2023, 8:10:08 PM
Could you elaborate more on why this occurs and are there any ways to avoid this issue?

I’ve looked at crypttab man page but couldn’t find relevant information.

(I’m new to Linux, so I don’t know too much)

Redstone Ore

Feb 28, 2023, 8:40:04 AM
In addition to my previous question: Is there a best-guess approximate time when this issue will be resolved? (Bookworm?)

Appreciate all the help,
JJ

Lars Silvén

Apr 2, 2023, 7:10:04 AM
Hi,

I got it working with a fix I found and modified from an Ubuntu version
to work also for Debian testing:
https://github.com/larssilven/systemd_with_tpm2

Cheers,
Lars

Guilhem Moulin

Apr 2, 2023, 12:43:31 PM
Oh, cool! Unfortunately that's too late for bookworm, but will be
considered for trixie (and maybe also bookworm-backports) after the
bookworm release.

--
Guilhem.