booster: Unable to unlock root partition with tpm2 key

booster 0.11, both with and without universal:true. Dmesg and luksdump

Main part of the log is

[    4.730062] booster: no tpm devices found after 3 seconds.
[    5.048481] booster: recovering systemd-tpm2 token #0 failed: clevis.go/tpm2: unable to load data: parameter 1, error code 0x1f : integrity check failed

Not sure why booster doesn’t see tpm2, dracut works just fine with this setup.

About this issue

  • State: open
  • Created a year ago
  • Reactions: 1
  • Comments: 17 (7 by maintainers)

Most upvoted comments

Bisecting points me to c1b666775e9ac2bad4246078c8904c6a20976842

My assumption is that, as the tpm modules are built into the kernel in the archlinux packages, booster doesn’t stand a chance to capture the associated udev event, since the tpm devices are initialized even before booster enters its main method. So we should check for the presence of /dev/tpmrm0 and not use the waiters if the tpm is already there.

Something like this:

--- a/init/udev.go
+++ b/init/udev.go
@@ -2,6 +2,9 @@ package main
 
 import (
 	"fmt"
+	"github.com/google/go-tpm/legacy/tpm2"
+	"io"
+	"net"
 	"os"
 	"path/filepath"
 	"regexp"
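Review bot: the third-party import `github.com/google/go-tpm/legacy/tpm2` is mixed into the standard-library import group; keep it in its own blank-line-separated group as gofmt/goimports convention expects. Since the goal stated above is only to detect that /dev/tpmrm0 already exists, a plain os.Stat would avoid pulling the tpm2 package into this file at all.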
@@ -73,8 +76,19 @@ var (
 )
 
 func udevListener() error {
-	// Initialize tpmReadyWg
-	tpmReadyWg.Add(1)
+	var dev io.ReadWriteCloser
+
+	if enableSwEmulator {
+		dev, _ = net.Dial("tcp", ":2321") // swtpm emulator is listening at port 2321
+	} else {
+		dev, _ = tpm2.OpenTPM("/dev/tpmrm0")
+	}
+	if dev != nil {
+		dev.Close()
+	} else {
+		// Initialize tpmReadyWg
+		tpmReadyWg.Add(1)
+	}
 
 	udevConn = new(netlink.UEventConn)
 	if err := udevConn.Connect(netlink.KernelEvent); err != nil {
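Review bot: both probe errors are discarded (`dev, _ = net.Dial("tcp", ":2321")` and `dev, _ = tpm2.OpenTPM("/dev/tpmrm0")`), so a permission or busy error on an already-present /dev/tpmrm0 is indistinguishable from the node not existing yet and silently falls back to the udev waiter; log the error, or use an os.Stat presence check that treats only ErrNotExist as "not yet". Because `tpmReadyWg.Add(1)` is now conditional, whatever code path calls `tpmReadyWg.Done()` on the TPM udev event (outside this hunk) must be guarded by the same condition or wrapped in a sync.Once, otherwise a late event would panic with a negative WaitGroup counter. The return value of `dev.Close()` is also ignored.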

It fixes the "no tpm devices found" error, but I still have no luck unlocking the partition…