I've tested systemd 249.11-0ubuntu3.3 from jammy-proposed, all looking good!
$ apt list systemd
Listing... Done
systemd/jammy-proposed,now 249.11-0ubuntu3.3 amd64 [installed]


# 1: only "libssl3" is added as a binary dependency (as expected) plus some new 
"Suggests":
$ apt-cache depends systemd > new
$ git diff --no-index old new
diff --git a/old b/new
index 3b38cbb..cd28c0c 100644
--- a/old
+++ b/new
@@ -21,6 +21,7 @@ systemd
   Depends: libmount1
   Depends: libpam0g
   Depends: libseccomp2
+  Depends: libssl3
   Depends: libsystemd0
   Depends: util-linux
   Depends: mount
@@ -44,5 +45,9 @@ systemd
     openntpd
     systemd-timesyncd
   Suggests: systemd-container
+  Suggests: libfido2-1
+  Suggests: libtss2-esys-3.0.2-0
+  Suggests: libtss2-mu0
+  Suggests: libtss2-rc0
   Suggests: policykit-1
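Review bot: the four libraries added in this hunk are Suggests, not Depends, so nothing pulls them onto a default install, and a Jammy machine where `systemd-cryptenroll --tpm2-device=` has been run still needs libtss2-esys-3.0.2-0, libtss2-mu0 and libtss2-rc0 present at unlock time; step 5 of the test plan below only installs libtss2-rc0. Worth recording in the test plan whether libtss2-rc0 drags the other two in on its own or installing all three explicitly, otherwise the plan exercises a different package set from the one a user following it gets (same point for libfido2-1 in step 4, which at least matches the single Suggests it needs).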


# 2: systemd-cryptenroll does not crash due to undefined symbols:
$ systemd-cryptenroll --help
systemd-cryptenroll [OPTIONS...] BLOCK-DEVICE

Enroll a security token or authentication credential to a LUKS volume.

  -h --help            Show this help
     --version         Show package version
     --password        Enroll a user-supplied password
     --recovery-key    Enroll a recovery key
     --pkcs11-token-uri=URI
                       Specify PKCS#11 security token URI
     --fido2-device=PATH
                       Enroll a FIDO2-HMAC security token
     --fido2-with-client-pin=BOOL
                       Whether to require entering a PIN to unlock the volume
     --fido2-with-user-presence=BOOL
                       Whether to require user presence to unlock the volume
     --fido2-with-user-verification=BOOL
                       Whether to require user verification to unlock the volume
     --tpm2-device=PATH
                       Enroll a TPM2 device
     --tpm2-pcrs=PCR1+PCR2+PCR3+…
                       Specify TPM2 PCRs to seal against
     --wipe-slot=SLOT1,SLOT2,…
                       Wipe specified slots

See the systemd-cryptenroll(1) man page for details.
$ echo $?
0


# initial setup
$ dd if=/dev/zero of=encrypted.img bs=1 count=0 seek=100M
0+0 records in
0+0 records out
0 bytes copied, 0.000629802 s, 0.0 kB/s

$ echo -n "s0s3cur3" | cryptsetup luksFormat encrypted.img -
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
🔐 Please enter passphrase for disk volume: ********                
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
$ sudo mkfs.ext4 /dev/mapper/volume
mke2fs 1.46.5 (30-Dec-2021)
Creating filesystem with 21504 4k blocks and 21504 inodes

Allocating group tables: done
Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

$ sudo mount /dev/mapper/volume /mnt
$ sudo touch /mnt/TPM_TEST
$ ls -la /mnt
total 24
drwxr-xr-x  3 root root  4096 Jun 13 10:56 .
drwxr-xr-x 20 root root  4096 Apr 20 11:45 ..
drwx------  2 root root 16384 Jun 13 10:56 lost+found
-rw-r--r--  1 root root     0 Jun 13 10:56 TPM_TEST
$ sudo umount /dev/mapper/volume
$ sudo cryptsetup luksClose volume
$ ls -la /mnt # empty
total 8
drwxr-xr-x  2 root root 4096 May  7  2021 .
drwxr-xr-x 20 root root 4096 Apr 20 11:45 ..


# 3: non-TPM use case:
$ systemd-cryptenroll --password encrypted.img
🔐 Please enter current passphrase for disk 
/home/lukas/canonical/systemd-dbg/encrypted.img: ********                
🔐 Please enter new passphrase for disk 
/home/lukas/canonical/systemd-dbg/encrypted.img: ********                
🔐 Please enter new passphrase for disk 
/home/lukas/canonical/systemd-dbg/encrypted.img (repeat): ********
New password enrolled as key slot 1.
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
🔐 Please enter passphrase for disk volume: ********                
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
$ sudo cryptsetup luksClose volume
$ systemd-cryptenroll --wipe-slot=1 encrypted.img
Wiped slot 1.

$ systemd-cryptenroll --recovery-key encrypted.img
🔐 Please enter current passphrase for disk 
/home/lukas/canonical/systemd-dbg/encrypted.img: ********                
A secret recovery key has been generated for this volume:

    🔐 fcjbduir-fdvfukdd-cfkdbnbv-ecnlbtnv-ibugtrkb-rgntjrln-ejvljbdb-kilkiuti

Please save this secret recovery key at a secure location. It may be used to
regain access to the volume if the other configured access credentials have
been lost or forgotten. The recovery key may be entered in place of a password
whenever authentication is requested.
New recovery key enrolled as key slot 1.
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
🔐 Please enter passphrase for disk volume: 
***********************************************************************
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
$ systemd-cryptenroll --wipe-slot=1 encrypted.img
Wiped slot 1.


# 4: FIDO use case:
$ systemd-cryptenroll --fido2-device=list
PATH         MANUFACTURER PRODUCT              
/dev/hidraw5 Yubico       YubiKey OTP+FIDO+CCID
$ systemd-cryptenroll --fido2-device=auto encrypted.img
🔐 Please enter current passphrase for disk 
/home/lukas/canonical/systemd-dbg/encrypted.img: ********                
Requested to lock with PIN, but FIDO2 device /dev/hidraw5 does not support it, 
disabling.
Initializing FIDO2 credential on security token.
👆 (Hint: This might require confirmation of user presence on security token.)
Generating secret key on FIDO2 security token.
👆 In order to allow secret key generation, please confirm presence on security 
token.
New FIDO2 token enrolled as key slot 1.
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img - fido2-device=auto
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
Automatically discovered security FIDO2 token unlocks volume.
Asking FIDO2 token for authentication.
👆 Please confirm presence on security token to unlock.
$ systemd-cryptenroll --wipe-slot=1 encrypted.img
Wiped slot 1.


# 5: TPM use case:
$ systemd-cryptenroll --tpm2-device=list
PATH        DEVICE      DRIVER 
/dev/tpmrm0 MSFT0101:00 tpm_tis
$ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 encrypted.img
New TPM2 token enrolled as key slot 1.
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img - tpm2-device=auto
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
Automatically discovered security TPM2 token unlocks volume.
$ sudo mount /dev/mapper/volume /mnt
$ ls -la /mnt
total 24
drwxr-xr-x  3 root root  4096 Jun 13 10:56 .
drwxr-xr-x 20 root root  4096 Apr 20 11:45 ..
drwx------  2 root root 16384 Jun 13 10:56 lost+found
-rw-r--r--  1 root root     0 Jun 13 10:56 TPM_TEST
$ sudo umount /dev/mapper/volume
$ sudo cryptsetup luksClose volume
$ ls -la /mnt # empty
total 8
drwxr-xr-x  2 root root 4096 May  7  2021 .
drwxr-xr-x 20 root root 4096 Apr 20 11:45 ..
$ sudo rm encrypted.img

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1969375

Title:
  systemd-cryptenroll does not support TPM2 devices

Status in systemd package in Ubuntu:
  In Progress
Status in systemd source package in Jammy:
  Fix Committed
Status in systemd source package in Kinetic:
  In Progress

Bug description:
  [Impact]

   * TPM2/FIDO cannot be used to unlock LUKS encrypted block devices
   * due to missing build-time support in systemd
   * Error message: "TPM2 not supported on this build."

  [Test Plan]

  # 1: check no new binary deps have been introduced to the systemd package, 
other than "libssl3", which is already installed by default.
  # Compare to this version of systemd 249.11-0ubuntu3.1:
  $ apt-cache depends systemd
  systemd
    PreDepends: libblkid1
    PreDepends: libc6
    PreDepends: libcap2
    PreDepends: libgcrypt20
    PreDepends: liblz4-1
    PreDepends: liblzma5
    PreDepends: libselinux1
    PreDepends: libzstd1
    Depends: libacl1
    Depends: libapparmor1
    Depends: libaudit1
    Depends: libcrypt1
    Depends: libcryptsetup12
    Depends: libgnutls30
    Depends: libgpg-error0
    Depends: libip4tc2
    Depends: libkmod2
    Depends: liblz4-1
    Depends: libmount1
    Depends: libpam0g
    Depends: libseccomp2
    Depends: libsystemd0
    Depends: util-linux
    Depends: mount
    Depends: adduser
    Conflicts: <consolekit>
    Conflicts: <libpam-ck-connector>
    Conflicts: <systemd-shim>
    Breaks: resolvconf
    Breaks: udev
   |Recommends: <default-dbus-system-bus>
      dbus
    Recommends: <dbus-system-bus>
      dbus-broker
      dbus
    Recommends: networkd-dispatcher
   |Recommends: systemd-timesyncd
    Recommends: <time-daemon>
      chrony
      ntp
      ntpsec
      openntpd
      systemd-timesyncd
    Suggests: systemd-container
    Suggests: policykit-1

  # 2: check that systemd-cryptenroll doesn't have any undefined symbols that 
prevent it from running:
  $ systemd-cryptenroll --help  # this should not crash
  systemd-cryptenroll [OPTIONS...] BLOCK-DEVICE

  Enroll a security token or authentication credential to a LUKS volume.

    -h --help            Show this help
       --version         Show package version
       --password        Enroll a user-supplied password
       --recovery-key    Enroll a recovery key
       --pkcs11-token-uri=URI
                         Specify PKCS#11 security token URI
       --fido2-device=PATH
                         Enroll a FIDO2-HMAC security token
       --fido2-with-client-pin=BOOL
                         Whether to require entering a PIN to unlock the volume
       --fido2-with-user-presence=BOOL
                         Whether to require user presence to unlock the volume
       --fido2-with-user-verification=BOOL
                         Whether to require user verification to unlock the 
volume
       --tpm2-device=PATH
                         Enroll a TPM2 device
       --tpm2-pcrs=PCR1+PCR2+PCR3+…
                         Specify TPM2 PCRs to seal against
       --wipe-slot=SLOT1,SLOT2,…
                         Wipe specified slots

  See the systemd-cryptenroll(1) man page for details.

  # initial setup
  $ dd if=/dev/zero of=encrypted.img bs=1 count=0 seek=100M
  $ echo -n "s0s3cur3" | cryptsetup luksFormat encrypted.img -
  $ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
  🔐 Please enter passphrase for disk volume: s0s3cur3
  Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
  $ sudo mkfs.ext4 /dev/mapper/volume
  $ sudo mount /dev/mapper/volume /mnt
  $ sudo touch /mnt/TPM_TEST
  $ ls -la /mnt
  drwxr-xr-x  3 root root  4096 Jun  7 15:06 .
  drwxr-xr-x 20 root root  4096 Apr 20 11:45 ..
  drwx------  2 root root 16384 Jun  7 15:06 lost+found
  -rw-r--r--  1 root root     0 Jun  7 15:06 TPM_TEST
  $ sudo umount /dev/mapper/volume
  $ sudo cryptsetup luksClose volume
  $ ls -la /mnt # empty

  # 3: check non-TPM use cases (--password & --recovery-key) of 
systemd-cryptenroll have not regressed.
  # enroll additional password
  $ systemd-cryptenroll --password encrypted.img
  🔐 Please enter current passphrase for disk 
/home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3
  🔐 Please enter new passphrase for disk 
/home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cr3t
  🔐 Please enter new passphrase for disk 
/home/lukas/canonical/systemd-dbg/encrypted.img (repeat): s0s3cr3t
  New password enrolled as key slot 1.
  $ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
  🔐 Please enter passphrase for disk volume: s0s3cr3t
  Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
  $ sudo cryptsetup luksClose volume
  $ systemd-cryptenroll --wipe-slot=1 encrypted.img
  Wiped slot 1.

  # enroll additional recovery-key
  $ systemd-cryptenroll --recovery-key encrypted.img
  🔐 Please enter current passphrase for disk 
/home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3
  A secret recovery key has been generated for this volume:

      🔐 ubiegrcg-bfeheelf-bgribntv-rnefnhcn-bttrjren-jiclvrkj-klegcvdt-nerdujlr

  Please save this secret recovery key at a secure location. It may be used to
  regain access to the volume if the other configured access credentials have
  been lost or forgotten. The recovery key may be entered in place of a password
  whenever authentication is requested.
  New recovery key enrolled as key slot 1.
  $ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
  🔐 Please enter passphrase for disk volume: 
ubiegrcg-bfeheelf-bgribntv-rnefnhcn-bttrjren-jiclvrkj-klegcvdt-nerdujlr
  Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
  $ sudo cryptsetup luksClose volume
  $ systemd-cryptenroll --wipe-slot=1 encrypted.img
  Wiped slot 1.

  # 4: check FIDO2 use case:
  $ sudo apt install libfido2-1 # runtime dependency for FIDO2 usage
  $ systemd-cryptenroll --fido2-device=list
  PATH         MANUFACTURER PRODUCT              
  /dev/hidraw5 Yubico       YubiKey OTP+FIDO+CCID
  $ systemd-cryptenroll --fido2-device=auto encrypted.img
  🔐 Please enter current passphrase for disk 
/home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3
  Requested to lock with PIN, but FIDO2 device /dev/hidraw5 does not support 
it, disabling.
  Initializing FIDO2 credential on security token.
  👆 (Hint: This might require confirmation of user presence on security token.)
  Generating secret key on FIDO2 security token.
  👆 In order to allow secret key generation, please confirm presence on 
security token.
  New FIDO2 token enrolled as key slot 1.
  $ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img - fido2-device=auto
  Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
  Automatically discovered security FIDO2 token unlocks volume.
  Asking FIDO2 token for authentication.
  👆 Please confirm presence on security token to unlock.
  $ sudo cryptsetup luksClose volume
  $ systemd-cryptenroll --wipe-slot=1 encrypted.img
  Wiped slot 1.

  # 5: check TPM2 use case:
  $ sudo apt install libtss2-rc0 # runtime dependency for TPM usage
  $ systemd-cryptenroll --tpm2-device=list
  PATH        DEVICE      DRIVER
  /dev/tpmrm0 MSFT0101:00 tpm_tis
  $ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 encrypted.img
  🔐 Please enter current passphrase for disk 
/home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3
  New TPM2 token enrolled as key slot 1.
  $ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img - tpm2-device=auto
  Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
  Automatically discovered security TPM2 token unlocks volume.
  # no password needed above!
  $ sudo mount /dev/mapper/volume /mnt
  $ ls -la /mnt
  drwxr-xr-x  3 root root  4096 Jun  7 15:06 .
  drwxr-xr-x 20 root root  4096 Apr 20 11:45 ..
  drwx------  2 root root 16384 Jun  7 15:06 lost+found
  -rw-r--r--  1 root root     0 Jun  7 15:06 TPM_TEST

  # cleanup
  $ sudo umount /dev/mapper/volume
  $ sudo cryptsetup luksClose volume
  $ ls -la /mnt # empty
  $ sudo rm encrypted.img

  [Where problems could occur]

   * we're enabling a build-flag to allow usage of TPM/FIDO hardware
   * running new code paths in systemd due to the enablement of a new feature 
could trigger hidden bugs in systemd-cryptsetup, e.g. (un)locking of 
encrypted devices
   * new functionality is only active/used if enabled explicitly and suggested 
runtime dependencies are manually installed

  [Other Info]

   * This does not necessarily fall under the HWE SRU policy, as the TPM is 
already there, but just can't be used via systemd-cryptenroll
   * In a discussion with the SRU team (@vorlon) we agreed that this should be 
an exception to the rule, due to low regression risk. As long as it would not 
pull in extra dependencies into the default installation, which it doesn't (new 
dependencies are only "Suggests:")
   * This will be enabled in Kinetic+ as soon as we merge systemd v251 from 
Debian: 
https://salsa.debian.org/systemd-team/systemd/-/commit/6b5e99f1d7f63c0c83007de9f98f7745f4a564f8

  === original description ===

  systemd-cryptenroll can make use of tpm2 modules to bind against
  secure boot pcrs and enable auto unlocking of luks devices.

  Following the instructions here:
  https://wiki.archlinux.org/title/Trusted_Platform_Module#systemd-cryptenroll

  the following commands fail on Ubuntu jammy (5.15.0-25-generic)

  root@testbox:~# systemd-cryptenroll --tpm2-device=list
  TPM2 not supported on this build.
  root@testbox:~# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sda3
  🔐 Please enter current passphrase for disk /dev/sda3: ***************
  root@testbox:~# echo $?
  1

  It appears that this issue has been resolved in the Debian build for
  systemd here: https://salsa.debian.org/systemd-team/systemd/-/commit/6b5e99f1d7f63c0c83007de9f98f7745f4a564f8

  Can we get the same modifications to the Jammy systemd build?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1969375/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
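Added example, not part of the bug report above and not code from the systemd package: after step 5 the only confirmation on screen is "Automatically discovered security TPM2 token unlocks volume", which says nothing about which keyslot the token protects or what it is sealed against. The script below reads the LUKS2 header JSON that `cryptsetup luksDump --dump-json-metadata DEVICE` prints, lists the credential that unlocks each keyslot (plain passphrase, systemd-tpm2 / systemd-fido2 / systemd-pkcs11 token, or systemd-recovery token) together with the PCRs a TPM2 token is bound to, and warns about two shapes a practitioner should not leave behind: a volume with no passphrase or recovery slot left (a firmware or Secure Boot db update changes PCR 7 and a TPM2-only volume then has no way in), and a TPM2 token bound to no PCRs at all. The two header samples are constructed by hand to mirror the test plan; the token type names and the "keyslots" / "tpm2-pcrs" fields follow systemd's LUKS2 token format, the blob and policy-hash values are placeholders.

```python
"""Audit which credential unlocks each LUKS2 keyslot after systemd-cryptenroll.

Added example, not part of the bug report or of systemd. Input is the JSON
printed by `cryptsetup luksDump --dump-json-metadata DEVICE`. Token type names
and the "keyslots" / "tpm2-pcrs" fields follow systemd's LUKS2 token format;
the samples below are constructed by hand and the blob values are placeholders.
"""
import json
from typing import Dict, List

SYSTEMD_TOKEN_TYPES = (
    "systemd-tpm2", "systemd-fido2", "systemd-pkcs11", "systemd-recovery",
)
# Tokens that need a device to be present and in the right state at unlock time.
HARDWARE_TOKEN_TYPES = ("systemd-tpm2", "systemd-fido2", "systemd-pkcs11")

# Constructed: header state at the end of test step 5. Slot 0 is the
# luksFormat passphrase, slot 1 the TPM2 enrollment bound to PCR 7.
SAMPLE_AFTER_STEP_5 = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {
        "0": {
            "type": "systemd-tpm2",
            "keyslots": ["1"],
            "tpm2-pcrs": [7],
            "tpm2-blob": "PLACEHOLDER",
            "tpm2-policy-hash": "PLACEHOLDER",
        }
    },
})

# Constructed: the risky shape. The only slot is TPM2-bound and the token was
# enrolled with an empty --tpm2-pcrs=, i.e. no PCR policy at all.
SAMPLE_TPM2_ONLY = json.dumps({
    "keyslots": {"1": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [],
              "tpm2-blob": "PLACEHOLDER", "tpm2-policy-hash": "PLACEHOLDER"}
    },
})


def describe_slots(metadata_json: str) -> Dict[str, str]:
    """Map each keyslot id to the credential that unlocks it.

    A slot that no systemd token references holds a plain passphrase, set by
    cryptsetup luksFormat or by systemd-cryptenroll --password.
    """
    meta = json.loads(metadata_json)
    desc = {slot: "passphrase" for slot in meta.get("keyslots", {})}
    for token in meta.get("tokens", {}).values():
        ttype = token.get("type", "")
        if ttype not in SYSTEMD_TOKEN_TYPES:
            continue  # leave tokens of other types (e.g. cryptsetup's own) alone
        detail = ttype
        if ttype == "systemd-tpm2":
            pcrs = token.get("tpm2-pcrs", [])
            detail += " pcrs=" + ("+".join(str(p) for p in pcrs) if pcrs else "none")
        for slot in token.get("keyslots", []):
            desc[str(slot)] = detail
    return desc


def audit(metadata_json: str) -> List[str]:
    """Return warnings about lockout and weak-binding risks in the header."""
    slots = describe_slots(metadata_json)
    warnings: List[str] = []
    # Every slot depends on hardware: a PCR change or lost token locks the volume.
    if slots and all(d.startswith(HARDWARE_TOKEN_TYPES) for d in slots.values()):
        warnings.append(
            "no passphrase or recovery-key slot: a PCR change (firmware or "
            "Secure Boot db update) or a lost token leaves no way to unlock"
        )
    # A TPM2 token with an empty PCR policy can be unsealed by anything that
    # can talk to this TPM, regardless of what was booted.
    for slot, detail in sorted(slots.items()):
        if detail == "systemd-tpm2 pcrs=none":
            warnings.append(
                f"slot {slot}: TPM2 token sealed to no PCRs, any code with "
                "access to this TPM can unseal it regardless of boot state"
            )
    return warnings


if __name__ == "__main__":
    import sys
    # Real use: sudo cryptsetup luksDump --dump-json-metadata encrypted.img | python3 audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AFTER_STEP_5
    for slot, detail in sorted(describe_slots(data).items()):
        print(f"slot {slot}: {detail}")
    for w in audit(data):
        print("WARNING:", w)
```

Run it against the test image with `sudo cryptsetup luksDump --dump-json-metadata encrypted.img | python3 audit.py` right after the enrollment in step 5; the expected report is slot 0 as passphrase and slot 1 as systemd-tpm2 bound to PCR 7 with no warnings, and after the `--wipe-slot=1` step only slot 0 should remain.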
