I am facing the same issue (I use clevis with TPM in my case).

> When running the unmodified scripts on a completely booted system, they work.
> So it seems that the '< <(...)' mechanism fails only in initrd (no idea why).

After a slightly deeper inspection, the issue is that initramfs scripts
are called without /dev/fd symlinked to /proc/self/fd.

You can confirm this by patching
/usr/share/initramfs-tools/scripts/local-top/clevis with:

--- clevis      
+++ clevis-fixed
@@ -112,6 +112,8 @@
     # Set the path how we want it (Probably not all needed)
     PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin"

+    [ -e /dev/fd ] || ln -s -T /proc/self/fd /dev/fd
+
     if [ -x /bin/plymouth ] && plymouth --ping; then
         cryptkeyscript='plymouth ask-for-password'
     else
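
Review bot: the guard on the added line, `[ -e /dev/fd ]`, follows symlinks, so a dangling /dev/fd link tests false and the `ln -s -T` after it then fails because the name already exists, with the exit status unchecked. Testing `[ -e /dev/fd ] || [ -L /dev/fd ]`, or using `ln -sfT /proc/self/fd /dev/fd`, would cover that case. A one-line comment above the added line saying the link is needed for the `< <(...)` redirections would also help, since the existing comment in the hunk only talks about PATH.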

With this patch, the clevis-decrypt works at boot.

This is of course not a proper fix. I think the fix should be done
either in initramfs-tools init-* scripts or in systemd/udev itself.
In my case, I can say for sure the clevis-decrypt worked in July. I
don't know which package update has broken the symlink for the clevis
initramfs script.

Best,

Nicolas Bourdaud
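
To check which state /dev/fd is in from an initramfs debug shell or a local-top hook, a small classifier like the one below can be used. It is an added example, not part of the original message, clevis or initramfs-tools; the function name `dev_fd_state` and its output strings are made up for illustration.

```shell
#!/bin/sh
# Added diagnostic (hypothetical helper, not from clevis or initramfs-tools).
# dev_fd_state [DEVDIR]: report the state of DEVDIR/fd (default /dev/fd).
# Output is one of:
#   ok                   symlink to /proc/self/fd that resolves
#   missing              nothing at DEVDIR/fd, so '< <(...)' has no /dev/fd/N to open
#   dangling:TARGET      symlink whose target does not exist ([ -e ] is false here)
#   other-target:TARGET  symlink that resolves, but not to /proc/self/fd
#   not-a-symlink        a real file or directory sits at DEVDIR/fd
dev_fd_state() {
    dfs_path="${1:-/dev}/fd"
    if [ -L "$dfs_path" ]; then
        dfs_target=$(readlink "$dfs_path")
        if [ ! -e "$dfs_path" ]; then
            # -e follows the link, so a broken link lands here
            echo "dangling:$dfs_target"
        elif [ "$dfs_target" = "/proc/self/fd" ]; then
            echo "ok"
        else
            echo "other-target:$dfs_target"
        fi
    elif [ -e "$dfs_path" ]; then
        echo "not-a-symlink"
    else
        echo "missing"
    fi
}

# Report the state of the running system's /dev/fd.
dev_fd_state /dev
```

Called early in the boot script, anything other than `ok` means bash process substitution in later scripts cannot be relied on.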
