Package: clevis
Version: 11-2
Severity: important

Dear Maintainer,

I am trying to use the tpm2 luks binding to non-interactively unlock a
partition during boot.

During `dracut-initqueue` on boot I get an error in `clevis-luks-askpass` saying that `cryptsetup` cannot be found on lines 52 and 67. This is despite `cryptsetup` clearly being placed in `usr/sbin/cryptsetup` during `dracut -f`.

```
$ sudo lsinitramfs /boot/initramfs-5.0.0-25-generic.img | grep cryptsetup
usr/lib/systemd/system-generators/systemd-cryptsetup-generator
usr/lib/systemd/system/cryptsetup.target
usr/lib/systemd/system/sysinit.target.wants/cryptsetup.target
usr/lib/systemd/systemd-cryptsetup
usr/lib/x86_64-linux-gnu/libcryptsetup.so
usr/lib/x86_64-linux-gnu/libcryptsetup.so.12
usr/lib/x86_64-linux-gnu/libcryptsetup.so.12.4.0
usr/sbin/cryptsetup
```

This script enumerates the steps to reproduce this bug on a clean Debian 10 installation, using clevis 11-1. I have Debian installed as a VMWare Fusion 11.1 guest with a virtualized TPM and booting UEFI.

```bash
#!/bin/bash
# Brace expansion ({1..7}) below requires bash, not /bin/sh (dash).
sudo apt install -y dracut clevis clevis-dracut clevis-udisks2 clevis-luks \
    clevis-tpm2

# Before continuing, remove `clevis-decrypt-http`
# from `/usr/lib/dracut/modules.d/60clevis/module-setup.sh` line 39
sudo cryptsetup luksDump /dev/sda3
# Clear all key slots except 0
for ks in {1..7}
do
    sudo clevis luks unbind -d /dev/sda3 -s $ks
done

sudo tpm2_pcrlist
sudo tpm2_takeownership -c
sudo tpm2_pcrlist
echo "TPM Decryption Success" | sudo clevis encrypt tpm2 '{}' > hi.jwe
sudo clevis decrypt < hi.jwe

sudo clevis luks bind -d /dev/sda3 tpm2 '{}'
sudo cryptsetup luksDump /dev/sda3
sudo dracut -fv --regenerate-all
```

After completing these steps, shut down and then boot.

-- System Information:
Debian Release: 10.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages clevis depends on:
ii  cracklib-runtime    2.9.6-2
ii  curl                7.64.0-4
ii  jose                10-2
ii  libc6               2.28-10
ii  libjansson4         2.12-1
ii  libjose0            10-2
ii  libpwquality-tools  1.4.0-3
ii  libssl1.1           1.1.1c-1
ii  luksmeta            9-3

Versions of packages clevis recommends:
ii  cryptsetup-bin  2:2.1.0-5

clevis suggests no packages.

-- no debconf information
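A triage check for this kind of failure, added here as an example and not part of the report or of clevis: it scans an `lsinitramfs`-style listing (a constructed sample below, modelled on the listing earlier in the report) for the tools a clevis tpm2 unlock needs and reports any that are absent or that sit in a directory outside the given search PATH, which is how `usr/sbin/cryptsetup` would go unfound by a script whose PATH lacks `/usr/sbin`. The required-tool list and the PATH values are assumptions.

```shell
#!/bin/sh
# Added triage helper (not from the bug report or from clevis).

# Tools assumed to be needed by clevis-luks-askpass with the tpm2 pin.
REQUIRED_TOOLS="cryptsetup clevis-luks-askpass clevis-decrypt clevis-decrypt-tpm2 jose tpm2_unseal"

# Constructed sample in lsinitramfs format (no leading '/'); in practice
# feed the output of: lsinitramfs /boot/initramfs-<version>.img
SAMPLE_LISTING='usr/lib/systemd/systemd-cryptsetup
usr/lib/x86_64-linux-gnu/libcryptsetup.so.12
usr/sbin/cryptsetup
usr/bin/clevis-luks-askpass
usr/bin/clevis-decrypt
usr/bin/clevis-decrypt-tpm2
usr/bin/jose
usr/bin/tpm2_createprimary'

# check_initramfs LISTING PATH
# Prints "MISSING: tool" or "NOT ON PATH: tool (dir)" per problem.
# Returns 0 only when every required tool is present in a PATH directory.
check_initramfs() {
    listing="$1"; search_path="$2"; rc=0
    for tool in $REQUIRED_TOOLS; do
        # Match the tool name as a whole final path component.
        entry=$(printf '%s\n' "$listing" | grep -E "(^|/)${tool}\$" | head -n 1)
        if [ -z "$entry" ]; then
            echo "MISSING: $tool"
            rc=1
            continue
        fi
        case "$entry" in
            */*) dir="/${entry%/*}" ;;   # usr/sbin/cryptsetup -> /usr/sbin
            *)   dir="/" ;;
        esac
        case ":${search_path}:" in
            *":${dir}:"*) ;;             # directory is on the search path
            *) echo "NOT ON PATH: $tool ($dir)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Stand-alone run against the sample with a PATH that omits /usr/sbin.
if check_initramfs "$SAMPLE_LISTING" "/usr/bin:/bin"; then
    echo "all required tools are present and on PATH"
fi
```

Run it with the real listing and the PATH the initramfs environment actually uses to tell a missing binary apart from one that is merely outside PATH.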
