Package: cryptsetup
Version: 2:2.6.1-1
Severity: normal
X-Debbugs-Cc: redstoneo...@gmail.com

Dear Maintainer,

* What led up to the situation?

On a system with: bookworm, 3 partitions (EFI, /boot, luks-encrypted-rootfs), 1 tpm, I am attempting to use either tpm2 or tpm2-with-pin in systemd-cryptenroll so that on boot, my luks2 encrypted rootfs is able to automatically use the hardware tpm (ie. auto-unlock with just tpm or with tpm-pin). Then, update /etc/crypttab with tpm2-device=(tpm path) followed by running "update-initramfs -u" to apply the changes I made to crypttab.

* Expected outcome:

No warnings output from "update-initramfs -u". Then on boot, the system automatically utilises tpm2 to auto unlock or requests the tpm-pin (if tpm-with-pin=yes was set in cryptenroll).

* Actual outcome:

Both during the output of "update-initramfs -u" AND during boot, I see the warning line:

  cryptsetup: WARNING: nvme1n1p3_crypt: ignoring unknown option 'tpm2-device'

(this also applies to the "tpm2-pin" option). Unfortunately, on boot, as per the warning, the tpm remains unused and I am asked for the other recovery key/password I have set (totally ignoring the tpm or tpm-with-pin slot within systemd-cryptenroll).

* Why do you suspect this is a bug?

According to: https://github.com/systemd/systemd/releases/tag/v251-rc1 it says "Option tpm2-pin= can be used in /etc/crypttab." However, as stated above, this is not the case (tpm-device also does not work). Others have experienced something similar: https://askubuntu.com/questions/1370877/unlock-root-disk-with-tpm2-on-impish-indri, https://answers.launchpad.net/ubuntu/+question/702266 with the only half-solution being a third party github patch: https://github.com/wmcelderry/systemd_with_tpm2

* Anything else important?

This ONLY AFFECTS the root filesystem (rootfs). If I have another drive with its own encrypted partition, this works NORMALLY with NO errors.

This means that on this system, if I add another drive, there will be no warnings from cryptsetup when running update-initramfs -u or on boot for the second drive; however, the warnings for rootfs remain (the second drive works properly with the tpm or tpm-with-pin, but rootfs does not).

-- Package-specific info:

-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-6.1.0-3-amd64 root=/dev/mapper/VG--T-LV--T ro rootflags=subvol=@rootfs quiet

-- /etc/crypttab
nvme1n1p3_crypt UUID=58c6ddd0-4608-4ecd-b1bb-3ddf8f120cba none tpm2-device=/dev/tpmrm0,luks,discard

-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/VG--T-LV--T /               btrfs   defaults,subvol=@rootfs 0       0
# /boot was on /dev/nvme1n1p2 during installation
UUID=8a4f6861-4780-45c2-8d1a-3c823612d577 /boot           ext2    defaults        0       2
# /boot/efi was on /dev/nvme0n1p1 during installation
UUID=5468-243A  /boot/efi       vfat    umask=0077      0       1

-- lsmod
Module                  Size  Used by
mei_hdcp               24576  1
pmt_telemetry          16384  0
pmt_class              16384  1 pmt_telemetry
intel_rapl_msr         20480  0
x86_pkg_temp_thermal   20480  0
intel_powerclamp       20480  0
coretemp               20480  0
kvm_intel             380928  0
kvm                  1130496  1 kvm_intel
irqbypass              16384  1 kvm
rapl                   20480  0
intel_cstate           20480  0
intel_uncore          212992  0
pcspkr                 16384  0
wmi_bmof               16384  0
bnep                   28672  2
qrtr                   49152  4
binfmt_misc            24576  1
nls_ascii              16384  1
nls_cp437              20480  1
vfat                   24576  1
fat                    90112  1 vfat
snd_sof_pci_intel_tgl  16384  0
snd_sof_intel_hda_common 188416  1 snd_sof_pci_intel_tgl
soundwire_intel        49152  1 snd_sof_intel_hda_common
soundwire_generic_allocation 16384  1 soundwire_intel
soundwire_cadence      40960  1 soundwire_intel
snd_sof_intel_hda      20480  1 snd_sof_intel_hda_common
snd_sof_pci            24576  2 snd_sof_intel_hda_common,snd_sof_pci_intel_tgl
snd_sof_xtensa_dsp     16384  1 snd_sof_intel_hda_common
snd_sof               274432  2 snd_sof_pci,snd_sof_intel_hda_common
snd_sof_utils          20480  1 snd_sof
snd_soc_hdac_hda       24576  1 snd_sof_intel_hda_common
asus_wmi               61440  0
snd_hda_ext_core       40960  2 snd_sof_intel_hda_common,snd_soc_hdac_hda
platform_profile       16384  1 asus_wmi
snd_soc_acpi_intel_match 73728  2 snd_sof_intel_hda_common,snd_sof_pci_intel_tgl
sparse_keymap          16384  1 asus_wmi
ext4                  978944  1
iTCO_wdt               16384  0
btusb                  65536  0
intel_pmc_bxt          16384  1 iTCO_wdt
snd_soc_acpi           16384  2 snd_soc_acpi_intel_match,snd_sof_intel_hda_common
iwlwifi               360448  0
snd_soc_core          348160  4 soundwire_intel,snd_sof,snd_sof_intel_hda_common,snd_soc_hdac_hda
btrtl                  28672  1 btusb
iTCO_vendor_support    16384  1 iTCO_wdt
mbcache                16384  1 ext4
btbcm                  24576  1 btusb
mei_me                 53248  1
watchdog               45056  1 iTCO_wdt
snd_compress           28672  1 snd_soc_core
btintel                45056  1 btusb
btmtk                  16384  1 btusb
jbd2                  167936  1 ext4
soundwire_bus         102400  3 soundwire_intel,soundwire_generic_allocation,soundwire_cadence
mei                   159744  2 mei_hdcp,mei_me
bluetooth             950272 13 btrtl,btmtk,btintel,btbcm,bnep,btusb
cfg80211             1122304  1 iwlwifi
uvcvideo              131072  0
videobuf2_vmalloc      20480  1 uvcvideo
videobuf2_memops       20480  1 videobuf2_vmalloc
snd_hda_codec_realtek 167936  1
videobuf2_v4l2         36864  1 uvcvideo
videobuf2_common       73728  4 videobuf2_vmalloc,videobuf2_v4l2,uvcvideo,videobuf2_memops
snd_hda_codec_generic  98304  1 snd_hda_codec_realtek
ledtrig_audio          16384  2 snd_hda_codec_generic,asus_wmi
videodev              294912  3 videobuf2_v4l2,uvcvideo,videobuf2_common
jitterentropy_rng      16384  1
snd_hda_codec_hdmi     81920  3
drbg                   45056  1
mc                     77824  4 videodev,videobuf2_v4l2,uvcvideo,videobuf2_common
ansi_cprng             16384  0
ecdh_generic           16384  1 bluetooth
rfkill                 36864  8 asus_wmi,bluetooth,cfg80211
ecc                    40960  1 ecdh_generic
crc16                  16384  2 bluetooth,ext4
snd_hda_intel          57344  5
snd_intel_dspcfg       36864  3 snd_hda_intel,snd_sof,snd_sof_intel_hda_common
snd_intel_sdw_acpi     20480  2 snd_sof_intel_hda_common,snd_intel_dspcfg
snd_hda_codec         184320  6 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec_realtek,snd_soc_hdac_hda,snd_sof_intel_hda
intel_vsec             20480  0
snd_hda_core          122880  9 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hda_intel,snd_hda_ext_core,snd_hda_codec,snd_hda_codec_realtek,snd_sof_intel_hda_common,snd_soc_hdac_hda,snd_sof_intel_hda
snd_hwdep              16384  1 snd_hda_codec
snd_pcm               159744 11 snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec,soundwire_intel,snd_sof,snd_sof_intel_hda_common,snd_compress,snd_soc_core,snd_sof_utils,snd_hda_core
snd_timer              49152  1 snd_pcm
processor_thermal_device_pci 16384  0
processor_thermal_device 20480  1 processor_thermal_device_pci
processor_thermal_rfim 16384  1 processor_thermal_device
snd                   126976 20 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hwdep,snd_hda_intel,snd_hda_codec,snd_hda_codec_realtek,snd_sof,snd_timer,snd_compress,snd_soc_core,snd_pcm
processor_thermal_mbox 16384  2 processor_thermal_rfim,processor_thermal_device
processor_thermal_rapl 20480  1 processor_thermal_device
intel_rapl_common      32768  2 intel_rapl_msr,processor_thermal_rapl
soundcore              16384  1 snd
ac                     20480  0
int3400_thermal        20480  0
acpi_thermal_rel       16384  1 int3400_thermal
intel_pmc_core         53248  0
acpi_tad               20480  0
acpi_pad              184320  0
acpi_als               20480  2
industrialio_triggered_buffer 16384  1 acpi_als
kfifo_buf              16384  1 industrialio_triggered_buffer
cdc_mbim               20480  0
sg                     40960  0
int3403_thermal        20480  0
industrialio          110592  3 industrialio_triggered_buffer,acpi_als,kfifo_buf
hid_multitouch         32768  0
joydev                 28672  0
int340x_thermal_zone   20480  2 int3403_thermal,processor_thermal_device
cdc_wdm                32768  1 cdc_mbim
serio_raw              20480  0
evdev                  28672 28
msr                    16384  0
parport_pc             40960  0
ppdev                  24576  0
lp                     20480  0
parport                73728  3 parport_pc,lp,ppdev
fuse                  176128  3
efi_pstore             16384  0
configfs               57344  1
efivarfs               24576  1
ip_tables              36864  0
x_tables               61440  1 ip_tables
autofs4                53248  2
btrfs                1773568  1
blake2b_generic        20480  0
xor                    24576  1 btrfs
raid6_pq              122880  1 btrfs
zstd_compress         294912  1 btrfs
libcrc32c              16384  1 btrfs
crc32c_generic         16384  0
sd_mod                 65536  0
dm_crypt               61440  1
dm_mod                184320  6 dm_crypt
uas                    32768  0
usb_storage            81920  1 uas
scsi_mod              282624  4 sd_mod,usb_storage,uas,sg
scsi_common            16384  4 scsi_mod,usb_storage,uas,sg
cdc_ncm                45056  1 cdc_mbim
cdc_ether              24576  1 cdc_ncm
usbnet                 57344  3 cdc_mbim,cdc_ncm,cdc_ether
mii                    16384  1 usbnet
usbhid                 65536  0
hid_generic            16384  0
i915                 3330048  4
nouveau              2449408  1
nvme                   53248  3
drm_buddy              20480  1 i915
mxm_wmi                16384  1 nouveau
i2c_algo_bit           16384  2 i915,nouveau
crc32_pclmul           16384  0
xhci_pci               24576  0
nvme_core             159744  4 nvme
crc32c_intel           24576  3
drm_display_helper    212992  2 i915,nouveau
xhci_hcd              315392  1 xhci_pci
t10_pi                 16384  2 sd_mod,nvme_core
cec                    61440  2 drm_display_helper,i915
ghash_clmulni_intel    16384  0
rc_core                69632  1 cec
crc64_rocksoft_generic 16384  1
drm_ttm_helper         16384  1 nouveau
crc64_rocksoft         20480  1 t10_pi
ttm                    94208  3 drm_ttm_helper,i915,nouveau
crc_t10dif             20480  1 t10_pi
sha512_ssse3           49152  1
i2c_hid_acpi           16384  0
crct10dif_generic      16384  0
usbcore               344064 12 xhci_hcd,usbnet,usbhid,cdc_mbim,cdc_ncm,usb_storage,cdc_wdm,uvcvideo,btusb,xhci_pci,cdc_ether,uas
drm_kms_helper        229376  3 drm_display_helper,i915,nouveau
i2c_hid                32768  1 i2c_hid_acpi
intel_lpss_pci         28672  0
crct10dif_pclmul       16384  1
i2c_i801               36864  0
sha512_generic         16384  1 sha512_ssse3
intel_lpss             16384  1 intel_lpss_pci
crc64                  20480  2 crc64_rocksoft,crc64_rocksoft_generic
aesni_intel           393216  2
drm                   663552  9 drm_kms_helper,drm_display_helper,drm_buddy,drm_ttm_helper,i915,ttm,nouveau
psmouse               184320  0
crypto_simd            16384  1 aesni_intel
cryptd                 28672  3 crypto_simd,ghash_clmulni_intel
thunderbolt           376832  0
i2c_smbus              20480  1 i2c_i801
hid                   155648  4 i2c_hid,usbhid,hid_multitouch,hid_generic
idma64                 20480  0
usb_common             16384  3 xhci_hcd,usbcore,uvcvideo
crct10dif_common       16384  3 crct10dif_generic,crc_t10dif,crct10dif_pclmul
fan                    20480  0
video                  65536  3 asus_wmi,i915,nouveau
battery                28672  1 asus_wmi
wmi                    36864  5 video,asus_wmi,wmi_bmof,mxm_wmi,nouveau
button                 24576  1 nouveau

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-3-amd64 (SMP w/20 CPU threads; PREEMPT)
Kernel taint flags: TAINT_DIE, TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup depends on:
ii  cryptsetup-bin         2:2.6.1-1
ii  debconf [debconf-2.0]  1.5.82
ii  dmsetup                2:1.02.185-2
ii  libc6                  2.36-8

cryptsetup recommends no packages.

Versions of packages cryptsetup suggests:
ii  cryptsetup-initramfs    2:2.6.1-1
ii  dosfstools              4.2-1
pn  keyutils                <none>
ii  liblocale-gettext-perl  1.07-5

-- debconf information:
  cryptsetup/prerm_active_mappings: true
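The report boils down to a mismatch between who reads /etc/crypttab at boot: the "ignoring unknown option" line is printed by the cryptsetup initramfs scripts, while tpm2-device= and tpm2-pin= are options that systemd-cryptsetup understands. A useful pre-reboot check is therefore to scan crypttab for options only systemd knows about, and to confirm whether the generated initramfs actually carries systemd-cryptsetup. The script below is an added example and not part of the bug report or of the cryptsetup package; the option list is an assumption drawn from systemd's crypttab(5), the sample crypttab is constructed with placeholder UUIDs, and the lsinitramfs check assumes Debian's initramfs-tools.

```shell
#!/bin/sh
# Added example, not part of the bug report: scan a crypttab for options that
# only systemd-cryptsetup understands, so the "ignoring unknown option"
# warning can be caught before rebooting. The option list is an assumption
# drawn from systemd's crypttab(5); extend it as needed.

SYSTEMD_ONLY_OPTS="tpm2-device tpm2-pin tpm2-pcrs tpm2-measure-pcr fido2-device pkcs11-uri"

# Constructed sample crypttab modelled on the report's entry; the UUIDs are
# placeholders, not real devices.
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
nvme1n1p3_crypt UUID=00000000-0000-0000-0000-000000000000 none tpm2-device=/dev/tpmrm0,luks,discard
data_crypt UUID=11111111-1111-1111-1111-111111111111 none luks,discard
'

# Print every systemd-only option name found in one comma-separated
# crypttab option field ($1), one per line.
systemd_only_opts_in() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r opt; do
        name=${opt%%=*}          # strip any =value part
        for known in $SYSTEMD_ONLY_OPTS; do
            if [ "$name" = "$known" ]; then
                printf '%s\n' "$name"
            fi
        done
    done
}

# Read crypttab text on stdin and print "<target> <option>" for each
# systemd-only option, mirroring what the initramfs hook would warn about.
check_crypttab_opts() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line                     # split into the crypttab fields
        [ $# -ge 4 ] || continue         # no option field, nothing to check
        for name in $(systemd_only_opts_in "$4"); do
            printf '%s %s\n' "$1" "$name"
        done
    done
}

# Does an initramfs image carry systemd-cryptsetup (the component that does
# understand tpm2-device=)? Assumes Debian's lsinitramfs from initramfs-tools.
initramfs_has_systemd_cryptsetup() {
    lsinitramfs "$1" 2>/dev/null | grep -q '/systemd-cryptsetup$'
}

# Stand-alone run: check the constructed sample, then the live file if present.
printf '%s' "$SAMPLE_CRYPTTAB" | check_crypttab_opts
if [ -r /etc/crypttab ]; then
    check_crypttab_opts < /etc/crypttab
fi
```

On the reporter's configuration the scan prints `nvme1n1p3_crypt tpm2-device`, the same target and option named in the warning; running `initramfs_has_systemd_cryptsetup /boot/initrd.img-$(uname -r)` then tells you whether the image contains anything that could honour that option at all, which is the question the second-drive observation in the report leaves open.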