Thank you for the review! Turns out there is a new binary dependency after all: "libssl3", but fortunately that one is already installed by default, so should still be fine.
I've added test-case #1 (binary-depends), #2 (undefined-symbols), #3 (non-tpm/password/recovery-key), #4 (fido2) in addition to the previous test case #5 (tpm2). PTAL. ** Description changed: [Impact] * TPM2/FIDO cannot be used to unlock luks encrpyted block devices * due to missing build-time support in systemd * Error message: "TPM2 not supported on this build." [Test Plan] - # prepare test - $ sudo apt install libtss2-rc0 # runtime dependency for TPM usage + # 1: check no new binary deps have been introduced to the systemd package, other than "libssl3", which is already installed by default. + # Compare to this version of systemd 249.11-0ubuntu3.1: + $ apt-cache depends systemd + systemd + PreDepends: libblkid1 + PreDepends: libc6 + PreDepends: libcap2 + PreDepends: libgcrypt20 + PreDepends: liblz4-1 + PreDepends: liblzma5 + PreDepends: libselinux1 + PreDepends: libzstd1 + Depends: libacl1 + Depends: libapparmor1 + Depends: libaudit1 + Depends: libcrypt1 + Depends: libcryptsetup12 + Depends: libgnutls30 + Depends: libgpg-error0 + Depends: libip4tc2 + Depends: libkmod2 + Depends: liblz4-1 + Depends: libmount1 + Depends: libpam0g + Depends: libseccomp2 + Depends: libsystemd0 + Depends: util-linux + Depends: mount + Depends: adduser + Conflicts: <consolekit> + Conflicts: <libpam-ck-connector> + Conflicts: <systemd-shim> + Breaks: resolvconf + Breaks: udev + |Recommends: <default-dbus-system-bus> + dbus + Recommends: <dbus-system-bus> + dbus-broker + dbus + Recommends: networkd-dispatcher + |Recommends: systemd-timesyncd + Recommends: <time-daemon> + chrony + ntp + ntpsec + openntpd + systemd-timesyncd + Suggests: systemd-container + Suggests: policykit-1 + + # 2: check that systemd-cryptenroll doesn't have any undefined symbols that prevent it from running: + $ systemd-cryptenroll --help # this should not crash + systemd-cryptenroll [OPTIONS...] BLOCK-DEVICE + + Enroll a security token or authentication credential to a LUKS volume. 
+ + -h --help Show this help + --version Show package version + --password Enroll a user-supplied password + --recovery-key Enroll a recovery key + --pkcs11-token-uri=URI + Specify PKCS#11 security token URI + --fido2-device=PATH + Enroll a FIDO2-HMAC security token + --fido2-with-client-pin=BOOL + Whether to require entering a PIN to unlock the volume + --fido2-with-user-presence=BOOL + Whether to require user presence to unlock the volume + --fido2-with-user-verification=BOOL + Whether to require user verification to unlock the volume + --tpm2-device=PATH + Enroll a TPM2 device + --tpm2-pcrs=PCR1+PCR2+PCR3+… + Specify TPM2 PCRs to seal against + --wipe-slot=SLOT1,SLOT2,… + Wipe specified slots + + See the systemd-cryptenroll(1) man page for details. + + # initial setup $ dd if=/dev/zero of=encrypted.img bs=1 count=0 seek=100M $ echo -n "s0s3cur3" | cryptsetup luksFormat encrypted.img - $ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img - 🔐 Please enter passphrase for disk volume: s0s3cure + 🔐 Please enter passphrase for disk volume: s0s3cur3 Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img. $ sudo mkfs.ext4 /dev/mapper/volume $ sudo mount /dev/mapper/volume /mnt $ sudo touch /mnt/TPM_TEST $ ls -la /mnt drwxr-xr-x 3 root root 4096 Jun 7 15:06 . drwxr-xr-x 20 root root 4096 Apr 20 11:45 .. drwx------ 2 root root 16384 Jun 7 15:06 lost+found -rw-r--r-- 1 root root 0 Jun 7 15:06 TPM_TEST $ sudo umount /dev/mapper/volume $ sudo cryptsetup luksClose volume $ ls -la /mnt # empty - # use TPM + # 3: check non-TPM use cases (--password & --recovery-key) of systemd-cryptenroll have not regressed. 
+ # enroll additional password + $ systemd-cryptenroll --password encrypted.img + 🔐 Please enter current passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3 + 🔐 Please enter new passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cr3t + 🔐 Please enter new passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img (repeat): s0s3cr3t + New password enrolled as key slot 1. + $ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img + 🔐 Please enter passphrase for disk volume: s0s3cr3t + Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img. + $ sudo cryptsetup luksClose volume + $ systemd-cryptenroll --wipe-slot=1 encrypted.img + Wiped slot 1. + + # enroll additional recovery-key + $ systemd-cryptenroll --recovery-key encrypted.img + 🔐 Please enter current passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3 + A secret recovery key has been generated for this volume: + + 🔐 ubiegrcg-bfeheelf-bgribntv-rnefnhcn-bttrjren-jiclvrkj-klegcvdt- + nerdujlr + + Please save this secret recovery key at a secure location. It may be used to + regain access to the volume if the other configured access credentials have + been lost or forgotten. The recovery key may be entered in place of a password + whenever authentication is requested. + New recovery key enrolled as key slot 1. + $ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img + 🔐 Please enter passphrase for disk volume: ubiegrcg-bfeheelf-bgribntv-rnefnhcn-bttrjren-jiclvrkj-klegcvdt-nerdujlr + Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img. + $ sudo cryptsetup luksClose volume + $ systemd-cryptenroll --wipe-slot=1 encrypted.img + Wiped slot 1. 
+ + # 4: check FIDO2 use case: + $ sudo apt install libfido2-1 # runtime dependency for FIDO2 usage + $ systemd-cryptenroll --fido2-device=list + PATH MANUFACTURER PRODUCT + /dev/hidraw5 Yubico YubiKey OTP+FIDO+CCID + $ systemd-cryptenroll --fido2-device=auto encrypted.img + 🔐 Please enter current passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3 + Requested to lock with PIN, but FIDO2 device /dev/hidraw5 does not support it, disabling. + Initializing FIDO2 credential on security token. + 👆 (Hint: This might require confirmation of user presence on security token.) + Generating secret key on FIDO2 security token. + 👆 In order to allow secret key generation, please confirm presence on security token. + New FIDO2 token enrolled as key slot 1. + $ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img - fido2-device=auto + Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img. + Automatically discovered security FIDO2 token unlocks volume. + Asking FIDO2 token for authentication. + 👆 Please confirm presence on security token to unlock. + $ sudo cryptsetup luksClose volume + $ systemd-cryptenroll --wipe-slot=1 encrypted.img + Wiped slot 1. + + # 5: check TPM2 use case: + $ sudo apt install libtss2-rc0 # runtime dependency for TPM usage $ systemd-cryptenroll --tpm2-device=list PATH DEVICE DRIVER /dev/tpmrm0 MSFT0101:00 tpm_tis $ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 encrypted.img 🔐 Please enter current passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3 New TPM2 token enrolled as key slot 1. $ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img - tpm2-device=auto Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img. Automatically discovered security TPM2 token unlocks volume. # no password needed above! $ sudo mount /dev/mapper/volume /mnt $ ls -la /mnt drwxr-xr-x 3 root root 4096 Jun 7 15:06 . 
drwxr-xr-x 20 root root 4096 Apr 20 11:45 .. drwx------ 2 root root 16384 Jun 7 15:06 lost+found -rw-r--r-- 1 root root 0 Jun 7 15:06 TPM_TEST - #cleanup + # cleanup $ sudo umount /dev/mapper/volume $ sudo cryptsetup luksClose volume $ ls -la /mnt # empty $ sudo rm encrypted.img [Where problems could occur] * we're enabling a build-flag to allow usage of TPM/FIDO hardware * running new code paths in systemd due to enablement of a new feature, could trigger hidden bugs in systemd-cryptsetup, e.g. (un-)locking for encrypted devices * new functionality is only active/used if enabled explicitly and suggested runtime dependencies are manually installed [Other Info] * This is not necessarily fall under the HWE SRU policy, as the TPM is already there, but just can't be used via systemd-cryptencroll * In a discussion with the SRU team (@vorlon) we agreed that this should be an exception to the rule, due to low regression risk. As long as it would not pull in extra dependencies into the default installation, which it doesn't (new dependencies are only "Suggests:") * This will be enabled in Kinetic+ as soon as we merge systemd v251 from Debian: https://salsa.debian.org/systemd-team/systemd/-/commit/6b5e99f1d7f63c0c83007de9f98f7745f4a564f8 === original description === systemd-cryptenroll can make use of tpm2 modules to bind against secure boot pcrs and enable auto unlocking of luks devices. Following the instructions here: https://wiki.archlinux.org/title/Trusted_Platform_Module#systemd-cryptenroll the following commands fail on ubuntu jammy (5.15.0-25-generic) root@testbox:~# systemd-cryptenroll --tpm2-device=list TPM2 not supported on this build. root@testbox:~# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sda3 🔐 Please enter current passphrase for disk /dev/sda3: *************** root@testbox:~# echo $? 
1
It appears that this issue has been resolved in the debian build for systemd here: https://salsa.debian.org/systemd-team/systemd/-/commit/6b5e99f1d7f63c0c83007de9f98f7745f4a564f8
Can we get the same modifications to the Jammy systemd build?

** Changed in: systemd (Ubuntu Jammy)
       Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1969375

Title: systemd-cryptenroll does not support TPM2 devices

Status in systemd package in Ubuntu: Triaged
Status in systemd source package in Jammy: In Progress
Status in systemd source package in Kinetic: Triaged

Bug description:

[Impact]

 * TPM2/FIDO cannot be used to unlock luks encrypted block devices
 * due to missing build-time support in systemd
 * Error message: "TPM2 not supported on this build."

[Test Plan]

# 1: check no new binary deps have been introduced to the systemd package, other than "libssl3", which is already installed by default.
# Compare to this version of systemd 249.11-0ubuntu3.1:
$ apt-cache depends systemd
systemd
  PreDepends: libblkid1
  PreDepends: libc6
  PreDepends: libcap2
  PreDepends: libgcrypt20
  PreDepends: liblz4-1
  PreDepends: liblzma5
  PreDepends: libselinux1
  PreDepends: libzstd1
  Depends: libacl1
  Depends: libapparmor1
  Depends: libaudit1
  Depends: libcrypt1
  Depends: libcryptsetup12
  Depends: libgnutls30
  Depends: libgpg-error0
  Depends: libip4tc2
  Depends: libkmod2
  Depends: liblz4-1
  Depends: libmount1
  Depends: libpam0g
  Depends: libseccomp2
  Depends: libsystemd0
  Depends: util-linux
  Depends: mount
  Depends: adduser
  Conflicts: <consolekit>
  Conflicts: <libpam-ck-connector>
  Conflicts: <systemd-shim>
  Breaks: resolvconf
  Breaks: udev
 |Recommends: <default-dbus-system-bus>
    dbus
  Recommends: <dbus-system-bus>
    dbus-broker
    dbus
  Recommends: networkd-dispatcher
 |Recommends: systemd-timesyncd
  Recommends: <time-daemon>
    chrony
    ntp
    ntpsec
    openntpd
    systemd-timesyncd
  Suggests: systemd-container
  Suggests: policykit-1

# 2: check that systemd-cryptenroll doesn't have any undefined symbols that prevent it from running:
$ systemd-cryptenroll --help # this should not crash
systemd-cryptenroll [OPTIONS...] BLOCK-DEVICE

Enroll a security token or authentication credential to a LUKS volume.

  -h --help            Show this help
     --version         Show package version
     --password        Enroll a user-supplied password
     --recovery-key    Enroll a recovery key
     --pkcs11-token-uri=URI
                       Specify PKCS#11 security token URI
     --fido2-device=PATH
                       Enroll a FIDO2-HMAC security token
     --fido2-with-client-pin=BOOL
                       Whether to require entering a PIN to unlock the volume
     --fido2-with-user-presence=BOOL
                       Whether to require user presence to unlock the volume
     --fido2-with-user-verification=BOOL
                       Whether to require user verification to unlock the volume
     --tpm2-device=PATH
                       Enroll a TPM2 device
     --tpm2-pcrs=PCR1+PCR2+PCR3+…
                       Specify TPM2 PCRs to seal against
     --wipe-slot=SLOT1,SLOT2,…
                       Wipe specified slots

See the systemd-cryptenroll(1) man page for details.
# initial setup
$ dd if=/dev/zero of=encrypted.img bs=1 count=0 seek=100M
$ echo -n "s0s3cur3" | cryptsetup luksFormat encrypted.img -
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
🔐 Please enter passphrase for disk volume: s0s3cur3
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
$ sudo mkfs.ext4 /dev/mapper/volume
$ sudo mount /dev/mapper/volume /mnt
$ sudo touch /mnt/TPM_TEST
$ ls -la /mnt
drwxr-xr-x  3 root root  4096 Jun  7 15:06 .
drwxr-xr-x 20 root root  4096 Apr 20 11:45 ..
drwx------  2 root root 16384 Jun  7 15:06 lost+found
-rw-r--r--  1 root root     0 Jun  7 15:06 TPM_TEST
$ sudo umount /dev/mapper/volume
$ sudo cryptsetup luksClose volume
$ ls -la /mnt # empty

# 3: check non-TPM use cases (--password & --recovery-key) of systemd-cryptenroll have not regressed.

# enroll additional password
$ systemd-cryptenroll --password encrypted.img
🔐 Please enter current passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3
🔐 Please enter new passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cr3t
🔐 Please enter new passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img (repeat): s0s3cr3t
New password enrolled as key slot 1.
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
🔐 Please enter passphrase for disk volume: s0s3cr3t
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
$ sudo cryptsetup luksClose volume
$ systemd-cryptenroll --wipe-slot=1 encrypted.img
Wiped slot 1.

# enroll additional recovery-key
$ systemd-cryptenroll --recovery-key encrypted.img
🔐 Please enter current passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3
A secret recovery key has been generated for this volume:

    🔐 ubiegrcg-bfeheelf-bgribntv-rnefnhcn-bttrjren-jiclvrkj-klegcvdt-nerdujlr

Please save this secret recovery key at a secure location.
It may be used to regain access to the volume if the other configured access credentials have been lost or forgotten. The recovery key may be entered in place of a password whenever authentication is requested.
New recovery key enrolled as key slot 1.
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img
🔐 Please enter passphrase for disk volume: ubiegrcg-bfeheelf-bgribntv-rnefnhcn-bttrjren-jiclvrkj-klegcvdt-nerdujlr
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
$ sudo cryptsetup luksClose volume
$ systemd-cryptenroll --wipe-slot=1 encrypted.img
Wiped slot 1.

# 4: check FIDO2 use case:
$ sudo apt install libfido2-1 # runtime dependency for FIDO2 usage
$ systemd-cryptenroll --fido2-device=list
PATH         MANUFACTURER PRODUCT
/dev/hidraw5 Yubico       YubiKey OTP+FIDO+CCID
$ systemd-cryptenroll --fido2-device=auto encrypted.img
🔐 Please enter current passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3
Requested to lock with PIN, but FIDO2 device /dev/hidraw5 does not support it, disabling.
Initializing FIDO2 credential on security token.
👆 (Hint: This might require confirmation of user presence on security token.)
Generating secret key on FIDO2 security token.
👆 In order to allow secret key generation, please confirm presence on security token.
New FIDO2 token enrolled as key slot 1.
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img - fido2-device=auto
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
Automatically discovered security FIDO2 token unlocks volume.
Asking FIDO2 token for authentication.
👆 Please confirm presence on security token to unlock.
$ sudo cryptsetup luksClose volume
$ systemd-cryptenroll --wipe-slot=1 encrypted.img
Wiped slot 1.
# 5: check TPM2 use case:
$ sudo apt install libtss2-rc0 # runtime dependency for TPM usage
$ systemd-cryptenroll --tpm2-device=list
PATH        DEVICE      DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_tis
$ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 encrypted.img
🔐 Please enter current passphrase for disk /home/lukas/canonical/systemd-dbg/encrypted.img: s0s3cur3
New TPM2 token enrolled as key slot 1.
$ sudo /usr/lib/systemd/systemd-cryptsetup attach volume encrypted.img - tpm2-device=auto
Set cipher aes, mode xts-plain64, key size 512 bits for device encrypted.img.
Automatically discovered security TPM2 token unlocks volume.
# no password needed above!
$ sudo mount /dev/mapper/volume /mnt
$ ls -la /mnt
drwxr-xr-x  3 root root  4096 Jun  7 15:06 .
drwxr-xr-x 20 root root  4096 Apr 20 11:45 ..
drwx------  2 root root 16384 Jun  7 15:06 lost+found
-rw-r--r--  1 root root     0 Jun  7 15:06 TPM_TEST

# cleanup
$ sudo umount /dev/mapper/volume
$ sudo cryptsetup luksClose volume
$ ls -la /mnt # empty
$ sudo rm encrypted.img

[Where problems could occur]

 * we're enabling a build-flag to allow usage of TPM/FIDO hardware
 * running new code paths in systemd due to enablement of a new feature could trigger hidden bugs in systemd-cryptsetup, e.g. (un-)locking for encrypted devices
 * new functionality is only active/used if enabled explicitly and suggested runtime dependencies are manually installed

[Other Info]

 * This does not necessarily fall under the HWE SRU policy, as the TPM is already there, but just can't be used via systemd-cryptenroll
 * In a discussion with the SRU team (@vorlon) we agreed that this should be an exception to the rule, due to low regression risk.
   As long as it would not pull in extra dependencies into the default installation, which it doesn't (new dependencies are only "Suggests:").
 * This will be enabled in Kinetic+ as soon as we merge systemd v251 from Debian: https://salsa.debian.org/systemd-team/systemd/-/commit/6b5e99f1d7f63c0c83007de9f98f7745f4a564f8

=== original description ===

systemd-cryptenroll can make use of tpm2 modules to bind against secure boot pcrs and enable auto unlocking of luks devices. Following the instructions here: https://wiki.archlinux.org/title/Trusted_Platform_Module#systemd-cryptenroll the following commands fail on ubuntu jammy (5.15.0-25-generic)

root@testbox:~# systemd-cryptenroll --tpm2-device=list
TPM2 not supported on this build.
root@testbox:~# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sda3
🔐 Please enter current passphrase for disk /dev/sda3: ***************
root@testbox:~# echo $?
1

It appears that this issue has been resolved in the debian build for systemd here: https://salsa.debian.org/systemd-team/systemd/-/commit/6b5e99f1d7f63c0c83007de9f98f7745f4a564f8
Can we get the same modifications to the Jammy systemd build?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1969375/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
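Test case #1 of the test plan compares the dependency lists by eye. As an added example (not from the bug report or the systemd package), the script below does that comparison mechanically with an allow list for libssl3; the two captures it parses are constructed and abbreviated, and the libconstructed-extra packages are made-up names.

```shell
#!/bin/sh
# Added example (not from the bug report): automates test case #1, comparing two
# "apt-cache depends systemd" captures and reporting new PreDepends/Depends
# entries not on an allow list. Recommends/Suggests/Conflicts/Breaks are ignored:
# they do not pull packages into a default install, which the SRU exception hinges on.

# Print the hard dependencies in an apt-cache depends capture, one per line,
# sorted and unique. "|Depends:" alternatives and their indented provider
# lines are included; virtual packages keep their <angle brackets>.
hard_deps() {
    awk '/^ *\|?[A-Za-z]+:/ { indep = ($0 ~ /^ *\|?(Pre)?Depends:/) }
         indep { sub(/^ *\|?(Pre)?Depends: */, ""); sub(/^ */, ""); print }' "$1" |
        sort -u
}

# Print hard dependencies present in the after capture ($2) but missing from
# the before capture ($1) and not in the space-separated allow list ($3).
# Returns 1 if anything was printed, 0 otherwise, so it can gate a CI job.
new_hard_deps() {
    before=$(hard_deps "$1")
    after=$(hard_deps "$2")
    status=0
    for pkg in $after; do
        if printf '%s\n' "$before" | grep -qxF -- "$pkg"; then
            continue                 # already a dependency before the change
        fi
        case " $3 " in
            *" $pkg "*) continue ;;  # allowed, e.g. libssl3 in this SRU
        esac
        printf '%s\n' "$pkg"
        status=1
    done
    return $status
}

# Constructed, abbreviated captures in apt-cache depends layout. The real
# 249.11-0ubuntu3.1 list in the test plan is longer; only the shape matters.
WORK=$(mktemp -d); BEFORE=$WORK/before.txt; AFTER=$WORK/after.txt
cat >"$BEFORE" <<'EOF'
systemd
  PreDepends: libblkid1
  PreDepends: libc6
  Depends: libcryptsetup12
  Depends: libgnutls30
  Conflicts: <systemd-shim>
 |Recommends: <default-dbus-system-bus>
    dbus
  Suggests: systemd-container
EOF
# After: libssl3 is the expected addition; libconstructed-extra1/2 are made-up
# names standing in for an unexpected "|Depends:" alternative and its provider.
{ cat "$BEFORE"; printf '  Depends: libssl3\n |Depends: libconstructed-extra1\n    libconstructed-extra2\n'; } >"$AFTER"

if new_hard_deps "$BEFORE" "$AFTER" libssl3; then
    echo "OK: no hard dependencies beyond the allow list"
else
    echo "FAIL: unexpected new hard dependencies listed above" >&2
fi
```

With real captures, point BEFORE and AFTER at the two saved outputs; for test case #2, `ldd -r` on the systemd-cryptenroll binary reports unresolved symbols independently of which code path `--help` exercises.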