Add TPM 1.2 support by oldium · Pull Request #462 · latchset/clevis

oldium · 2024-05-05T21:34:49Z

This patch series adds TPM 1.2 support and fixes few other things (I can split this into multiple Pull Requests if you wish):

Added missing shutdown SystemD dependencies when using DefaultDependencies=no.
When Dracut without SystemD is used, benefit cryptsetup unlocking workflow to let it handle the crypttab and other options. This uses pipe to unlock with password similarly like the initramfs-tools image does. See commit message for more details.
Added full support for TPM 1.2.

Status:

[✅ Done] Clevis encrypt, decrypt, bind support
[✅ Done] initramfs-tools support
[✅ Done] Systemd support
[✅ Done] Manual page for clevis-encrypt-tpm1
[✅ Done] Tests for tpm1 pin
[✅ Done] Dracut support

Example usage:

Boot and unlock with TPM1.2:
clevis luks bind -d /dev/<device> tpm1 '{"pcr_ids":"0,4,7"}'
Encrypt and decrypt:
echo test | clevis encrypt tpm1 '{"pcr_ids":"0,4,7"}' | clevis decrypt

Tested:

Tested with initramfs-tools, used both TPM 1.2 and null pins with "fail":true to test success and failed unlocking
Tested with Dracut with SystemD. Tested both success and failed cases
Tested with Dracut without SystemD (module was disabled). Tested both success and failed cases
Tested with Dracut without SystemD (module was disabled), with programmatically changed detection that null pin is a network pin. Tested that with rd.neednet the unlocking happens after network gets online.

Fixes: #84, #456

oldium · 2024-06-30T16:54:54Z

Work is done, pre-built packages for Debian 12 and amd64 arch are available here https://github.com/oldium/clevis/releases/tag/v20_tpm1

oldium · 2024-07-03T07:49:22Z

The CentOS test build image needs some love, the mirrorlist.centos.org site does not exist any more it seems.

oldium · 2024-07-03T20:48:39Z

Rebased to latest master to fix the build.

sergio-correia

@oldium: Thanks, I finally had a chance to review this again. Looks very nice, but I pointed a few small issues to fix. Please, also rebase on top of the current master. Also, are you going to autosquash those fixup commits?

oldium · 2026-04-14T14:30:06Z

Thanks @sergio-correia for the review, I now feel like a kid. I saw the code so many times and have not noticed that 😅. I will fix all your findings and auto-squash it.

oldium · 2026-04-14T17:12:53Z

The issue with Dracut 110 is reported here #545

guilherme-puida · 2026-04-15T14:44:23Z

I commented this in #545 as well, but clevis 20-1ubuntu2 was uploaded with a patch that fixes the ordering issue.

oldium · 2026-04-16T22:18:53Z

I will rebase onto #549 to create a non-conflicting branch.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

The DefaultDependencies=yes option adds conflicting dependency on the shutdown.target automatically to ensure the service is terminated during the shutdown, so add it when we use DefaultDependencies=no. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

Current Dracut integration for bootup without Systemd ignores all cryptsetup options, which are usually handled by Dracut itself (like reading /etc/crypttab). We need to hook into the Dracut cryptsetup process in order to allow Dracut handling the options and us handling the password only. Dracut uses generated udev rules to create cryptsetup unlocking scripts in initqueue/settled dynamically when the corresponding device appears. The unlocking tries to unlock by the key file first and then by password read from user. We can hook into the key file reading stage by providing our own pipe and send the password via the pipe similarly to how the initramfs-tools clevisloop is doing it. There is one difference, though, we have only one try to unlock, but that should be enough. For the network pins (tang and sss/tang at the moment) we can move the generated Dracut cryptsetup unlocking scripts to initqueue/online to ensure the unlocking happens at the right time. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

This is useful during testing. Signed-off-by: Oldřich Jedlička <oldium.pro.gmail.com>

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

oldium · 2026-04-17T19:19:12Z

Updated, rebased, autosquashed. Ready to be merged 😊

oldium · 2026-04-17T19:27:53Z

Latest release v22_tpm1 is here https://github.com/oldium/clevis/releases/tag/v22_tpm1 as usual.

Built images:

Debian: 14 (Forky), 13 (Trixie), 12 (Bookworm), 11 (Bullseye)
Ubuntu: 26.04 (Resolute Raccoon), 25.10 (Questing Quokka), 24.04 (Noble Numbat)
CentOS: Stream 10, Stream 9
Fedora: 45, 44, 43, 42, 41, 40, 39

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

This is a weak requirement, so when TCSD is missing, it does not influence the Clevis askpass service startup. Similarly if the TCSD startup fails, it does not affect the Clevis askpass service startup. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

The command fails in Docker or otherwise limited environments, so skip the test when it is not usable. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

Fix usage of uninitialized ${orig} value. Also test exactly the string without having newlines added by echo. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

oldium · 2026-04-18T18:38:54Z

New packages with fixed PCR validation will arrive soon.

sergio-correia

Very nice job, thank you! I will merge this.

oldium · 2026-04-18T22:46:46Z

One small step for a man, one giant leap for mankind 😁

Thank you very much!

akostadinov · 2026-04-20T17:53:25Z

Thank you @oldium , now we can run our old gear for another 15 years!

github-advanced-security AI found potential problems May 5, 2024

View reviewed changes

Comment thread src/initramfs-tools/hooks/clevis.in Fixed

oldium force-pushed the feature/tpm1 branch 2 times, most recently from 556332d to 04d5e9f Compare May 5, 2024 22:09

github-advanced-security AI found potential problems May 5, 2024

View reviewed changes

Comment thread src/pins/tang/tests/tang-common-test-functions.in Fixed

oldium force-pushed the feature/tpm1 branch 4 times, most recently from 2c32eb7 to a7de265 Compare May 8, 2024 14:26

oldium force-pushed the feature/tpm1 branch from a7de265 to d0b6fdb Compare June 18, 2024 19:36

github-advanced-security AI found potential problems Jun 18, 2024

View reviewed changes

oldium force-pushed the feature/tpm1 branch from d0b6fdb to a13d426 Compare June 18, 2024 19:50

github-advanced-security AI found potential problems Jun 18, 2024

View reviewed changes

Comment thread src/luks/dracut/clevis/clevis-luks-unlocker.in Fixed

oldium force-pushed the feature/tpm1 branch 2 times, most recently from b4cc648 to e83e669 Compare June 23, 2024 12:20

github-advanced-security AI found potential problems Jun 23, 2024

View reviewed changes

oldium force-pushed the feature/tpm1 branch 3 times, most recently from dc1c5c3 to 40bfdf4 Compare June 23, 2024 13:46

oldium marked this pull request as ready for review June 23, 2024 14:08

oldium changed the title ~~[WIP] Add TPM 1.2 support~~ Add TPM 1.2 support Jun 23, 2024

oldium mentioned this pull request Jun 23, 2024

Dracut fails to boot with Clevis 20 #456

Open

oldium force-pushed the feature/tpm1 branch from 40bfdf4 to ad0d447 Compare June 23, 2024 14:51

oldium mentioned this pull request Jun 30, 2024

Dracut module issue detecting TANG for "rd.neednet" injection #468

Open

oldium force-pushed the feature/tpm1 branch 2 times, most recently from 000c78a to b79a306 Compare July 2, 2024 20:39

oldium mentioned this pull request Jul 2, 2024

TPM 1.2 chip not supported? A TPM2 device with the in-kernel resource manager is needed! #256

Closed

oldium force-pushed the feature/tpm1 branch from b79a306 to d56a4d5 Compare July 3, 2024 20:46

sergio-correia requested changes Apr 14, 2026

View reviewed changes

oldium added 6 commits April 17, 2026 17:46

luks: fix tests not testing the values

4571e62

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

luks: allow reading used set of pins by clevis scripts

c5d200c

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

luks: support printing the null pin configuration

0b432dd

This is useful during testing. Signed-off-by: Oldřich Jedlička <oldium.pro.gmail.com>

tests: introduce common test functions shared between tests

26cd424

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

sergio-correia reviewed Apr 18, 2026

View reviewed changes

Comment thread src/pins/tpm1/clevis-encrypt-tpm1

oldium added 12 commits April 18, 2026 20:32

tpm1: added encrypt and decrypt support for TPM 1.2 as tpm1 pin

42c2036

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

tpm1: added TPM 1.2 (tpm1 pin) tests

1b6f079

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

tpm1: added TPM 1.2 (tpm1 pin) documentation

c14786f

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

initramfs: added TPM 1.2 support for initramfs-tools

59a93f8

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

dracut: added TPM 1.2 support for Dracut

490bd07

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

tpm1: allow testing tpm1 pin in CI build

8aad940

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

tpm2: added TPM 2 software TPM tests

b094da7

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

initramfs: fix running on root-only readable initrd filesystem

7649e6b

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

luks: check if keyutils are usable before running tests

f4946aa

The command fails in Docker or otherwise limited environments, so skip the test when it is not usable. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

tpm2: fix wrong expected value usage

f160b84

Fix usage of uninitialized ${orig} value. Also test exactly the string without having newlines added by echo. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

template: add precondition checks during installation into initrd

5b13469

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

sergio-correia approved these changes Apr 18, 2026

View reviewed changes

Conversation

oldium commented May 5, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

oldium commented Jun 30, 2024

Uh oh!

oldium commented Jul 3, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

oldium commented Jul 3, 2024

Uh oh!

sergio-correia left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

oldium commented Apr 14, 2026

Uh oh!

oldium commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

guilherme-puida commented Apr 15, 2026

Uh oh!

oldium commented Apr 16, 2026

Uh oh!

oldium commented Apr 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

oldium commented Apr 17, 2026

Uh oh!

Uh oh!

oldium commented Apr 18, 2026

Uh oh!

sergio-correia left a comment

Choose a reason for hiding this comment

Uh oh!

oldium commented Apr 18, 2026

Uh oh!

akostadinov commented Apr 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

10 participants

oldium commented May 5, 2024 •

edited

Loading

oldium commented Jul 3, 2024 •

edited

Loading

oldium commented Apr 14, 2026 •

edited

Loading

oldium commented Apr 17, 2026 •

edited

Loading