
Add TPM 1.2 support #462

Merged: sergio-correia merged 18 commits into latchset:master from oldium:feature/tpm1 on Apr 18, 2026

Conversation

oldium (Contributor) commented May 5, 2024

This patch series adds TPM 1.2 support and fixes a few other things (I can split this into multiple Pull Requests if you wish):

  • Added missing shutdown SystemD dependencies when using DefaultDependencies=no.
  • When Dracut without SystemD is used, benefit from the cryptsetup unlocking workflow to let it handle the crypttab and other options. This uses a pipe to unlock with the password, similarly to how the initramfs-tools image does it. See the commit message for more details.
  • Added full support for TPM 1.2.

Status:

  • [✅ Done] Clevis encrypt, decrypt, bind support
  • [✅ Done] initramfs-tools support
  • [✅ Done] Systemd support
  • [✅ Done] Manual page for clevis-encrypt-tpm1
  • [✅ Done] Tests for tpm1 pin
  • [✅ Done] Dracut support

Example usage:

  • Boot and unlock with TPM1.2:
    clevis luks bind -d /dev/<device> tpm1 '{"pcr_ids":"0,4,7"}'
  • Encrypt and decrypt:
    echo test | clevis encrypt tpm1 '{"pcr_ids":"0,4,7"}' | clevis decrypt

Tested:

  • Tested with initramfs-tools, used both TPM 1.2 and null pins with "fail":true to test success and failed unlocking
  • Tested with Dracut with SystemD. Tested both success and failed cases
  • Tested with Dracut without SystemD (module was disabled). Tested both success and failed cases
  • Tested with Dracut without SystemD (module was disabled), with programmatically changed detection that null pin is a network pin. Tested that with rd.neednet the unlocking happens after network gets online.

Fixes: #84, #456
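The tpm1 pin examples above take a `pcr_ids` string such as `"0,4,7"`, and a later comment in this thread mentions a fix to PCR validation. The following is an added example, not Clevis's own validation code and not part of this pull request: a POSIX sh check that accepts a comma-separated list of PCR indices for a TPM 1.2, which exposes PCRs 0 through 23, and rejects empty fields, non-numeric entries and out-of-range indices. The function name `validate_pcr_ids` and the exact rejection rules are this example's own assumptions about what a pin should enforce before handing the list to the TPM tooling.

```shell
#!/bin/sh
# Added example (not Clevis's own code): validate a tpm1 pin "pcr_ids" value.
# Prints the normalised list and returns 0 on success; returns 1 otherwise.
# TPM 1.2 has 24 PCRs, indices 0..23, so anything above 23 is rejected.
validate_pcr_ids() {
    ids="$1"
    # An empty list is an error: binding to no PCRs is almost certainly a typo.
    [ -n "$ids" ] || return 1

    # Split on commas only; consecutive commas yield an empty field, which is rejected below.
    oldifs="$IFS"
    IFS=','
    set -- $ids
    IFS="$oldifs"

    out=""
    for pcr in "$@"; do
        case "$pcr" in
            ''|*[!0-9]*) return 1 ;;   # empty field or non-digit characters
        esac
        [ "$pcr" -le 23 ] || return 1  # outside the TPM 1.2 PCR range
        out="${out:+$out,}$pcr"
    done
    printf '%s' "$out"
}

# Usage (constructed sample input, mirroring the pull request's example):
# validate_pcr_ids '0,4,7'   -> prints 0,4,7 and returns 0
# validate_pcr_ids '0,24'    -> returns 1
```

Running the check before invoking the TPM tooling gives a clear error at `clevis encrypt`/`clevis luks bind` time instead of a confusing failure at unlock time in the initramfs.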

Review comment threads (all marked Fixed) were opened on: src/initramfs-tools/hooks/clevis.in, src/pins/tang/tests/tang-common-test-functions.in, src/luks/clevis-luks-tpm1-functions, src/luks/dracut/clevis-pin-tpm1/module-setup.sh.in, src/luks/dracut/clevis/clevis-luks-unlocker.in, src/initramfs-tools/scripts/local-top/clevis.in, src/luks/clevis-luks-common-functions.in, src/luks/dracut/clevis/clevis-password-unlocker.in.

oldium force-pushed the feature/tpm1 branch 2 times, most recently from 556332d to 04d5e9f on May 5, 2024 22:09
oldium force-pushed the feature/tpm1 branch 4 times, most recently from 2c32eb7 to a7de265 on May 8, 2024 14:26
oldium force-pushed the feature/tpm1 branch 2 times, most recently from b4cc648 to e83e669 on June 23, 2024 12:20
oldium force-pushed the feature/tpm1 branch 3 times, most recently from dc1c5c3 to 40bfdf4 on June 23, 2024 13:46
oldium marked this pull request as ready for review on June 23, 2024 14:08
oldium changed the title from "[WIP] Add TPM 1.2 support" to "Add TPM 1.2 support" on Jun 23, 2024
oldium (Contributor, Author) commented Jun 30, 2024

Work is done, pre-built packages for Debian 12 and amd64 arch are available here https://github.com/oldium/clevis/releases/tag/v20_tpm1

oldium (Contributor, Author) commented Jul 3, 2024

The CentOS test build image needs some love, the mirrorlist.centos.org site does not exist any more it seems.

oldium (Contributor, Author) commented Jul 3, 2024

Rebased to latest master to fix the build.

sergio-correia (Collaborator) left a review comment

@oldium: Thanks, I finally had a chance to review this again. Looks very nice, but I pointed out a few small issues to fix. Please also rebase on top of the current master. Also, are you going to autosquash those fixup commits?

Review comment threads (now outdated) were opened on: src/initramfs-tools/hooks/clevis.in, src/pins/tpm1/clevis-encrypt-tpm1, src/tests-common-functions, src/pins/tpm1/clevis-tpm1-tcsd-preload.c, src/pins/tpm1/tests/pin-tpm1-tests.
oldium (Contributor, Author) commented Apr 14, 2026

Thanks @sergio-correia for the review, I now feel like a kid. I saw the code so many times and have not noticed that 😅. I will fix all your findings and auto-squash it.

oldium (Contributor, Author) commented Apr 14, 2026

The issue with Dracut 110 is reported here #545

guilherme-puida commented
I commented this in #545 as well, but clevis 20-1ubuntu2 was uploaded with a patch that fixes the ordering issue.

oldium (Contributor, Author) commented Apr 16, 2026

I will rebase onto #549 to create a non-conflicting branch.

oldium added 6 commits April 17, 2026 17:46
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
The DefaultDependencies=yes option automatically adds a conflicting dependency on
shutdown.target to ensure the service is terminated during the shutdown, so
add it ourselves when we use DefaultDependencies=no.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
The current Dracut integration for bootup without Systemd ignores all
cryptsetup options, which are usually handled by Dracut itself (like
reading /etc/crypttab). We need to hook into the Dracut cryptsetup process
in order to let Dracut handle the options while we handle only the
password.

Dracut uses generated udev rules to create cryptsetup unlocking scripts
in initqueue/settled dynamically when the corresponding device appears. The
unlocking tries to unlock by the key file first and then by password read
from user.

We can hook into the key file reading stage by providing our own pipe and
sending the password via the pipe, similarly to how the initramfs-tools
clevisloop does it. There is one difference, though: we have only one
try to unlock, but that should be enough.

For the network pins (tang and sss/tang at the moment) we can move the
generated Dracut cryptsetup unlocking scripts to initqueue/online to
ensure the unlocking happens at the right time.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
This is useful during testing.

Signed-off-by: Oldřich Jedlička <oldium.pro.gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
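The hand-off described in the Dracut commit message above (the pin decrypts the passphrase and writes it into a pipe that the cryptsetup unlocker reads as if it were a key file, with a single attempt) is shown below as an added example. It is not Clevis's code and not part of this pull request: `fake_pin_decrypt` and `fake_cryptsetup_open` are constructed stand-ins for `clevis decrypt` and `cryptsetup open --key-file <path>`, and the passphrase is a constructed sample value. The example uses `printf '%s'` rather than `echo` so that no trailing newline becomes part of the key, the same concern the later test-fix commit in this thread mentions.

```shell
#!/bin/sh
# Added example (not Clevis's own code): one-shot passphrase hand-off over a FIFO.
# The unlocker is pointed at the FIFO path in place of a key file, so it never
# sees the passphrase on its command line or in a file on disk.
set -eu

# Stand-in for `clevis decrypt` on the stored JWE (constructed sample output).
fake_pin_decrypt() {
    printf '%s' 'constructed-passphrase'
}

# Stand-in for `cryptsetup open --key-file "$1"`: reads the whole key from the path given.
fake_cryptsetup_open() {
    keyfile="$1"
    cat "$keyfile"
}

# Create a private FIFO, start the writer in the background (opening a FIFO
# blocks until both ends are attached), let the "unlocker" read it once,
# then clean up. Prints what the unlocker received.
unlock_via_fifo() {
    tmpdir=$(mktemp -d)
    fifo="$tmpdir/keyfifo"
    mkfifo -m 0600 "$fifo"          # owner-only; the passphrase crosses this pipe

    fake_pin_decrypt > "$fifo" &
    writer=$!

    # Exactly one read: once the writer closes its end, the FIFO is spent.
    result=$(fake_cryptsetup_open "$fifo")

    wait "$writer"
    rm -rf "$tmpdir"
    printf '%s' "$result"
}

# Usage: unlock_via_fifo   -> prints constructed-passphrase
```

Because the writer closes the pipe after a single passphrase, a failed unlock cannot be retried from the same FIFO; that matches the one-try limitation the commit message calls out, and a retry would need a fresh pin invocation and a fresh pipe.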
oldium (Contributor, Author) commented Apr 17, 2026

Updated, rebased, autosquashed. Ready to be merged 😊

oldium (Contributor, Author) commented Apr 17, 2026

Latest release v22_tpm1 is here https://github.com/oldium/clevis/releases/tag/v22_tpm1 as usual.

Built images:

  • Debian: 14 (Forky), 13 (Trixie), 12 (Bookworm), 11 (Bullseye)
  • Ubuntu: 26.04 (Resolute Raccoon), 25.10 (Questing Quokka), 24.04 (Noble Numbat)
  • CentOS: Stream 10, Stream 9
  • Fedora: 45, 44, 43, 42, 41, 40, 39

A review comment thread was opened on src/pins/tpm1/clevis-encrypt-tpm1.
oldium added 12 commits April 18, 2026 20:32
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
This is a weak requirement, so when TCSD is missing, it does not influence
the Clevis askpass service startup. Similarly if the TCSD startup fails,
it does not affect the Clevis askpass service startup.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
The command fails in Docker or otherwise limited environments, so skip the
test when it is not usable.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Fix usage of uninitialized ${orig} value. Also test exactly the string
without having newlines added by echo.

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
oldium (Contributor, Author) commented Apr 18, 2026

New packages with fixed PCR validation will arrive soon.

sergio-correia (Collaborator) left a review comment

Very nice job, thank you! I will merge this.

oldium (Contributor, Author) commented Apr 18, 2026

One small step for a man, one giant leap for mankind 😁

Thank you very much!

akostadinov commented
Thank you @oldium , now we can run our old gear for another 15 years!

Development: successfully merging this pull request may close the issue "Support for TPM 1.x".

10 participants