Unsealing LUKS volume with TPM2 module - clevis issue

Posted: 2019/10/24 07:38:00
by n-tchen
Hello everybody,

I'm trying to get a LUKS volume unlocked by the TPM module on a Dell Optiplex 3060. The binding seems to work fine:

Code:

    clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_ids":"7"}'

Code:

    $ luksmeta show -d /dev/nvme0n1p3
    0   active empty
    1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
    2 inactive empty
    (...)
I got this to work with an Oracle Linux 7.6 instance on the same machine, but with CentOS 8 the system stops during boot at

Code:

    Reached target Basic System

I figured out that it's related to clevis-dracut, or rather to the clevis kernel module. When I deactivate the module with

Code:

    dracut -fv --regenerate-all -o "clevis"

(via rescue boot) the system boots again, but of course the encrypted volume does not get unlocked. I can't get anything useful out of journalctl, which is why I'm stuck at this point.

So my questions are: how can I get the system to boot with the clevis module enabled, or rather how can I find the information I need to resolve the hang during boot, and does anyone have clevis-dracut installed (with the clevis kernel module enabled) and can boot?

Thanks in advance,
Markus

Re: Unsealing LUKS volume with TPM2 module - clevis issue

Posted: 2019/10/25 11:30:13
by u297b
I'm having a similar issue with clevis, but using clevis with a tang server.

In my case I have a password set for the volume as well as a binding to the tang server; however, if the tang server is not available, dracut-initqueue enters into some type of race condition and won't boot.

For me, I've found a semi-workable solution. This may not apply to your case, but it's worth a shot. If I simply wait for dracut-initqueue to finally time out (it takes about 5-10 minutes of being hung on the "Reached Base Target" message), it eventually drops me into a dracut shell. At that point, if I simply exit the shell (Ctrl-D), boot proceeds normally.

Like you, my C7.7 server used clevis binding without a problem. I'm not sure what changed, but something obviously has.
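Editor's addition covering both posts above (the TPM2 hang in the first, the tang timeout in the second): a small diagnostic script that is not code from either poster. It assumes the stock CentOS 8 tools (luksmeta, lsinitrd, grubby, journalctl), that the UUID shown in slot 1 of the first post's luksmeta output is the tag clevis puts on the luksmeta slots it owns, and that the tang pin needs rd.neednet=1 on the kernel command line so dracut brings networking up inside the initramfs. The three check functions read command output on stdin, so they can be run offline against constructed samples; report_system only touches a live system when given a device.

```shell
#!/usr/bin/env bash
# Added diagnostic helper for the clevis boot problems in this thread; not code
# from either poster. Assumes stock CentOS 8 tools (luksmeta, lsinitrd, grubby).
set -u

# luksmeta slot UUID clevis uses to tag its bindings (assumption: it is the
# value that appears in slot 1 of the first post's `luksmeta show` output).
CLEVIS_LUKSMETA_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"

# Read `luksmeta show -d <dev>` output on stdin and print the slot numbers that
# carry an active clevis binding. Exits 1 when there is none, which is the
# first thing to rule out before blaming the initramfs.
# Constructed sample input:
#   0   active empty
#   1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
#   2 inactive empty
clevis_bound_slots() {
    awk -v uuid="$CLEVIS_LUKSMETA_UUID" '
        $2 == "active" && $3 == uuid { print $1; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Read `lsinitrd -m <image>` output on stdin (one module name per line) and
# check that the clevis dracut module is in the image; the first post dropped
# it with `dracut -o clevis`, so a rebuilt image must have it back.
initramfs_has_clevis() {
    grep -qx 'clevis'
}

# Read a kernel command line on stdin and check for rd.neednet=1. The tang pin
# can only reach its server if dracut configures the network in the initramfs;
# otherwise dracut-initqueue waits for its timeout and drops to the emergency
# shell, which is the multi-minute hang the second post describes.
cmdline_has_neednet() {
    tr ' ' '\n' | grep -qx 'rd.neednet=1'
}

# Live report for a real system, e.g.: ./clevis-boot-check.sh /dev/nvme0n1p3
report_system() {
    local dev="$1" slots
    local image="/boot/initramfs-$(uname -r).img"

    if slots=$(luksmeta show -d "$dev" | clevis_bound_slots); then
        echo "clevis binding present in slot(s): $(echo "$slots" | tr '\n' ' ')"
    else
        echo "no clevis binding on $dev; re-run clevis luks bind"
    fi

    if lsinitrd -m "$image" | initramfs_has_clevis; then
        echo "clevis dracut module is in $image"
    else
        echo "clevis dracut module missing from $image; rebuild with: dracut -f --regenerate-all"
    fi

    if cmdline_has_neednet < /proc/cmdline; then
        echo "rd.neednet=1 is set"
    else
        echo "rd.neednet=1 not set (needed for tang): grubby --update-kernel=ALL --args='rd.neednet=1'"
    fi

    # When the journal shows nothing useful: boot once with rd.debug rd.shell
    # for verbose dracut output and a shell on failure, then read the previous
    # boot with `journalctl -b -1` (requires a persistent journal, i.e.
    # /var/log/journal must exist).
    echo "next step: add 'rd.debug rd.shell' for one boot, then: journalctl -b -1 -u dracut-initqueue"
}

# Only touch the live system when a device is given, so the check functions
# can be sourced or tested offline.
if [ $# -ge 1 ]; then
    report_system "$1"
fi
```

Run it as root with the LUKS device as the only argument; with no argument it defines the functions and exits, so you can source it and feed the check functions saved command output from a broken machine.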