
dependent on tpmrm instead of tpm2-abrmd

Open ackerman76 opened this issue 6 years ago • 3 comments

Thanks for these tools.

I'm trying to do automatic LUKS volume unlocks on startup with TPM2, and clevis gives me the error that a tpmrm in-kernel resource manager is required.

This is CentOS 7.6, close to the platform-tracked kernel version 4.4. We are locked to a specific realtime-patched 4.4 kernel for scientific use. I see that tpmrm, the in-kernel resource manager, was added in kernel 4.12. Why is clevis trying to use tpmrm instead of tpm2-abrmd or older tools?

Would a check with warning for kernel < 4.12 help?

I see in the source code where the error is generated: https://github.com/latchset/clevis/blob/master/src/pins/tpm2/clevis-decrypt-tpm2

# New environment variable for tpm2-tools >= 3.1
echo "A TPM2 device with the in-kernel resource manager is needed!" >&2

I used the package manager to install these tools, but would clevis work if I reduced the version of my tpm2-tools?

Could I trick clevis into using tpm2-abrmd (does clevis use it?), or ditch clevis and do what clevis does on my own manually with a start script to decrypt a LUKS key from the TPM2?

Thank you again.

ackerman76 avatar Oct 21 '19 15:10 ackerman76

Would a check with warning for kernel < 4.12 help?

No, because it's entirely possible to backport a feature to older kernels. It's better to test for the interface.

superm1 avatar Nov 20 '19 17:11 superm1

No, because it's entirely possible to backport a feature to older kernels. It's better to test for the interface.

Agreed, and that's why the clevis tpm2 pin tests whether a /dev/tpmrm? character device is present.

@ackerman76 the reason why clevis uses the in-kernel resource manager instead of the user-space tpm2-abrmd is that the latter is a D-Bus daemon. But clevis can be run in the initramfs where there isn't a D-Bus system bus, so the only option is to use the in-kernel resource manager in that case.

martinezjavier avatar Nov 20 '19 17:11 martinezjavier
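The distinction drawn in the two replies above, testing for the interface rather than the kernel version, as an added illustration that is not clevis's own code: `has_tpmrm` looks for a `tpmrm<N>` character device the way the thread describes, while `kernel_at_least_4_12` is the version comparison the reporter proposed, included only to show what it cannot see (a backported tpmrm on an older kernel, or a 4.12+ kernel built without it). The device directory parameter and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: interface-based detection of the in-kernel TPM2 resource
# manager versus a kernel-version check. Not clevis's own code.
# Assumption: tpmrm devices appear as <dev_dir>/tpmrm<N>; dev_dir defaults to /dev.

# Return 0 if at least one tpmrm<N> *character device* exists in dev_dir.
# A regular file with that name does not count, which mirrors a real
# initramfs where /dev is populated by the kernel/udev, not by scripts.
has_tpmrm() {
    dir="${1:-/dev}"
    for dev in "$dir"/tpmrm[0-9]*; do
        [ -c "$dev" ] && return 0
    done
    return 1
}

# Version check the reporter suggested, for contrast only.
# Takes a uname -r style string (e.g. "4.4.189-rt186"); defaults to the
# running kernel. It says nothing about whether tpmrm is actually present.
kernel_at_least_4_12() {
    ver="${1:-$(uname -r)}"
    major="${ver%%.*}"          # "4"
    rest="${ver#*.}"            # "4.189-rt186"
    minor="${rest%%[!0-9]*}"    # "4" (stop at first non-digit)
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 12 ]; }
}

# Stand-alone behaviour: report the same condition clevis reports, but
# derived from the device node, so a backported tpmrm is accepted and a
# 4.12+ kernel lacking the node is still rejected.
if has_tpmrm "${DEV_DIR:-/dev}"; then
    echo "in-kernel TPM2 resource manager found under ${DEV_DIR:-/dev}"
else
    echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
fi
```

Run it as-is on a host to see which branch the device check takes; set `DEV_DIR` to point at another directory when experimenting in a chroot or an unpacked initramfs.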

We are using 4.4.189-rt186. There is no in-kernel resource manager until 4.12.

These emulators will be in a lab with no keyboard, video, or mouse, and must restart with automatic unlock.

I'll be reinstalling all without disk encryption because there is no point. I thought maybe in the initramfs I could unseal my own key from the TPM 2 chip, but I got 99 problems and they are all Linux!

ackerman76 avatar Nov 22 '19 07:11 ackerman76