
clevis in dracut does not run without manually specifying LUKS device

Open hexchain opened this issue 5 years ago • 0 comments

Hi,

I'm trying to let clevis automatically unlock my root partition with TPM2 on boot. My current setup is:

OS: Arch Linux, upgraded to the latest

Disk layout:

% lsblk /dev/nvme0n1
NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
nvme0n1     259:0    0   477G  0 disk  
├─nvme0n1p1 259:1    0   512M  0 part  /boot
└─nvme0n1p2 259:2    0 476.4G  0 part  
  └─root    254:0    0 476.4G  0 crypt /

LUKS:

% sudo cryptsetup luksDump /dev/nvme0n1p2
LUKS header information
Version:       	2
...

Data segments:
  0: crypt
	...

Keyslots:
  0: luks2
        ...
  1: luks2
        ...
Tokens:
  0: clevis
	Keyslot:  1
Digests:
  ...

dracut configurations:

% cat /etc/dracut.conf.d/*.conf
compress="lz4"
hostonly=yes
hostonly_cmdline=no
add_drivers+=" i915"
early_microcode="no"
omit_dracutmodules+=" bootchart clevis-pin-sss clevis-pin-tang dash dmsquash-live-ntfs multipath stratis cifs fcoe fcoe-uefi iscsi nbd nfs btrfs dmraid lvm mdraid lunmask qemu-net network kernel-network-modules"
uefi_stub="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"

kernel command line:

% cat /proc/cmdline            
initrd=\intel-ucode.img initrd=\initramfs-linux-zen.img rw systemd.unified_cgroup_hierarchy resume=/dev/mapper/root resume_offset=24977408 intel_iommu=on mitigations=off pcie_aspm=force mem_sleep_default=deep crashkernel=512M

However, it looks like dracut does not even call clevis unless I supply an rd.luks.uuid parameter in the kernel cmdline.

Is this behavior intended, or is this a bug?

hexchain, Mar 16 '20 14:03
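A preflight check for the situation described in the report, written here as an added example; it is not code from the issue reporter nor from the clevis or dracut projects. In my reading of dracut's crypt module, the initramfs only activates LUKS devices it is told about through rd.luks.uuid (or every LUKS device when rd.auto is set), and with hostonly_cmdline=no, as in the configuration above, dracut does not bake that parameter into the image, so it has to appear on the kernel command line. The script parses `cryptsetup luksDump` output for clevis tokens and compares the header UUID against the rd.luks.uuid entries on the command line, then prints the parameter to add when it is missing. The device path, the sample dump and its UUID are constructed placeholders; the sample command line is the one quoted in the issue.

```shell
#!/bin/sh
# Added example: check that the LUKS device carrying a clevis token is named
# on the kernel command line via rd.luks.uuid. Functions take text as input so
# they can be run on captured output as well as on a live system.

# List the UUIDs given as rd.luks.uuid=... on a kernel command line
# (the optional "luks-" prefix is stripped).
cmdline_luks_uuids() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^rd\.luks\.uuid=//p' | sed 's/^luks-//'
}

# Read the header UUID out of "cryptsetup luksDump" output.
dump_uuid() {
    printf '%s\n' "$1" | awk '/^UUID:/ { print $2; exit }'
}

# From luksDump output, print the keyslot number(s) bound to clevis tokens.
clevis_keyslots() {
    printf '%s\n' "$1" | awk '
        /^Tokens:/                           { in_tokens = 1; next }
        /^[A-Za-z]/                          { in_tokens = 0 }
        in_tokens && /^ *[0-9]+: clevis/     { is_clevis = 1; next }
        in_tokens && /^ *[0-9]+:/            { is_clevis = 0 }
        in_tokens && is_clevis && /Keyslot:/ { print $2 }
    '
}

# Return 0 if UUID $1 appears in rd.luks.uuid on command line $2, else 1.
device_named_on_cmdline() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for have in $(cmdline_luks_uuids "$2"); do
        [ "$(printf '%s' "$have" | tr 'A-F' 'a-f')" = "$want" ] && return 0
    done
    return 1
}

# The parameter to add when the check fails.
suggest_param() {
    printf 'rd.luks.uuid=luks-%s\n' "$1"
}

# Live check, e.g. check_device /dev/nvme0n1p2 (luksDump needs root).
check_device() {
    dump=$(cryptsetup luksDump "$1") || return 2
    uuid=$(dump_uuid "$dump")
    slots=$(clevis_keyslots "$dump")
    [ -n "$slots" ] || { echo "$1: no clevis token bound"; return 1; }
    if device_named_on_cmdline "$uuid" "$(cat /proc/cmdline)"; then
        echo "$1: clevis keyslot(s) $slots, rd.luks.uuid present"
    else
        echo "$1: clevis keyslot(s) $slots, but cmdline lacks $(suggest_param "$uuid")"
        return 1
    fi
}

# Constructed sample mirroring the report: a clevis token in keyslot 1 and a
# command line with no rd.luks.uuid entry. The UUID is a placeholder.
SAMPLE_DUMP=$(cat <<'EOF'
LUKS header information
Version:       	2
UUID:          	00000000-1111-2222-3333-444444444444
Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: clevis
	Keyslot:  1
Digests:
  0: pbkdf2
EOF
)
SAMPLE_CMDLINE='initrd=\intel-ucode.img initrd=\initramfs-linux-zen.img rw resume=/dev/mapper/root crashkernel=512M'

# Only touch a real device when one is given on the command line.
[ $# -eq 0 ] || check_device "$1"
```

Running `sh check.sh /dev/nvme0n1p2` on the reporter's layout would report the clevis keyslot and the missing `rd.luks.uuid=luks-<UUID>` parameter; once that parameter is on the kernel command line (or hostonly_cmdline is enabled so dracut writes it into the image), the check passes.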