initramfs hook needs minor modifications for Ubuntu 20
Hello,
I have found this tool extremely useful, especially since it is significantly more user-friendly than dealing with tpm2-tools.
However, I found that I had to modify your Readme instructions some to get it to work in initramfs on Ubuntu 20.
- The recommended Ubuntu hook location is "/etc/initramfs-tools/", not "/etc/initramfs"
- I used "/usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0" instead of "/usr/bin/x86_64-linux-gnu/libtss2-tcti-device.so.0.0.0"
- Copying the symlink does also copy the regular file, but you could probably get away with the current one
- The major difference is the "lib" vs "bin" change.
If possible, you might consider talking to the Debian/Ubuntu packager about adding a post-install hook to automatically create the initramfs-tools hook. That way, the Ubuntu process would be as simple as install and use.
Edit:
If a hook is added via script, then it should go in '/usr/share/initramfs-tools/hooks'.
Another option, possibly done in addition to the hook, is to specifically make your program depend on "libtss2-tcti-device.so.0" in the "Dynamic Section". You can check that via objdump -p /usr/bin/tpm2-initramfs-tool. It seems that 'copy_exec' reads that information, so directly depending on it may allow things to "just work."
This solution has a major advantage. When "keyscript=..." is added to crypttab, and the hook is not in place, the file is automatically copied regardless! However, it obviously won't work without "libtss2-tcti-device.so.0", and the error message isn't informative.
Another way of looking at it is the program doesn't work out of the box, and the man page doesn't explain what's wrong either. Worse, because of the "helpful" behavior of the system, the program appears to have been copied correctly, but gives an extremely unhelpful error message.
Error added so others can Google and fix the issue:
If you are seeing this error during boot:
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:248:tctildr_get_default() No standard TCTI could be loaded
ERROR:tcti:src/tss2-tcti/tctildr.c:418:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
ERROR:esys:src/tss2-esys/esys_context.c:69:Esys_Initialize() Initialize default tcti. ErrorCode (0x000a000a)
ERROR in pcr_unseal (src/libtpm2-initramfs-tool.c:387): 0x000a000a
You can fix it by creating "/etc/initramfs-tools/hooks/tpm2-initramfs-tool" with the contents:
#!/bin/sh
# the hook must be executable; initramfs-tools first calls it with "prereqs" (none here)
case "$1" in prereqs) exit 0 ;; esac
. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0
copy_exec /usr/bin/tpm2-initramfs-tool
Then run sudo update-initramfs -u
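An added check script (not part of tpm2-initramfs-tool or of the original post) that makes the failure above visible before a reboot: it lists the NEEDED entries that copy_exec follows and reports which required files are missing from a built image, including the TCTI module that tctildr loads with dlopen() and that therefore never appears in the dynamic section. It assumes objdump (binutils) and lsinitramfs (initramfs-tools) are installed and that the tool lives at /usr/bin/tpm2-initramfs-tool.

```shell
#!/bin/sh
# Added check script (not part of tpm2-initramfs-tool): confirm that a built
# initramfs really contains the tool, its NEEDED libraries and the TCTI module.
set -u

TOOL=/usr/bin/tpm2-initramfs-tool
# tctildr loads the device TCTI with dlopen(), so it is absent from the ELF
# dynamic section and copy_exec's automatic dependency copying never sees it.
TCTI_LIB=libtss2-tcti-device.so.0

# Print the NEEDED entries of an ELF file (the dependencies copy_exec follows).
needed_libs() {
    objdump -p "$1" | awk '$1 == "NEEDED" { print $2 }'
}

# stdin: newline-separated file list of the image (lsinitramfs output).
# args:  basenames that must be present. Prints each missing name and
# returns the number of missing names (0 means the image is complete).
missing_from_list() {
    list=$(cat)
    missing=0
    for name in "$@"; do
        found=0
        for f in $list; do
            case "$f" in */"$name"|"$name") found=1 ;; esac
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Check a real image (default: the running kernel's initrd).
# Example: check_image /boot/initrd.img-5.4.0-generic
check_image() {
    image=${1:-/boot/initrd.img-$(uname -r)}
    # NEEDED names are meant to be word-split into separate arguments here
    set -- "${TOOL##*/}" "$TCTI_LIB" $(needed_libs "$TOOL")
    lsinitramfs "$image" | missing_from_list "$@"
}
```

Run check_image after update-initramfs -u; a non-zero exit with "libtss2-tcti-device.so.0" printed is exactly the state that produces the "No standard TCTI could be loaded" error at boot.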
Thanks for the valuable feedback! I've updated the README with the commit e6682e4 based on what you have mentioned. I will find some time to work on the Debian package part, and a PR would be more than welcome when you find anything that may help.