xanmod 5.19 breaks systemd-cryptenroll / tpm support
Both the default Arch kernels 5.18.x, 5.19.x and Xanmod 5.18.x can reliably take their LUKS secret from the tpm2 chip after it is enrolled with systemd-cryptenroll.
However, Xanmod 5.19 breaks this functionality (same config as the working 5.18), with a fallback to having to enter the passphrase (if there is one stored in a LUKS slot).
Not sure where to look for useful debug info.
To confirm, could you build a kernel with CONFIG_KEXEC_PURGATORY_SKIP_SIG disabled?
Thank you for your attention to this issue.
grep CONFIG_KEXEC_PURGATORY_SKIP_SIG ~/.config/linux-xanmod/myconfig
9:scripts/config --disable CONFIG_KEXEC_PURGATORY_SKIP_SIG
grep CONFIG_KEXEC_PURGATORY_SKIP_SIG ~/.cache/yay/linux-xanmod/config.last
509:# CONFIG_KEXEC_PURGATORY_SKIP_SIG is not set
Same issue with this option disabled, dracut/luks fail to take the secret from tpm.
Send /var/log/kern.log, syslog and dmesg > dmesg.log from Arch and Xanmod 5.19.
Here's the dmesg and journalctl -b for both Arch and Xanmod 5.19.9. dmesg.arch.txt dmesg.xanmod.txt journal.arch.txt journal.xanmod.txt
Found the issue. Xanmod enabled 'CONFIG_IMA', which is disabled on other kernels. Disabling 'CONFIG_IMA' fixes the issue for me.
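
The config comparison that located the difference, as an added example that is not part of the original thread: it lists TPM, IMA and integrity options whose values differ between a working and a broken kernel config. The function names, the default pattern and the sample config lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report kernel config options that differ
# between a working and a broken kernel, limited to TPM/IMA/integrity options.

# Print a config as sorted NAME=value lines; "# CONFIG_X is not set" becomes CONFIG_X=n.
normalize_config() {
    sed -n \
        -e 's/^# \(CONFIG_[A-Za-z0-9_]*\) is not set$/\1=n/p' \
        -e 's/^\(CONFIG_[A-Za-z0-9_]*=.*\)$/\1/p' "$1" | sort
}

# config_diff WORKING BROKEN [PATTERN]
# PATTERN is an awk regex matched against the option name plus a trailing "_".
# Options missing from one file are shown as "unset".
config_diff() {
    pattern=${3:-'_(IMA|TPM|INTEGRITY|EVM)_'}
    a=$(mktemp) b=$(mktemp)
    normalize_config "$1" > "$a"
    normalize_config "$2" > "$b"
    awk -F= -v pat="$pattern" '
        { v = substr($0, length($1) + 2) }
        FILENAME == ARGV[1] { w[$1] = v; names[$1]; next }
        { x[$1] = v; names[$1] }
        END {
            for (k in names) {
                if ((k "_") !~ pat) continue
                wv = (k in w) ? w[k] : "unset"
                xv = (k in x) ? x[k] : "unset"
                if (wv != xv) print k, "working=" wv, "broken=" xv
            }
        }' "$a" "$b" | sort
    rm -f "$a" "$b"
}

# Constructed sample configs (not the reporter's real files).
demo_config_diff() {
    w=$(mktemp) x=$(mktemp)
    printf '%s\n' 'CONFIG_TCG_TPM=y' '# CONFIG_IMA is not set' \
        'CONFIG_INTEGRITY=y' > "$w"
    printf '%s\n' 'CONFIG_TCG_TPM=y' 'CONFIG_IMA=y' \
        'CONFIG_IMA_MEASURE_PCR_IDX=10' 'CONFIG_INTEGRITY=y' > "$x"
    config_diff "$w" "$x"
    rm -f "$w" "$x"
}

demo_config_diff
```

For real kernels, pass the two config files directly, for example the output of `zcat /proc/config.gz` saved from each booted kernel.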