
xanmod 5.19 breaks systemd-cryptenroll / tpm support

Open simontretter opened this issue 1 year ago • 4 comments

Both the default Arch kernels 5.18.x, 5.19.x and Xanmod 5.18.x reliably can take their LUKS secret from the tpm2 chip after it is enrolled with systemd-cryptenroll.

However Xanmod 5.19 breaks this functionality (same config as the working 5.18) with fallback on having to enter the passphrase (if there is one stored in a LUKS slot).

Not sure where to look for useful debug info.

simontretter avatar Sep 09 '22 14:09 simontretter

To confirm, could you build a kernel with CONFIG_KEXEC_PURGATORY_SKIP_SIG disabled?

xanmod avatar Sep 11 '22 03:09 xanmod

Thank you for your attention to this issue.

grep CONFIG_KEXEC_PURGATORY_SKIP_SIG ~/.config/linux-xanmod/myconfig
9:scripts/config --disable CONFIG_KEXEC_PURGATORY_SKIP_SIG

grep CONFIG_KEXEC_PURGATORY_SKIP_SIG ~/.cache/yay/linux-xanmod/config.last
509:# CONFIG_KEXEC_PURGATORY_SKIP_SIG is not set

Same issue with this option disabled, dracut/luks fail to take the secret from tpm.

simontretter avatar Sep 11 '22 09:09 simontretter

Send /var/log/kern.log, syslog and dmesg > dmesg.log from arch and xanmod 5.19.

xanmod avatar Sep 11 '22 16:09 xanmod

Here's the dmesg and journalctl -b for both Arch and Xanmod 5.19.9. dmesg.arch.txt dmesg.xanmod.txt journal.arch.txt journal.xanmod.txt

simontretter avatar Sep 19 '22 08:09 simontretter

Found the issue. xanmod enabled 'CONFIG_IMA' which is disabled on other kernels. Disabling 'CONFIG_IMA' fixes the issue for me.

simontretter avatar Oct 04 '22 12:10 simontretter
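The grep-based config check used in this thread, generalized into a small helper: an added example, not code from the issue or from the xanmod project. It reports the state of the two options discussed here (CONFIG_IMA and CONFIG_KEXEC_PURGATORY_SKIP_SIG) in a kernel .config and treats CONFIG_IMA being off as the configuration the reporter found to work; the sample config text at the bottom is constructed.

```shell
#!/bin/sh
# Added example: inspect a kernel .config for the options this thread found
# relevant to systemd-cryptenroll TPM2 unlocking. Works on any .config file,
# e.g. one produced with: zcat /proc/config.gz > running.config

# kconfig_state FILE OPTION
# Prints y (built in), m (module), n (explicitly "is not set") or absent.
kconfig_state() {
    ks_file="$1"
    ks_opt="$2"
    if grep -qxF "${ks_opt}=y" "$ks_file"; then
        echo y
    elif grep -qxF "${ks_opt}=m" "$ks_file"; then
        echo m
    elif grep -qxF "# ${ks_opt} is not set" "$ks_file"; then
        echo n
    else
        echo absent
    fi
}

# check_tpm_unlock_config FILE
# Prints the state of each option and returns 0 when CONFIG_IMA is off
# (the working configuration reported in this thread), 1 when it is enabled.
check_tpm_unlock_config() {
    ct_file="$1"
    for ct_opt in CONFIG_IMA CONFIG_KEXEC_PURGATORY_SKIP_SIG; do
        printf '%s=%s\n' "$ct_opt" "$(kconfig_state "$ct_file" "$ct_opt")"
    done
    case "$(kconfig_state "$ct_file" CONFIG_IMA)" in
        y|m) return 1 ;;
        *)   return 0 ;;
    esac
}

# Constructed sample resembling the reporter's xanmod 5.19 configuration.
sample_cfg="$(mktemp)"
printf 'CONFIG_IMA=y\n# CONFIG_KEXEC_PURGATORY_SKIP_SIG is not set\n' > "$sample_cfg"
if check_tpm_unlock_config "$sample_cfg"; then
    echo "CONFIG_IMA is off: matches the configuration reported to work"
else
    echo "CONFIG_IMA is on: matches the configuration reported to break TPM2 unlock"
fi
rm -f "$sample_cfg"
```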