Debian 11 - no autoboot after kernel upgrade
eglyn opened this issue · 4 comments
Hi all,
Clevis works fine on my Debian 11 with kernel 5.10 and TPM2. I just installed:
clevis, clevis-tpm2, clevis-luks, clevis-initramfs
and launched this command: clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256", "pcr_ids":"10,11"}'
and everything was fine.
But I had to upgrade the kernel for a driver issue (--> kernel 6.1), and now unlock does not work anymore :/
I tried to follow the whole procedure again, but it did not work :(
Any idea?
Try to re-key the slot. PCR 11 extends the kernel image.
I tried this:
clevis luks unbind -d /dev/nvme0n1p3 -s 1 tpm2
clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256", "pcr_ids":"0,1,2,3,4,5,6,7"}'
But it does not work :'(
The command clevis luks list -d /dev/nvme0n1p3 tpm2 says:
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,6,7"}'
Everything seems ok, but autoboot does not work :'(
- Make sure you are binding to a meaningful set of PCRs; check
  sudo tpm2_pcrread
  before and after reboot.
- Do a test bind:
  sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha1","pcr_ids":"0"}'
- Confirm there is a 2nd LUKS keyslot:
  sudo cryptsetup luksDump /dev/nvme0n1p3
- Reboot, regenerate the binding:
  sudo clevis luks regen -d /dev/nvme0n1p3 -s 1
- Test that Clevis can unlock the disk:
  sudo clevis luks pass -d /dev/nvme0n1p3 -s 1
- Reboot again and see if LUKS is unlocked automatically.
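The first step above (compare tpm2_pcrread output before and after a reboot) is the one that explains the opener's original failure: the binding was sealed to PCRs 10 and 11, and a kernel change alters at least one of them, so the TPM refuses to unseal. The following helper is an added example, not code from the issue thread or from the Clevis project: it parses two tpm2_pcrread captures, lists the PCRs of one bank whose values differ, and checks whether a binding's pcr_ids includes any of them. The two captures and their hex values are constructed samples; the only assumption for live use is that tpm2-tools is installed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the issue thread or the Clevis project):
# compare two tpm2_pcrread captures, report which PCRs in a bank changed, and
# check whether a Clevis binding's pcr_ids overlaps the changed set.
# The captures below are constructed; the hex values are placeholders.

PCRS_BEFORE='  sha1:
    0 : 0x1111
    11: 0x2222
  sha256:
    0 : 0xAAAA
    1 : 0xBBBB
    7 : 0xCCCC
    10: 0xDDDD
    11: 0xEEEE'

# Same machine after a kernel upgrade: sha256 PCR 11 differs (and sha1 PCR 0,
# which is in a bank we are not binding to).
PCRS_AFTER='  sha1:
    0 : 0x9999
    11: 0x2222
  sha256:
    0 : 0xAAAA
    1 : 0xBBBB
    7 : 0xCCCC
    10: 0xDDDD
    11: 0xFFFF'

# pcr_lines CAPTURE BANK: print "index value" for every PCR of BANK in CAPTURE.
# tpm2_pcrread prints a "  <bank>:" header followed by "    <idx>: 0x<hex>" lines.
pcr_lines() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*sha[0-9]+:[[:space:]]*$/ {
            b = $1; sub(/:$/, "", b); inbank = (b == want); next
        }
        inbank && /^[[:space:]]*[0-9]+[[:space:]]*:[[:space:]]*0x/ {
            split($0, f, ":"); idx = f[1]; val = f[2]
            gsub(/[[:space:]]/, "", idx); gsub(/[[:space:]]/, "", val)
            print idx, val
        }'
}

# changed_pcrs BEFORE AFTER BANK: comma-separated PCR indices whose value
# differs between the two captures (same syntax clevis uses for pcr_ids).
changed_pcrs() {
    { pcr_lines "$1" "$3"; echo '---'; pcr_lines "$2" "$3"; } | awk '
        $0 == "---" { second = 1; next }
        !second     { before[$1] = $2; next }
        ($1 in before) && before[$1] != $2 { out = out (out ? "," : "") $1 }
        END { print out }'
}

# bound_pcrs_changed PCR_IDS CHANGED: the bound PCRs that are in CHANGED.
# Empty output means the sealed policy still matches the current PCR state.
bound_pcrs_changed() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v changed=",$2," '
        index(changed, "," $0 ",") { out = out (out ? "," : "") $0 }
        END { print out }'
}

# Demonstration on the constructed captures: the original binding used
# pcr_ids "10,11"; PCR 11 changed with the kernel, so that slot cannot unseal.
CHANGED=$(changed_pcrs "$PCRS_BEFORE" "$PCRS_AFTER" sha256)
printf 'changed sha256 PCRs: %s\n' "$CHANGED"
printf 'bound PCRs affected: %s\n' "$(bound_pcrs_changed 10,11 "$CHANGED")"

# Live use (assumes tpm2-tools is installed; run as root):
#   tpm2_pcrread > /var/tmp/pcrs-before.txt        # before the reboot / upgrade
#   changed_pcrs "$(cat /var/tmp/pcrs-before.txt)" "$(tpm2_pcrread)" sha256
```

Run it once before and once after the reboot that follows a kernel or firmware update; any PCR it reports that also appears in the binding's pcr_ids is a slot that will need clevis luks regen (or a rebind) before automatic unlock works again.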
I tried:
1: OK, but for my laptop I have only sha256, no sha1.
2: I changed sha1 --> sha256: OK.
3: There is a second keyslot for Clevis.
4: After the reboot, auto unlock worked... but I have to wait about 10s before the key is filled in automatically...
The main difference I see from the old kernel is that I get some firmware warnings and firmware errors (not fixed by Intel for now, i915) before the prompt asking for the key. Maybe I have a timing issue?