This page describes the possibilities:
http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
Thank you, Oliver. We'll go through this request at our Monday review meeting: https://en.opensuse.org/Feature_Planning_15.4#Feature_review_meeting
The current plan is to update systemd to at least 249. This has already been approved by Product Management, and we're waiting on TPM.
Metadata Update from @lkocman:
- Custom field SUSE Jira adjusted to https://jira.suse.com/browse/OPENSUSE-48
- Issue assigned to lkocman
- Issue set to the milestone: 15.4
- Issue tagged with: SLE, SLE-Accept-Pending
I have also filed this as a feature for SLES 15 SP4 in parallel.
systemd 249 has been submitted and accepted in SUSE:SLE-15-SP4:GA. Moving to done.
Metadata Update from @lkocman:
- Issue untagged with: SLE-Accept-Pending
- Issue tagged with: SLE-Accepted
Metadata Update from @lkocman:
- Custom field SUSE Jira reset (from https://jira.suse.com/browse/OPENSUSE-48)
- Issue close_status updated to: Completed
- Issue status updated to: Closed (was: Open)
For your information: on openSUSE 15.4 Beta, LUKS with TPM2 is working.
Check for LUKS2:
    cryptsetup luksDump /dev/disk/by-uuid/c6b66364-f929-4497-bc67-4bb07dc04ec5 | grep -A1 "^LUKS"
    LUKS header information
    Version:        2
Activate:
    # zypper in tpm2.0-tools
    # systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/disk/by-uuid/$UUID
    Please enter current passphrase for disk /dev/disk/by-uuid/c6b66364-f929-4497-bc67-4bb07dc04ec5: **************
    New TPM2 token enrolled as key slot 1.
    # cat /etc/crypttab
    cr_nvme-KXG70PNV2T04_NVMe_KIOXIA_2048GB_81KC30AJEN34-part3 UUID=c6b66364-f929-4497-bc67-4bb07dc04ec5 none x-initrd.attach,tpm2-device=auto
    # mkinitrd
Reboot and check:
    # journalctl -u systemd-cryptsetup@cr_nvme\\x2dKXG70PNV2T04_NVMe_KIOXIA_2048GB_81KC30AJEN34\\x2dpart3.service
    -- Boot 0945d3e792ad4b5684f23d77bd8c182d --
    ... systemd[1]: Starting Cryptography Setup for cr_nvme-KXG70PNV2T04_NVMe_KIOXIA_2048GB_81KC30AJEN34-part3...
    ... systemd-cryptsetup[676]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/c6b66364-f929-4497-bc67-4bb07dc04ec5.
    ... systemd-cryptsetup[676]: Automatically discovered security TPM2 token unlocks volume.
Thank you for supporting this. Oliver
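Added here as a post-enrollment sanity check, not part of the ticket or of systemd: a POSIX shell snippet that parses `cryptsetup luksDump` output and an /etc/crypttab line to confirm the header is LUKS2, that a systemd-tpm2 token is present, which PCRs it is bound to (PCR 7 in the procedure above), and that crypttab requests TPM2 unlock in the initrd. The sample dump and crypttab line are constructed, and the luksDump token field names are assumed to match what systemd 249's systemd-cryptenroll writes.

```shell
# Constructed sample of `cryptsetup luksDump` output for a LUKS2 volume with a
# systemd-tpm2 token bound to PCR 7 (assumption: field names as luksDump
# prints them for a token written by systemd 249's systemd-cryptenroll).
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-pcrs:  7
        tpm2-bank:  sha256
        Keyslot:    1'

# Constructed /etc/crypttab line in the shape used in the comment above.
SAMPLE_CRYPTTAB='cr_root UUID=00000000-0000-0000-0000-000000000000 none x-initrd.attach,tpm2-device=auto'

# Returns 0 only if the dump describes a LUKS2 header (LUKS1 cannot hold tokens).
luks_is_v2() {
    printf '%s\n' "$1" | awk '/^Version:/ { v = $2 } END { if (v == "2") exit 0; exit 1 }'
}

# Prints the PCR list of the first systemd-tpm2 token, or nothing if there is none.
tpm2_token_pcrs() {
    printf '%s\n' "$1" | awk '
        /^Tokens:/                           { in_tokens = 1; next }
        in_tokens && /^  [0-9]+: /           { in_tpm2 = ($2 == "systemd-tpm2"); next }
        in_tokens && in_tpm2 && /tpm2-pcrs:/ { sub(/.*tpm2-pcrs:[ \t]*/, ""); print; exit }'
}

# Returns 0 only if the crypttab line asks for TPM2 unlock and initrd attachment.
crypttab_uses_tpm2() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    case ",$opts," in *,tpm2-device=*,*) ;; *) return 1 ;; esac
    case ",$opts," in *,x-initrd.attach,*) return 0 ;; *) return 1 ;; esac
}

# Combined verdict: 0 only when every check passes; explains the first failure.
verify_tpm2_enrollment() {
    luks_is_v2 "$1" || { echo "header is not LUKS2"; return 1; }
    pcrs=$(tpm2_token_pcrs "$1")
    [ -n "$pcrs" ] || { echo "no systemd-tpm2 token in header"; return 1; }
    crypttab_uses_tpm2 "$2" || { echo "crypttab lacks tpm2-device=/x-initrd.attach"; return 1; }
    echo "LUKS2 with systemd-tpm2 token bound to PCR(s) $pcrs; crypttab OK"
}
```

On a real system, feed it `cryptsetup luksDump <device>` output and the matching crypttab line instead of the constructed samples.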