#27 Upgrade systemd to minimum 248 and support LUKS with TPM2, FIDO2 and PKCS#11 Security
Closed: Completed 2 years ago by lkocman. Opened 2 years ago by olivpass.


Thank you Oliver, we'll go through this request on our Monday review meeting https://en.opensuse.org/Feature_Planning_15.4#Feature_review_meeting

The current plan is to update systemd to at least 249. This has already been approved by Product Management, and we're waiting on TPM.

Metadata Update from @lkocman:
- Custom field SUSE Jira adjusted to https://jira.suse.com/browse/OPENSUSE-48
- Issue assigned to lkocman
- Issue set to the milestone: 15.4
- Issue tagged with: SLE, SLE-Accept-Pending

2 years ago

I have also filed this as features for SLES 15 SP4 in parallel.

systemd 249 has been submitted and accepted in SUSE:SLE-15-SP4:GA. Moving to done.

Metadata Update from @lkocman:
- Issue untagged with: SLE-Accept-Pending
- Issue tagged with: SLE-Accepted

2 years ago

Metadata Update from @lkocman:
- Custom field SUSE Jira reset (from https://jira.suse.com/browse/OPENSUSE-48)
- Issue close_status updated to: Completed
- Issue status updated to: Closed (was: Open)

2 years ago

For your information, on openSUSE 15.4 Beta LUKS with TPM2 is working:

Check for LUKS2:

cryptsetup luksDump /dev/disk/by-uuid/c6b66364-f929-4497-bc67-4bb07dc04ec5 | grep -A1 "^LUKS"
LUKS header information
Version:       2

Activate:

# zypper in tpm2.0-tools
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/disk/by-uuid/$UUID
Please enter current passphrase for disk /dev/disk/by-uuid/c6b66364-f929-4497-bc67-4bb07dc04ec5: **************          
New TPM2 token enrolled as key slot 1.
# cat /etc/crypttab 
cr_nvme-KXG70PNV2T04_NVMe_KIOXIA_2048GB_81KC30AJEN34-part3  UUID=c6b66364-f929-4497-bc67-4bb07dc04ec5  none  x-initrd.attach,tpm2-device=auto
# mkinitrd

Reboot and check:

# journalctl -u systemd-cryptsetup@cr_nvme\\x2dKXG70PNV2T04_NVMe_KIOXIA_2048GB_81KC30AJEN34\\x2dpart3.service
-- Boot 0945d3e792ad4b5684f23d77bd8c182d --
... systemd[1]: Starting Cryptography Setup for cr_nvme-KXG70PNV2T04_NVMe_KIOXIA_2048GB_81KC30AJEN34-part3...
... systemd-cryptsetup[676]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/c6b66364-f929-4497-bc67-4bb07dc04ec5.
... systemd-cryptsetup[676]: Automatically discovered security TPM2 token unlocks volume.

Thank you for supporting this.
Oliver
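
The three manual checks in the comment above (LUKS2 header, `tpm2-device=` in `/etc/crypttab`, TPM2 unlock message in the journal) can be scripted as read-only parsers; this is an added example, not part of the ticket. Volume names, UUIDs and boot IDs in the samples are constructed, and on a real system each function would be fed the actual file or command output on stdin.

```shell
#!/bin/sh
# Added example: offline checks for the TPM2 unlock setup from this ticket.
# Volume names, UUIDs and boot IDs in the samples are constructed placeholders.

# stdin: `cryptsetup luksDump` output. Succeeds only for a LUKS2 header.
is_luks2() {
    awk '/^LUKS header information/ { hdr = 1; next }
         hdr && $1 == "Version:" { v2 = ($2 == "2"); exit }
         END { exit (v2 ? 0 : 1) }'
}

# stdin: crypttab text. Prints "<name> tpm2" or "<name> passphrase-only"
# depending on whether the options field (4th) carries tpm2-device=.
crypttab_tpm2_status() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { state = "passphrase-only"
           n = split($4, opt, ",")
           for (i = 1; i <= n; i++) if (opt[i] ~ /^tpm2-device=/) state = "tpm2"
           print $1, state }'
}

# stdin: journalctl output for the systemd-cryptsetup@ unit. Succeeds only if
# the most recent boot section logged the TPM2 token unlock message.
last_boot_used_tpm2() {
    awk '/^-- Boot / { ok = 0; next }
         /systemd-cryptsetup\[[0-9]+\]: .*TPM2 token unlocks volume/ { ok = 1 }
         END { exit (ok ? 0 : 1) }'
}

SAMPLE_DUMP='LUKS header information
Version:       2'

SAMPLE_CRYPTTAB='# constructed sample
cr_root  UUID=00000000-0000-0000-0000-000000000001  none  x-initrd.attach,tpm2-device=auto
cr_home  UUID=00000000-0000-0000-0000-000000000002  none  x-initrd.attach'

SAMPLE_JOURNAL='-- Boot aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --
... systemd-cryptsetup[676]: Automatically discovered security TPM2 token unlocks volume.
-- Boot bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb --
... systemd-cryptsetup[681]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/00000000-0000-0000-0000-000000000001.'

printf '%s\n' "$SAMPLE_DUMP" | is_luks2 && echo "header: LUKS2"
printf '%s\n' "$SAMPLE_CRYPTTAB" | crypttab_tpm2_status
if printf '%s\n' "$SAMPLE_JOURNAL" | last_boot_used_tpm2; then
    echo "last boot: unlocked via TPM2 token"
else
    echo "last boot: no TPM2 unlock message, check for passphrase fallback"
fi
```

The journal check only looks at the newest boot section, so a boot where the token line is absent is reported even if earlier boots unlocked through the TPM.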
