
Handle multiple rd.luks.name parameters #124

Closed
ht990332 opened this issue Jan 11, 2022 · 28 comments

Comments

ht990332 commented Jan 11, 2022

my systemd-boot file.

title Arch Linux
linux /vmlinuz-linux-lts
initrd /intel-ucode.img
initrd /booster-lts.img
options rd.luks.name=ab6d7d78-b816-4495-928d-766d6607035e=root rd.luks.name=7843d77f-cdd6-4289-a4de-a708c4aacede=swap rd.luks.name=7f28c723-fd6b-4640-bc94-9366edd8880d=cache root=UUID=e8e81fc3-8f81-4a3a-ac3d-aab36aa0c45f video=efifb:on add_efi_memmap zswap.enabled=1 zswap.max_pool_percent=100 zswap.zpool=z3fold resume=/dev/mapper/swap acpi=copy_dsdt rd.luks.options=tpm2-device=auto

I get unknown value in rd.luks.options=tpm2-device=auto.

anatol (Owner) commented Jan 11, 2022

See man booster: it does not support the tpm2-device=auto option. Instead booster tries to detect a TPM2 device automatically.

ht990332 (Author) commented:

Thank you. I booted without that and with booster.debug=1. It is now stalling.

anatol (Owner) commented Jan 11, 2022

I do not see the image content unfortunately.

But if you use ZFS for the root partition then it won't work due to #33

ht990332 (Author) commented:

I use ext4.

ht990332 (Author) posted a screenshot (image not preserved).
anatol (Owner) commented Jan 11, 2022

Booster expects a partition with UUID=e8e81fc3-8f81-4a3a-ac3d-aab36aa0c45f. But per your screenshot there is no such partition. Hence the boot process is stuck.

anatol (Owner) commented Jan 11, 2022

And also booster was able to unlock the partition using the systemd-tpm2 token.

ht990332 (Author) commented:

If I boot with the mkinitcpio initramfs image,

$ blkid /dev/mapper/root
/dev/mapper/root: LABEL="root" UUID="e8e81fc3-8f81-4a3a-ac3d-aab36aa0c45f" BLOCK_SIZE="4096" TYPE="ext4"

ht990332 (Author) commented:

dm-2 which is /dev/mapper/root is the root partition.
Is it only creating dm-0 and stopping there?

anatol (Owner) commented Jan 11, 2022

I do not have the full log but per the image above it unlocks at least 2 devices.

What is the output of lsblk at your booted machine?

ht990332 (Author) commented Jan 11, 2022

$ lsblk
NAME      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda         8:0    0 931.5G  0 disk  
├─sda1      8:1    0   512M  0 part  /boot
├─sda2      8:2    0    32G  0 part  
│ └─swap  254:1    0    32G  0 crypt [SWAP]
└─sda3      8:3    0   899G  0 part  
  └─root  254:2    0   899G  0 crypt /
sdb         8:16   0 931.5G  0 disk  
└─sdb1      8:17   0 931.5G  0 part  
  └─cache 254:0    0 931.5G  0 crypt /home/hussam/cache
sr0        11:0    1  1024M  0 rom   

anatol (Owner) commented Jan 11, 2022

I'm taking my words back. Only 1 luks partition is unlocked here. It comes from the fact that booster currently processes only 1 rd.luks.name parameter. This needs to be fixed.
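As an added example (not booster's own code), this Go parser shows the shape of the fix described here: every rd.luks.name entry on the kernel command line is collected into a slice instead of a single field that each later parameter would overwrite. ParseLuksCmdline and LuksMapping are names chosen for this example, the command line in main is constructed from the entry in this issue, and option values such as tpm2-device=auto are passed through without validation.

```go
package main

import (
	"fmt"
	"strings"
)

// LuksMapping is one rd.luks.name=<UUID>=<name> entry from the kernel command line.
type LuksMapping struct {
	UUID string
	Name string
}

// ParseLuksCmdline collects every rd.luks.name occurrence into a slice and returns
// the shared rd.luks.options value. Keeping a slice instead of a single field is
// the point: with one field each later parameter silently overwrites the earlier
// one, so only the last LUKS volume on the command line would be unlocked.
// Option values (e.g. tpm2-device=auto) are returned as-is, not validated.
func ParseLuksCmdline(cmdline string) ([]LuksMapping, string, error) {
	var mappings []LuksMapping
	var options string
	for _, field := range strings.Fields(cmdline) {
		key, value, found := strings.Cut(field, "=") // needs Go 1.18+
		if !found {
			continue // bare flags such as add_efi_memmap carry no value
		}
		switch key {
		case "rd.luks.name":
			uuid, name, ok := strings.Cut(value, "=")
			if !ok || uuid == "" || name == "" {
				return nil, "", fmt.Errorf("rd.luks.name: expected UUID=name, got %q", value)
			}
			mappings = append(mappings, LuksMapping{UUID: uuid, Name: name})
		case "rd.luks.options":
			options = value // keeps the inner '=' of values like tpm2-device=auto
		}
	}
	return mappings, options, nil
}

func main() {
	// Constructed command line in the shape of the systemd-boot entry in this issue.
	cmdline := "rd.luks.name=ab6d7d78-b816-4495-928d-766d6607035e=root " +
		"rd.luks.name=7843d77f-cdd6-4289-a4de-a708c4aacede=swap " +
		"root=UUID=e8e81fc3-8f81-4a3a-ac3d-aab36aa0c45f add_efi_memmap rd.luks.options=discard"
	m, opts, err := ParseLuksCmdline(cmdline)
	fmt.Println(m, opts, err)
}
```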

anatol changed the title from "unknown value in rd.luks.options=tpm2-device=auto" to "Handle multiple rd.luks.name parameters" on Jan 11, 2022

anatol (Owner) commented Jan 12, 2022

I pushed a proposed fix to wip branch. Please try it and let me know if it works for you as expected.

ht990332 (Author) commented:

Hi. I just tried the WIP branch. All partitions are unlocked. However, I see two more issues:

  • It says "Enter the password for cache" but then uses the TPM.
  • The root device does not get fscked. This is bad in my scenario. I think this is a different issue though. Should I open a new bug? Probably the fsck binary is not in the booster image?

anatol (Owner) commented Jan 14, 2022

> root device does not get fscked

This needs to be enabled explicitly. See man booster:

adding fsck enables boot time filesystem check. It also requires filesystem specific binary called fsck.$rootfstype to be added to the image. Filesystems are corrected automatically and if it fails then boot stops and it is responsibility of the user to fix the root filesystem.

anatol (Owner) commented Jan 14, 2022

> It says Enter the password for cache but then uses tpm.

If a partition has multiple key slots then booster tries them all. So it asks the user for a password and at the same time tries to connect to the TPM. Booster uses whichever slot gets unlocked first.

It looks like you have 2 slots: one with a tpm2 token and another one with a regular password. You can get more info about it with sudo cryptsetup luksDump $YOURDEVICE.

anatol (Owner) commented Jan 14, 2022

Also note that there is no need to unlock all the partitions at the initrd stage. Usually only the root partition is unlocked here and the rest of the partitions (cache/whatever/...) get handled by systemd inside the userspace image.

ht990332 (Author) commented:

In my case, root and swap need to be unlocked early on so I can get hibernate/resume working.

anatol (Owner) commented Jan 14, 2022

Got it. If encrypted swap is used for hibernation then yes, it needs to be unlocked in the initrd.

ht990332 (Author) commented Jan 14, 2022

Ideally, there is always one password other than the tpm2 token. Even when creating the tpm2 token, I am asked for an existing password. It also means I can access the disk from chroot.
Can the attempts be serialized by priority since rd.luks.options=tpm2-device=auto is not a valid option?

anatol (Owner) commented Jan 14, 2022

Currently there is no such option. In the future I want to add slot-id and token-id boot parameters to filter out slots we need. See #105

ht990332 (Author) commented Jan 15, 2022

I'm not an expert on luks but doesn't this indicate that only devices with no tokens will be checked with passwords?

var checkSlotsWithPassword []int
for _, s := range d.Slots() {
	if !slotsWithTokens[s] {
		// only slots that do not have tokens will be checked with keyboard password
		checkSlotsWithPassword = append(checkSlotsWithPassword, s)
	}
}

anatol (Owner) commented Jan 15, 2022

It is correct: only slots that have no tokens, or have the systemd-recovery token type, will ask the user for a keyboard password. Other slots will use the password recovered from the token.

ht990332 (Author) commented:

But doesn't mine have a tpm2 token and should therefore skip password prompts? Or have I not understood something?

anatol (Owner) commented Jan 15, 2022

Most likely you have multiple slots. Run sudo cryptsetup luksDump $YOURDEVICE to verify it.

ht990332 (Author) commented:

Yes. Each partition has slot 0 and slot 1.
Are you on IRC or matrix? I have some more LUKS questions and I don't want to spam the bug report.

anatol closed this as completed in e64bbb9 on Jan 19, 2022

ht990332 (Author) commented:

> Most likely you have multiple slots. Run sudo cryptsetup luksDump $YOURDEVICE to verify it.

Ok, regarding this, I have:

Keyslots:
  0: luks2
    Key: 512 bits
    Priority: normal
    Cipher: aes-xts-plain64
    Cipher key: 512 bits
    PBKDF: argon2i
  1: luks2
    Key: 512 bits
    Priority: normal
    Cipher: aes-xts-plain64
    Cipher key: 512 bits
    PBKDF: pbkdf2
Tokens:
  0: systemd-tpm2
    Keyslot: 1

So a token will correspond to a keyslot.
There is always going to be at least one keyslot then.
You can have one keyslot that is a passphrase, one keyslot that is a tpm2 token, two keyslots where each is one type and so on.
I think the check in #124 (comment) may be wrong then.
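As an added example (not booster's code), the Go below parses the Keyslots and Tokens sections of luksDump output like the excerpt above and applies the slot rule quoted earlier in this thread: a slot with no token, or with a systemd-recovery token, gets a keyboard password prompt, while a slot bound to a systemd-tpm2 token is unlocked through the TPM. With the two-slot layout shown here that yields a prompt for slot 0 alongside the TPM attempt on slot 1, which is the behaviour reported. ParseLuksDump, PasswordPromptSlots and LuksDumpSummary are names chosen here, and SampleDump is a constructed excerpt.

```go
package main

import (
	"strconv"
	"strings"
)

// SampleDump is a constructed excerpt shaped like the luksDump output in this issue.
const SampleDump = "Keyslots:\n  0: luks2\n    PBKDF: argon2i\n  1: luks2\n    PBKDF: pbkdf2\nTokens:\n  0: systemd-tpm2\n    Keyslot: 1\n"

type LuksDumpSummary struct {
	Slots        []int          // key slot ids in the order luksDump lists them
	TokenForSlot map[int]string // keyslot -> token type, e.g. "systemd-tpm2"
}

// ParseLuksDump reads the "Keyslots:" and "Tokens:" sections of luksDump output;
// in "Tokens:" a "0: systemd-tpm2" line opens a token and "Keyslot: 1" binds it to a slot.
func ParseLuksDump(dump string) LuksDumpSummary {
	s := LuksDumpSummary{TokenForSlot: map[int]string{}}
	section, tokenType := "", ""
	for _, raw := range strings.Split(dump, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasSuffix(line, ":") { // section header such as Keyslots: or Tokens:
			section = strings.TrimSuffix(line, ":")
			continue
		}
		key, value, _ := strings.Cut(line, ":") // needs Go 1.18+
		value = strings.TrimSpace(value)
		id, idErr := strconv.Atoi(key) // numbered entries open a slot or a token
		switch {
		case section == "Keyslots" && idErr == nil:
			s.Slots = append(s.Slots, id)
		case section == "Tokens" && idErr == nil:
			tokenType = value
		case section == "Tokens" && key == "Keyslot":
			if slot, err := strconv.Atoi(value); err == nil {
				s.TokenForSlot[slot] = tokenType
			}
		}
	}
	return s
}

// PasswordPromptSlots applies the rule quoted in this issue: only slots with no
// token, or with a systemd-recovery token, get a keyboard password prompt.
func PasswordPromptSlots(s LuksDumpSummary) (prompt []int) {
	for _, slot := range s.Slots {
		if typ, ok := s.TokenForSlot[slot]; !ok || typ == "systemd-recovery" {
			prompt = append(prompt, slot)
		}
	}
	return prompt
}
```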

anatol (Owner) commented Jan 20, 2022

I enabled the discussions page for this project. Please ask your questions there: https://github.com/anatol/booster/discussions
