support for opening LUKS volumes with TPM2 (!39) · Merge requests · Debian Cryptsetup Team / cryptsetup

Armin Felder requested to merge armin.felder/cryptsetup:feature/TPM2 into debian/latest Jun 02, 2024

adds support for tpm2-device crypttab option
adds systemd-tpm2 cryptsetup token plugin to initramfs

solves https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031254

tested, with libvirt and swtpm, by using:

domain config:

  <os firmware="efi">
    <type arch="x86_64" machine="pc-q35-8.2">hvm</type>
    <firmware>
      <feature enabled="yes" name="enrolled-keys"/>
      <feature enabled="yes" name="secure-boot"/>
    </firmware>
    <loader readonly="yes" secure="yes" type="pflash">/usr/share/OVMF/OVMF_CODE_4M.ms.fd</loader>
    <nvram template="/usr/share/OVMF/OVMF_VARS_4M.ms.fd">/var/lib/libvirt/qemu/nvram/debian_crypt_test_VARS.fd</nvram>
  </os>

<devices>
    <tpm model="tpm-tis">
      <backend type="emulator" version="2.0"/>
    </tpm>
    ...
</devices>

crypttab:

rootfs UUID=xxxxxxxx none tpm-device=auto

Edited Jun 02, 2024 by Armin Felder

support for opening LUKS volumes with TPM2

Merge request reports