I’ve set up a fresh NixOS installation using LVM on top of LUKS, and am trying to get the system to unlock the root volume without a password prompt using my system’s TPM2 module. I’ve been using the instructions in the comment here. Unfortunately this seems to result in an unbootable system - see the errors in the attached screenshot.
The relevant parts of my NixOS configuration are:

```nix
boot.initrd.availableKernelModules = [ "vmd" "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.initrd.systemd.enable = true;
boot.initrd.systemd.enableTpm2 = true;
security.tpm2.enable = true;
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];

boot.initrd.luks.devices.cryptlvm = {
  device = "/dev/disk/by-uuid/47d8a0a2-900d-45c0-ae63-026238a14601";
  preLVM = true; # luksOpen will be attempted before LVM scan
};

fileSystems."/" = {
  device = "/dev/WD770VolGroup/root";
  #fsType = "ext4";
};

fileSystems."/boot" = {
  device = "/dev/disk/by-uuid/D840-BDB1";
  fsType = "vfat";
};
```
The TPM key does seem to be registered on the disk:

```
richard@osaka ~ % sudo systemd-cryptenroll /dev/disk/by-uuid/47d8a0a2-900d-45c0-ae63-026238a14601
SLOT TYPE
   0 password
   1 tpm2
```
If I disable `boot.initrd.systemd`, the system boots again, but prompts for the password. I was wondering if someone more knowledgeable than me might know why my configuration isn't working.
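With systemd in the initrd, the LUKS volume is opened by systemd-cryptsetup from a generated crypttab, and the tpm2 keyslot is only consulted when that crypttab line carries `tpm2-device=auto`; in NixOS that option is passed through `crypttabExtraOpts`. The fragment below is an added example, not configuration from the original post; it reuses the `cryptlvm` device name and UUID from above and assumes `enableTpm2` already pulls the TPM driver modules into the initrd.

```nix
# Added example, not from the original post. Reuses the cryptlvm device
# from the question; the only new setting is crypttabExtraOpts.
{
  boot.initrd.systemd.enable = true;
  boot.initrd.systemd.enableTpm2 = true;

  boot.initrd.luks.devices.cryptlvm = {
    device = "/dev/disk/by-uuid/47d8a0a2-900d-45c0-ae63-026238a14601";
    preLVM = true;
    # Written into the options column of the initrd's /etc/crypttab.
    # Without it systemd-cryptsetup ignores the tpm2 keyslot and goes
    # straight to the password prompt, which matches the symptom above.
    crypttabExtraOpts = [ "tpm2-device=auto" ];
  };
}
```

If the TPM's PCR policy no longer matches at boot (for example after a firmware or boot-chain change), systemd-cryptsetup falls back to the remaining password slot rather than failing outright, so keeping slot 0 enrolled is the recovery path.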