Tpm2 boot: still being asked for a passphrase

I am trying to configure systemd so it uses TPM2 to unlock the boot partition. The partition has two keys configured – passphrase and TPM2. However, at boot it still asks for the passphrase.

Here is the relevant boot config:

  boot = {
    loader.systemd-boot.enable = true;
    initrd = {
      availableKernelModules = ["tpm_tis"];
      systemd = {
        enableTpm2 = true;
        emergencyAccess = true;
      };
      luks.devices = {
        luksroot = {
          device = "${nvme}-part3";
          allowDiscards = true;
          crypttabExtraOpts = ["tpm2-device=auto"];
        };
      };
    };
  };

The key was added like this:

$ systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p3 --tpm2-pcrs=0+1+2+3+7
<...>
$ sudo systemd-cryptenroll /dev/nvme0n1p3 
SLOT TYPE    
   0 password
   1 tpm2

I can attach the device using TPM2 key successfully, this works as expected:

$ systemd-cryptsetup attach foo /dev/nvme0n1p3 - tpm2-device=auto

TPM2 is loaded:

$ sudo journalctl -k --grep=tpm
Jul 16 05:23:12 mtworx kernel: efi: ACPI=0x5a2fe000 ACPI 2.0=0x5a2fe014 TPMFinalLog=0x5a1ae000 SMBIOS=0x5c97e000 SMBIOS 3.0=0x5c971000 MEMATTR=0x8979a018 ESRT>
Jul 16 05:23:12 mtworx kernel: ACPI: SSDT 0x000000005C963000 00060E (v02 LENOVO Tpm2Tabl 00001000 INTL 20200717)
Jul 16 05:23:12 mtworx kernel: ACPI: TPM2 0x000000005C962000 00004C (v04 LENOVO TP-N3X   00001250 PTEC 00000002)
Jul 16 05:23:12 mtworx kernel: ACPI: Reserving TPM2 table memory at [mem 0x5c962000-0x5c96204b]
Jul 16 05:23:12 mtworx kernel: tpm_tis NTC0702:00: 2.0 TPM (device-id 0xFC, rev-id 1)

Why is it still asking for the passphrase at boot, how can I make it boot without one?

Hi,
Did you ever solve this? I’m running into the exact same issue now on my fresh install. Everything looks okay based on what I know from running auto-unlock on Arch, but I’m getting prompted for the password each boot.

I have Secure Boot running through lanzaboote.

$ sbctl status
Installed:	✓ sbctl is installed
Owner GUID:	7a0f7575-d4ca-45ba-a96b-2828c2c49b61
Setup Mode:	✓ Disabled
Secure Boot:	✓ Enabled
Vendor Keys:	none

And the key is enrolled with the correct PCR value, because re-enrolling it fails.

# systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto /dev/nvme0n1p2
🔐 Please enter current passphrase for disk /dev/nvme0n1p2:
This PCR set is already enrolled, executing no operation.

It’s the NixOS specific parts I’m unsure about, but I followed a guide I found here: "Secure Boot & TPM-backed Full Disk Encryption on NixOS" by Jon Seager.

I didn’t :frowning:

In the interim I stuck in a USB stick with the passkey until I get this sorted.

Do you two actually have boot.initrd.systemd.enable enabled? That’s a prerequisite.

Otherwise, you might be hitting “Dictionary Attack Lockout”, where the TPM will lock you out for a period of time if decryption fails too many times (like if you had it misconfigured while experimenting). You’d want to check journalctl -b 0 -u 'systemd-cryptsetup@*' for error messages, and you might need to set systemd.log_level=debug in the kernel params to see anything particularly useful.

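Putting the two halves of the thread together, here is the original poster's fragment with the prerequisite named in the reply above, boot.initrd.systemd.enable, switched on, plus the debug kernel parameter the reply suggests left in as a commented-out line. This is an added example, not the configuration of anyone in the thread; the `nvme` let-binding and the by-id disk path are assumed placeholders standing in for the thread's own `${nvme}` variable.

```nix
# Added example, not taken from the thread. Assumes `nvme` is the stable
# by-id path of the disk (the thread's "${nvme}" variable); the path below
# is a placeholder.
{ config, lib, pkgs, ... }:

let
  nvme = "/dev/disk/by-id/nvme-EXAMPLE-SERIAL";  # assumed placeholder
in
{
  boot = {
    loader.systemd-boot.enable = true;

    initrd = {
      # tpm_tis is the driver the thread's kernel log shows binding this TPM.
      availableKernelModules = [ "tpm_tis" ];

      systemd = {
        # The missing prerequisite. Without the systemd-based initrd the
        # crypttab options (including tpm2-device=auto) are never consulted,
        # and the scripted initrd falls back to the passphrase prompt.
        enable = true;

        # Option name as used in the thread's own config.
        enableTpm2 = true;

        # Unauthenticated emergency shell in the initrd; useful while
        # debugging, but drop it once unlocking works.
        emergencyAccess = true;
      };

      luks.devices.luksroot = {
        device = "${nvme}-part3";
        allowDiscards = true;
        # Passed through to the initrd's /etc/crypttab; systemd-cryptsetup
        # then tries the enrolled TPM2 slot before prompting for a passphrase.
        crypttabExtraOpts = [ "tpm2-device=auto" ];
      };
    };

    # Troubleshooting only (from the reply above): makes systemd-cryptsetup
    # say why the TPM2 unlock failed, e.g. a dictionary-attack lockout.
    # kernelParams = [ "systemd.log_level=debug" ];
  };
}
```

After rebuilding, no re-enrolment is needed: the TPM2 slot already exists, as the `systemd-cryptenroll` listing in the question shows. If unlocking still fails, check `journalctl -b 0 -u 'systemd-cryptsetup@*'` as the reply suggests. One caveat worth keeping in mind with the enrolled PCR set 0+1+2+3+7: PCRs 0 to 3 measure firmware and option ROMs, so a firmware update changes them and the TPM2 slot will stop unlocking until it is re-enrolled; that is the reason to keep the passphrase slot alongside it.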

Thank you, that was it! :partying_face: