TPM2 LUKS Unlock not working

I tried this guide to enable tpm2 unlock, but it didn’t work for me.
I also searched the forum for other tpm2 posts but wasn’t able to find a solution.
configuration.nix, hardware-configuration.nix, secure-boot.nix
The command I used to enroll was:

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1ps

Relevant sections:

  boot.initrd.availableKernelModules = [ "tpm_tis" "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  boot.initrd.systemd.enable = true;
  boot.initrd.systemd.enableTpm2 = true;
  security.tpm2.enable = true;

{ pkgs, lib, ... }:

{
  environment.systemPackages = with pkgs; [
    # For debugging and troubleshooting Secure Boot.
    sbctl
    # This is needed to auto-unlock LUKS with TPM 2 - https://discourse.nixos.org/t/full-disk-encryption-tpm2/29454/2
    tpm2-tss
  ];

  boot = {
    loader = {
      # Lanzaboote currently replaces the systemd-boot module.
      # This setting is usually set to true in configuration.nix
      # generated at installation time. So we force it to false
      # for now.
      systemd-boot.enable = lib.mkForce false;
      efi.canTouchEfiVariables = true;
      timeout = 1;
    };

    lanzaboote = {
      enable = true;
      pkiBundle = "/etc/secureboot";
    };

    # This is needed to auto-unlock LUKS with TPM 2 - https://discourse.nixos.org/t/full-disk-encryption-tpm2/29454/2
    initrd.systemd.enable = true;

  };
}

Hi,

not an expert, but this worked for me:

  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.efiSysMountPoint = "/boot";
  boot.loader.efi.canTouchEfiVariables = true;
  boot.initrd.systemd.enable = true;

  boot.initrd.luks.devices = {
    cryptroot = {
       device = "/dev/disk/by-partuuid/${partitionuuid}";
       allowDiscards = true; # Used if primary device is a SSD
       preLVM = true;
    };
  };

  environment.systemPackages = with pkgs; [
    sbctl
    tpm2-tools
    tpm2-tss
  ];

Maybe avoid lanzaboote?

Regards


FYI to both of you, nothing in environment.systemPackages has anything to do with TPM2 disk unlocking. And @FStefanni lanzaboote should be just fine with the TPM2, and preLVM has no effect with systemd-initrd.

I helped someone diagnose why their system stopped working with TPM2 auto-unlocking last night, and I believe we’ve identified a NixOS bug that’s appeared recently. I’m going to be opening a PR with a fix, a bit of code cleanup, and some improved documentation here very soon.

In the meantime, the other person’s fix was to include some new systemd dependencies. This is what I’ll be upstreaming to NixOS in the next day hopefully.

boot.initrd.systemd = {
  additionalUpstreamUnits = [ "systemd-tpm2-setup-early.service" ];
  storePaths = [
    "${config.boot.initrd.systemd.package}/lib/systemd/systemd-tpm2-setup"
    "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-tpm2-generator"
  ];
};

Thank you, this solved my issue.

@ElvishJerricco Can you please link the PR or the issue here? Also, how do you debug these issues? Sorry for the dumb question, but how can I obtain logs from initrd systemd?

Just wanted to say thanks, this line was what did the trick for me. The only other things I did earlier were 1) systemd-cryptenroll command from above and 2) add crypttabExtraOpts = [ "tpm2-device=auto" ]; in Disko. I have removed all the other tpm2* related settings (incl. kernel modules and packages) from configuration.nix, and it still works now!

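As an added example (not from anyone in this thread), a check that can be run on the output of `cryptsetup luksDump --dump-json-metadata <device>` after the `systemd-cryptenroll --tpm2-pcrs=0+7` step from the first post, to confirm the enrollment actually landed in the LUKS2 header before suspecting the initrd. The field names follow the systemd-tpm2 token format; the sample metadata, blob and hash values are constructed placeholders.

```python
import json

# Constructed sample of `cryptsetup luksDump --dump-json-metadata <dev>` output,
# reduced to the fields this check reads; blob and hash values are placeholders.
SAMPLE_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {
        "type": "systemd-tpm2",
        "keyslots": ["1"],
        "tpm2-pcrs": [0, 7],
        "tpm2-pcr-bank": "sha256",
        "tpm2-blob": "PLACEHOLDER",
        "tpm2-policy-hash": "PLACEHOLDER",
        "tpm2-pin": False,
    }},
})


def check_tpm2_enrollment(metadata_json, expected_pcrs=(0, 7)):
    """Inspect a LUKS2 header dump and report errors (auto-unlock cannot work
    as intended) and warnings (it works, but with weaker guarantees)."""
    meta = json.loads(metadata_json)
    keyslots = meta.get("keyslots", {})
    errors, warnings = [], []
    tokens = [t for t in meta.get("tokens", {}).values()
              if t.get("type") == "systemd-tpm2"]
    if not tokens:
        errors.append("no systemd-tpm2 token: enrollment never reached the header")
    bound_slots = set()
    for tok in tokens:
        pcrs = set(tok.get("tpm2-pcrs", []))
        bound_slots.update(tok.get("keyslots", []))
        if pcrs != set(expected_pcrs):
            errors.append(f"bound to PCRs {sorted(pcrs)}, expected {sorted(expected_pcrs)}")
        if 7 not in pcrs:
            warnings.append("PCR 7 not bound: unlock does not depend on Secure Boot state")
        if not tok.get("tpm2-pin", False):
            warnings.append("no PIN: unlock is automatic for anyone booting the signed chain")
        # A token that names a keyslot the header no longer has will never unlock.
        for slot in tok.get("keyslots", []):
            if slot not in keyslots:
                errors.append(f"token points at missing keyslot {slot}")
    # Keep at least one passphrase keyslot so a firmware or Secure Boot change
    # (which rewrites PCR 0/7) does not lock you out.
    if not (set(keyslots) - bound_slots):
        warnings.append("no passphrase keyslot left for recovery if PCRs change")
    return {"ok": not errors, "errors": errors, "warnings": warnings}
```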