
profiles: Enable TPM2 support in systemd #1756

Merged
merged 2 commits into from
Mar 27, 2024

Conversation

pothos (Member) commented Mar 15, 2024

We could use systemd-cryptenroll and cryptsetup with a TPM device but so far the support was not compiled in.
Enable the use flags for TPM2 support in systemd.

How to use

Testing done

systemd-cryptenroll works with a tpm but so far I didn't manage to make the systemd-cryptsetup generator unlock with a TPM
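A readiness check for the feature this PR enables, added here as an example and not taken from the PR or from the Flatcar scripts: it parses the feature list that `systemctl --version` prints for `+TPM2` and `+LIBCRYPTSETUP` (the build-time support the USE flag change provides) and confirms a TPM2 device node exists before TPM-bound LUKS unlocking is attempted. The device path `/dev/tpmrm0` is assumed to be the kernel's TPM2 resource-manager node.

```shell
# Added example (not from the PR or the Flatcar scripts): check that the
# running systemd was built with TPM2 support and that a TPM2 device is
# available before attempting TPM-bound LUKS unlocking with
# systemd-cryptenroll / systemd-cryptsetup. The USE flag change is only
# effective if "+TPM2" shows up in `systemctl --version`.

# systemd_feature_state NAME VERSION_OUTPUT
# Returns 0 if the feature is compiled in (+NAME), 1 if it is compiled out
# (-NAME), 2 if the feature list does not mention it at all.
systemd_feature_state() {
    name=$1
    # The feature list is space separated on its own line; flatten newlines.
    features=$(printf '%s' "$2" | tr '\n' ' ')
    case " $features " in
        *" +$name "*) return 0 ;;
        *" -$name "*) return 1 ;;
        *)            return 2 ;;
    esac
}

# tpm2_unlock_ready VERSION_OUTPUT [TPM_DEVICE]
# Prints one line per check and returns 0 only when systemd has TPM2 and
# libcryptsetup support and the TPM2 device node exists.
# /dev/tpmrm0 is assumed to be the kernel's TPM2 resource-manager node.
tpm2_unlock_ready() {
    version_output=$1
    tpm_dev=${2:-/dev/tpmrm0}
    ready=0
    for feature in TPM2 LIBCRYPTSETUP; do
        if systemd_feature_state "$feature" "$version_output"; then
            echo "ok   systemd built with +$feature"
        else
            echo "FAIL systemd built without $feature (check the profile USE flags)"
            ready=1
        fi
    done
    if [ -c "$tpm_dev" ]; then
        echo "ok   TPM2 device node $tpm_dev present"
    else
        echo "FAIL no TPM2 device node at $tpm_dev"
        ready=1
    fi
    return $ready
}

# Run the check against the live system: sh tpm2-ready.sh --check
if [ "${1:-}" = "--check" ]; then
    tpm2_unlock_ready "$(systemctl --version)"
fi
```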

@ader1990 ader1990 self-assigned this Mar 19, 2024
ader1990 (Contributor) commented
There is a cyclical dep between the app-crypt/tpm-tss and virtual/tmpfiles and systemd. Need to see how to break it somehow:

  * Error: circular dependencies:

 (app-crypt/tpm2-tss-4.0.1:0/4::portage-stable, ebuild scheduled for merge to '/build/amd64-usr/') depends on
  (virtual/tmpfiles-0-r5:0/0::portage-stable, ebuild scheduled for merge to '/build/amd64-usr/') (runtime)
   (sys-apps/systemd-255.3:0/2::coreos, ebuild scheduled for merge to '/build/amd64-usr/') (runtime)
    (app-crypt/tpm2-tss-4.0.1:0/4::portage-stable, ebuild scheduled for merge to '/build/amd64-usr/') (buildtime_slot_op)


github-actions bot commented Mar 19, 2024

Build action triggered: https://github.com/flatcar/scripts/actions/runs/8418960061

pothos (Member, Author) commented Mar 22, 2024

One way could be using TMPFILES_OPTIONAL=1 in tpm2-tss, the other could be to add an entry in the break_dep_loop list in build_packages (Edit: Trying the break_dep_loop now)

We could use systemd-cryptenroll and cryptsetup with a TPM device but
so far the support was not compiled in.
Enable the use flags for TPM2 support in systemd.
ader1990 (Contributor) commented

As Flatcar always uses systemd, we can make this package purely virtual to just flag the usage of the tmpfiles eclass. This can be done by removing the systemd dependency. Might be useful in the future to not have this kind of dependency breaking hacks for other packages too.

@pothos pothos merged commit 0fa005d into main Mar 27, 2024
1 check failed
@pothos pothos deleted the kai/systemd-tpm2 branch March 27, 2024 09:20
pothos added a commit that referenced this pull request Mar 27, 2024
profiles: Enable TPM2 support in systemd