Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

profiles: Enable TPM2 support in systemd #1756

Merged
merged 2 commits into from
Mar 27, 2024
Merged

profiles: Enable TPM2 support in systemd #1756

merged 2 commits into from
Mar 27, 2024

Conversation

pothos
Copy link
Member

@pothos pothos commented Mar 15, 2024
edited
Loading

We could use systemd-cryptenroll and cryptsetup with a TPM device but so far the support was not compiled in.
Enable the use flags for TPM2 support in systemd.

How to use

Testing done

systemd-cryptenroll works with a tpm but so far I didn't manage to make the systemd-cryptsetup generator unlock with a TPM

@ader1990 ader1990 self-assigned this Mar 19, 2024
@ader1990
Copy link
Contributor

There is a cyclical dep between the app-crypt/tpm-tss and virtual/tmpfiles and systemd. Need to see how to break it somehow:


  * Error: circular dependencies:
 
 (app-crypt/tpm2-tss-4.0.1:0/4::portage-stable, ebuild scheduled for merge to '/build/amd64-usr/') depends on
  (virtual/tmpfiles-0-r5:0/0::portage-stable, ebuild scheduled for merge to '/build/amd64-usr/') (runtime)
   (sys-apps/systemd-255.3:0/2::coreos, ebuild scheduled for merge to '/build/amd64-usr/') (runtime)
    (app-crypt/tpm2-tss-4.0.1:0/4::portage-stable, ebuild scheduled for merge to '/build/amd64-usr/') (buildtime_slot_op)

@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 19, 2024
edited
Loading

Build action triggered: https://github.com/flatcar/scripts/actions/runs/8418960061

@github-actions github-actions bot mentioned this pull request Mar 22, 2024
Closed
@pothos
Copy link
Member Author

pothos commented Mar 22, 2024
edited
Loading

One way could be using TMPFILES_OPTIONAL=1 in tpm2-tss, the other could be to add an entry in the break_dep_loop list in build_packages (Edit: Trying the break_dep_loop now)

@pothos
profiles: Enable TPM2 support in systemd
7c4529d 
We could use systemd-cryptenroll and cryptsetup with a TPM device but
so far the support was not compiled in.
Enable the use flags for TPM2 support in systemd.
@pothos pothos force-pushed the kai/systemd-tpm2 branch from f49462c to 7c4529d Compare March 22, 2024 08:11
@ader1990
Copy link
Contributor

As Flatcar always uses systemd, we can make this package purely virtual to just flag the usage of the tmpfiles eclass. This can be done by removing the systemd dependency. Might be useful in the future to not have this kind of dependency breaking hacks for other packages too.

@pothos pothos merged commit 0fa005d into main Mar 27, 2024
1 check failed
@pothos pothos deleted the kai/systemd-tpm2 branch March 27, 2024 09:20
pothos added a commit that referenced this pull request Mar 27, 2024
@pothos
Merge pull request #1756 from flatcar/scripts
5a14eb4 
profiles: Enable TPM2 support in systemd
@github-actions github-actions bot mentioned this pull request Apr 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ader1990 ader1990 ader1990 approved these changes

Assignees

@ader1990 ader1990

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pothos @ader1990