Release version 21 + TPM 1.2, update 6

@oldium oldium released this 11 Dec 01:16

Packages for Clevis v21 with TPM 1.2 implementation

New and Noteworthy:

  • Fixed early startup so that swap devices can also be unlocked.
  • Unlocking now works with a separate /var volume; see man clevis-encrypt-tpm1.
  • Fixed running under Debian Trixie.
  • The RPM for Fedora-based distributions has been synced with the latest Rawhide RPM, so there are new packages clevis-pin-tpm1 and clevis-pin-pkcs11. Check the installation instructions.
  • The RPM now contains a unique Vendor name (oldium), so the sticky-vendor flag can be used to prevent unwanted Clevis updates.

Debian

Version pinning

Package installation is controlled by package priority. To pin the clevis packages to the tpm1 version, create the file /etc/apt/preferences.d/clevis-pin with the following content:

/etc/apt/preferences.d/clevis-pin:

Package: clevis*
Pin: version *tpm1*
Pin-Priority: 1001

Debian 12 (bookworm)

Download all DEBs to the current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u6 | jq -r '.assets[].browser_download_url | select(test("deb12|orig"))' | wget -ci-

Install the typical Dracut version with:

sudo apt install ./clevis-dracut_21-1+tpm1u6+deb12_amd64.deb ./clevis-systemd_21-1+tpm1u6+deb12_amd64.deb ./clevis-tpm1_21-1+tpm1u6+deb12_amd64.deb ./clevis-luks_21-1+tpm1u6+deb12_amd64.deb ./clevis_21-1+tpm1u6+deb12_amd64.deb

Installation of the typical initramfs-tools version:

sudo apt install ./clevis-initramfs_21-1+tpm1u6+deb12_amd64.deb ./clevis-systemd_21-1+tpm1u6+deb12_amd64.deb ./clevis-tpm1_21-1+tpm1u6+deb12_amd64.deb ./clevis-luks_21-1+tpm1u6+deb12_amd64.deb ./clevis_21-1+tpm1u6+deb12_amd64.deb

Debian 11 (bullseye)

Download all DEBs to the current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u6 | jq -r '.assets[].browser_download_url | select(test("deb11|orig"))' | wget -ci-

Install the typical Dracut version with:

sudo apt install ./clevis-dracut_21-1+tpm1u6+deb11_amd64.deb ./clevis-systemd_21-1+tpm1u6+deb11_amd64.deb ./clevis-tpm1_21-1+tpm1u6+deb11_amd64.deb ./clevis-luks_21-1+tpm1u6+deb11_amd64.deb ./clevis_21-1+tpm1u6+deb11_amd64.deb

Installation of the typical initramfs-tools version:

sudo apt install ./clevis-initramfs_21-1+tpm1u6+deb11_amd64.deb ./clevis-systemd_21-1+tpm1u6+deb11_amd64.deb ./clevis-tpm1_21-1+tpm1u6+deb11_amd64.deb ./clevis-luks_21-1+tpm1u6+deb11_amd64.deb ./clevis_21-1+tpm1u6+deb11_amd64.deb

Ubuntu

Version pinning

Package installation is controlled by package priority. To pin the clevis packages to the tpm1 version, create the file /etc/apt/preferences.d/clevis-pin with the following content:

/etc/apt/preferences.d/clevis-pin:

Package: clevis*
Pin: version *tpm1*
Pin-Priority: 1001
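
A post-install audit for the pin described in the Debian and Ubuntu version pinning sections, as an added example that is not part of the release notes or the project's code: it lists installed clevis packages whose version no longer matches *tpm1*. The function name unpinned_clevis and the sample package lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that every installed clevis package is a tpm1 build.
# Input: one "<name> <version>" pair per line, e.g. from
#   dpkg-query -W -f='${Package} ${Version}\n' 'clevis*'

# Prints the names of clevis packages whose version does not match the
# pattern used in /etc/apt/preferences.d/clevis-pin.
# Returns 0 when every clevis package matches, 1 when at least one drifted.
unpinned_clevis() {
    drifted=0
    while read -r name version; do
        case "$name" in
            clevis*) ;;              # same scope as "Package: clevis*"
            *) continue ;;
        esac
        # dpkg-query prints an empty version for packages that are not installed
        [ -n "$version" ] || continue
        case "$version" in
            *tpm1*) ;;               # same glob as "Pin: version *tpm1*"
            *) printf '%s\n' "$name"; drifted=1 ;;
        esac
    done
    return "$drifted"
}

# Constructed sample: all clevis packages come from this release.
SAMPLE_OK='clevis 21-1+tpm1u6+deb12
clevis-luks 21-1+tpm1u6+deb12
clevis-tpm1 21-1+tpm1u6+deb12'

# Constructed sample: two packages were replaced by a non-tpm1 build
# (the version 19-2 is made up); cryptsetup is outside the pin's scope.
SAMPLE_DRIFT='clevis 21-1+tpm1u6+deb12
clevis-luks 19-2
clevis-tpm2 19-2
cryptsetup 2:2.6.1-4'

# Demonstration on the constructed drift sample.
printf '%s\n' "$SAMPLE_DRIFT" | unpinned_clevis || echo "clevis pin drift detected"
```

On a real system, pipe the dpkg-query command from the header comment into unpinned_clevis before rebooting a machine that relies on TPM 1.2 unlocking.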

Ubuntu 24.10 (Oracular Oriole)

Download all DEBs to the current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u6 | jq -r '.assets[].browser_download_url | select(test("ubuntu24.10|orig"))' | wget -ci-

Install the typical Dracut version with:

sudo apt install ./clevis-dracut_21-1+tpm1u6+ubuntu24.10_amd64.deb ./clevis-systemd_21-1+tpm1u6+ubuntu24.10_amd64.deb ./clevis-tpm1_21-1+tpm1u6+ubuntu24.10_amd64.deb ./clevis-luks_21-1+tpm1u6+ubuntu24.10_amd64.deb ./clevis_21-1+tpm1u6+ubuntu24.10_amd64.deb

Installation of the typical initramfs-tools version:

sudo apt install ./clevis-initramfs_21-1+tpm1u6+ubuntu24.10_amd64.deb ./clevis-systemd_21-1+tpm1u6+ubuntu24.10_amd64.deb ./clevis-tpm1_21-1+tpm1u6+ubuntu24.10_amd64.deb ./clevis-luks_21-1+tpm1u6+ubuntu24.10_amd64.deb ./clevis_21-1+tpm1u6+ubuntu24.10_amd64.deb

Ubuntu 24.04 (Noble Numbat)

Download all DEBs to the current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u6 | jq -r '.assets[].browser_download_url | select(test("ubuntu24.04|orig"))' | wget -ci-

Install the typical Dracut version with:

sudo apt install ./clevis-dracut_21-1+tpm1u6+ubuntu24.04_amd64.deb ./clevis-systemd_21-1+tpm1u6+ubuntu24.04_amd64.deb ./clevis-tpm1_21-1+tpm1u6+ubuntu24.04_amd64.deb ./clevis-luks_21-1+tpm1u6+ubuntu24.04_amd64.deb ./clevis_21-1+tpm1u6+ubuntu24.04_amd64.deb

Installation of the typical initramfs-tools version:

sudo apt install ./clevis-initramfs_21-1+tpm1u6+ubuntu24.04_amd64.deb ./clevis-systemd_21-1+tpm1u6+ubuntu24.04_amd64.deb ./clevis-tpm1_21-1+tpm1u6+ubuntu24.04_amd64.deb ./clevis-luks_21-1+tpm1u6+ubuntu24.04_amd64.deb ./clevis_21-1+tpm1u6+ubuntu24.04_amd64.deb

Fedora

Version lock for DNF4

The versionlock plugin is used to prevent upgrades to the regular Clevis version.

sudo dnf install 'dnf-command(versionlock)'
sudo dnf versionlock add --raw "clevis-*.tpm1*"
sudo dnf versionlock add --raw "clevis-pin-tpm2"

Sticky vendors for DNF5

The versionlock plugin is built into DNF5, but its configuration does not allow the same flexibility as in DNF4. The RPM contains a unique Vendor (oldium), so the sticky-vendor feature can be used to prevent unwanted Clevis updates. The following change to the /etc/dnf/dnf.conf file is necessary:

/etc/dnf/dnf.conf:

[main]
allow_vendor_change = no

Fedora 42 (Rawhide)

Download all RPMs to the current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u6 | jq -r '.assets[].browser_download_url | select(test("fc42"))' | wget -ci-

Typical installation:

sudo dnf install clevis-pin-tpm2 ./clevis-21-1.tpm1u6.fc42.x86_64.rpm ./clevis-dracut-21-1.tpm1u6.fc42.x86_64.rpm ./clevis-pin-tpm1-21-1.tpm1u6.fc42.x86_64.rpm ./clevis-luks-21-1.tpm1u6.fc42.x86_64.rpm ./clevis-systemd-21-1.tpm1u6.fc42.x86_64.rpm

For upgrades you can omit clevis-pin-tpm2 as it is already installed.

Fedora 41

Download all RPMs to the current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u6 | jq -r '.assets[].browser_download_url | select(test("fc41"))' | wget -ci-

Typical installation:

sudo dnf install clevis-pin-tpm2 ./clevis-21-1.tpm1u6.fc41.x86_64.rpm ./clevis-dracut-21-1.tpm1u6.fc41.x86_64.rpm ./clevis-pin-tpm1-21-1.tpm1u6.fc41.x86_64.rpm ./clevis-luks-21-1.tpm1u6.fc41.x86_64.rpm ./clevis-systemd-21-1.tpm1u6.fc41.x86_64.rpm

For upgrades you can omit clevis-pin-tpm2 as it is already installed.

Fedora 40

Download all RPMs to the current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u6 | jq -r '.assets[].browser_download_url | select(test("fc40"))' | wget -ci-

Typical installation:

sudo dnf install clevis-pin-tpm2 ./clevis-21-1.tpm1u6.fc40.x86_64.rpm ./clevis-dracut-21-1.tpm1u6.fc40.x86_64.rpm ./clevis-pin-tpm1-21-1.tpm1u6.fc40.x86_64.rpm ./clevis-luks-21-1.tpm1u6.fc40.x86_64.rpm ./clevis-systemd-21-1.tpm1u6.fc40.x86_64.rpm

For upgrades you can omit clevis-pin-tpm2 as it is already installed.

Fedora 39

Download all RPMs to the current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u6 | jq -r '.assets[].browser_download_url | select(test("fc39"))' | wget -ci-

Typical installation:

sudo dnf install clevis-pin-tpm2 ./clevis-21-1.tpm1u6.fc39.x86_64.rpm ./clevis-dracut-21-1.tpm1u6.fc39.x86_64.rpm ./clevis-pin-tpm1-21-1.tpm1u6.fc39.x86_64.rpm ./clevis-luks-21-1.tpm1u6.fc39.x86_64.rpm ./clevis-systemd-21-1.tpm1u6.fc39.x86_64.rpm

For upgrades you can omit clevis-pin-tpm2 as it is already installed.

CentOS Stream

📝 Note: Installation of Trousers and tpm-tools requires the EPEL repository.

Version lock for DNF4

The versionlock plugin is used to prevent upgrades to the regular Clevis version.

sudo dnf install 'dnf-command(versionlock)'
sudo dnf versionlock add --raw "clevis-*.tpm1*"
sudo dnf versionlock add --raw "clevis-pin-tpm2"

CentOS Stream 9

Download all RPMs to the current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u6 | jq -r '.assets[].browser_download_url | select(test("el9"))' | wget -ci-

Typical installation:

sudo dnf install clevis-pin-tpm2 ./clevis-21-1.tpm1u6.el9.x86_64.rpm ./clevis-dracut-21-1.tpm1u6.el9.x86_64.rpm ./clevis-pin-tpm1-21-1.tpm1u6.el9.x86_64.rpm ./clevis-luks-21-1.tpm1u6.el9.x86_64.rpm ./clevis-systemd-21-1.tpm1u6.el9.x86_64.rpm

For upgrades you can omit clevis-pin-tpm2 as it is already installed.

Full Changelog: v21...v21_tpm1u6