partman-crypto: support for systemd-cryptenroll key types (TPM2/PKCS#11/FIDO2)?
Hi,
I've been hacking on adding support for systemd-cryptenroll(1) style keys to partman-crypto.
I have a rough proof-of-concept [1] which I've tested in QEMU with an emulated TPM2 device. It has some rough edges, but it basically works.
My first version relied on systemd-cryptsetup udebs, but that approach was:
a) cumbersome, since systemd-cryptsetup udebs would require quite a lot of .udebs for dependencies
b) not to the systemd maintainers' liking [2] (not complaining, I understand the rationale)
This version does the systemd-cryptenroll dance in the finish-install stage, using systemd-cryptenroll in /target, and a small binary which speaks the systemd "password agent" protocol, and hands the prompts over to debconf.
It also forcefully replaces initramfs-tools with dracut (since only dracut supports systemd-cryptenroll style keys). This might be less extreme than it sounds if dracut becomes the standard initramfs tool post-Trixie [4].
Before I spend any more time on this, I'd like to know if this is something which could be acceptable in debian-installer or if I should shelve this little project?
Cheers,
David
[1] https://salsa.debian.org/Alphix/partman-crypto/-/tree/systemd-cryptenroll?ref_type=heads
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110431
[3] https://systemd.io/PASSWORD_AGENTS/
[4] https://salsa.debian.org/kernel-team/meetings/-/wikis/20250730