Re: partman-crypto: support for systemd-cryptenroll key types (TPM2/PKCS#11/FIDO2)?
August 14, 2025 at 4:26 PM, "Luca Boccassi" <bluca@debian.org> wrote:
> >
> > I've been hacking on adding support for systemd-cryptenroll(1) style
> > keys to partman-crypto.
> > ...
> > It also forcefully replaces initramfs-tools with dracut (since only
> > dracut supports systemd-cryptenroll style keys).
>
> Are you 100% sure about that? I am running prebuilt ukis these days,
> but before that I had just the normal initramfs-tools and I always used
> fido2 for luks2 unlocking. It should work, cryptsetup will load the
> plugins as long as they are installed in the initrd.
I'm not 100% sure, no. I just assumed that cryptsetup didn't support these
kinds of keys in the initramfs since it spits out warnings about unrecognised
options for e.g. "fido2-device=" cfg options in crypttab when the initramfs
is regenerated. But if it's the general consensus that systemd-cryptenroll
support is useful in debian-installer, I could certainly look into it...
If it does indeed support it, I'd still need to figure out a way to pass
the password/PIN requests from cryptsetup to debconf, like the C utility
I wrote (in the branch I linked) for the systemd-style password agent protocol.
> >
> > https://salsa.debian.org/Alphix/partman-crypto/-/tree/systemd-cryptenroll
> >
>
> Please hook this up with opal too - that's just luks2 as well, so
> everything will work in exactly the same way, minus the admin password
> that still needs to be set separately
Yeah, I haven't really checked opal yet (I lack the hardware, but I could
probably do some hacks to pretend that QEMU has support), and I also need
to do testing with FIDO2/PKCS#11 "hardware", but that's exactly the kind
of things that I'd work on if I had an indication that this kind of feature
might be accepted into d-i (no, not meant as nagging).
Another issue that I need to think more about is preseeding. Right now, it's
kind of unknowable how many/which prompts will be generated by the enrolling
process ("TPM2 PIN", "TPM2 PIN (repeat)", "Please touch your FIDO2 key
to verify user presence", PKCS#11 may or may not require a PIN, etc), which
makes it hard to come up with a sane preseed scheme.
Cheers,
David
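For readers unfamiliar with the "systemd-style password agent protocol" David mentions, the following is an added example (written for this page; it is not David's C utility from the linked branch, nor code from systemd or partman-crypto). A requester such as cryptsetup drops an INI-style ask.* file under /run/systemd/ask-password/ with an [Ask] section (Socket=, Message=, PID=, Echo=, NotAfter=, Id=); an agent obtains the secret from the user and sends a single AF_UNIX datagram to the Socket= path, "+" followed by the password to answer, or "-" to cancel. The prompt callback, the fake requester socket, the temporary directory and the sample ask-file contents are all constructed here; in the installer the callback would be replaced by a debconf question, and the agent would watch the real directory with inotify and run as root, which is what the requester expects replies from.

```python
"""Minimal systemd password agent (added example, not partman-crypto code).

Protocol summary: a requester writes /run/systemd/ask-password/ask.XXXXXX,
an INI-style file with an [Ask] section. An agent prompts the user, then
sends one AF_UNIX datagram to the Socket= path: b'+' + password to answer,
or b'-' to cancel. Paths and sample data below are constructed for the demo.
"""
import os
import socket
import tempfile
import time

ASK_DIR = "/run/systemd/ask-password"  # real location; the demo uses a temp dir


def parse_ask_file(text):
    """Return the key=value fields of the [Ask] section as a dict."""
    fields = {}
    in_ask = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_ask = (line == "[Ask]")
            continue
        if in_ask and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "Socket" not in fields:
        raise ValueError("ask file has no Socket= in [Ask]")
    return fields


def is_expired(fields, now_usec=None):
    """NotAfter= is CLOCK_MONOTONIC in microseconds; 0 or absent means no deadline."""
    not_after = int(fields.get("NotAfter", "0"))
    if not_after == 0:
        return False
    if now_usec is None:
        now_usec = time.monotonic_ns() // 1000
    return now_usec >= not_after


def requester_alive(fields):
    """A stale ask file whose PID= is gone should be ignored, not answered."""
    pid = int(fields.get("PID", "0"))
    if pid <= 0:
        return True
    try:
        os.kill(pid, 0)  # signal 0: existence check only
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def encode_reply(password):
    """'+<password>' answers the query; None (user cancelled) becomes '-'."""
    if password is None:
        return b"-"
    return b"+" + password.encode("utf-8")


def send_reply(fields, password):
    """Deliver the reply datagram to the requester's socket; return the bytes sent."""
    msg = encode_reply(password)
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(msg, fields["Socket"])
    return msg


def answer_query(ask_text, prompt):
    """Handle one ask file: parse, drop if stale, ask via prompt(message, echo),
    reply. Returns the bytes sent, or None if the request was stale."""
    fields = parse_ask_file(ask_text)
    if is_expired(fields) or not requester_alive(fields):
        return None
    echo = fields.get("Echo", "0") == "1"
    secret = prompt(fields.get("Message", "Password:"), echo)
    return send_reply(fields, secret)


def demo_roundtrip(password="hunter2"):
    """Constructed end-to-end exchange with a fake requester standing in for
    cryptsetup: it binds the socket, we answer, it receives the datagram."""
    workdir = tempfile.mkdtemp()
    sock_path = os.path.join(workdir, "sck.demo")
    requester = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    requester.bind(sock_path)
    requester.settimeout(2)
    ask_text = (  # constructed sample; field names follow the protocol
        "[Ask]\n"
        f"PID={os.getpid()}\n"
        f"Socket={sock_path}\n"
        "AcceptCached=0\n"
        "Echo=0\n"
        "NotAfter=0\n"
        "Message=Please enter passphrase for disk sda3_crypt:\n"
        "Id=cryptsetup:/dev/sda3\n"
    )
    try:
        sent = answer_query(ask_text, lambda message, echo: password)
        received, _ = requester.recvfrom(4096)
    finally:
        requester.close()
        os.unlink(sock_path)
        os.rmdir(workdir)
    assert sent == received
    return received


if __name__ == "__main__":
    print(demo_roundtrip())
```

The prompt callback is the seam where debconf would go: the message text from the ask file becomes the question, Echo= decides between a password and a plain string template, and a cancelled question maps to the "-" reply so cryptsetup fails cleanly instead of hanging. The stale-request checks (NotAfter=, PID=) matter in practice because ask files can outlive the process that wrote them.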