
Boot Failure After Customizing Flatcar Image with LUKS-Encrypted Root Partition #1623

Open
Ghanshyam-Varun opened this issue Jan 28, 2025 · 0 comments
Labels
kind/feature A feature request

Comments


Ghanshyam-Varun commented Jan 28, 2025

Current situation

I am customizing the official Flatcar image to integrate our components and encrypting the root partition using LUKS. The root partition is mounted on a separate system, and I’ve configured crypttab and fstab for automatic decryption during boot. However, the system fails to boot, and I observe the following errors during boot time:

[Image: screenshot of the boot-time error messages; not reproduced as text]

Steps to Reproduce

  1. Convert the Flatcar QEMU image to a raw disk image:

```shell
qemu-img convert -O raw flatcar_production_qemu_image.img flatcar.raw
```

  2. Set up the loop device and encrypt the root partition:

```shell
loopdev=$(losetup -f)
losetup $loopdev flatcar.raw
kpartx -av ${loopdev}
# partition 9 is the Flatcar ROOT partition
root_device=/dev/mapper/$(basename ${loopdev})p9
cryptsetup luksFormat --type luks2 $root_device
cryptsetup open $root_device cryptdisk
mkfs.ext4 /dev/mapper/cryptdisk
```

  3. Mount the root partition and add custom components:

```shell
mkdir -p /mnt/root
# mount the opened (decrypted) mapping, not the raw LUKS container
mount /dev/mapper/cryptdisk /mnt/root
# Add custom components to /mnt/root
```

  4. Configure crypttab and fstab:

```shell
root_part_uuid=$(cryptsetup luksUUID $root_device)
# third field "none" (lowercase) means no key file: prompt for a passphrase
echo "cryptdisk UUID=$root_part_uuid none luks" > /mnt/root/etc/crypttab
echo "/dev/mapper/cryptdisk   /       ext4    defaults        0       1" > /mnt/root/etc/fstab
```

  5. Unmount and close the encrypted partition:

```shell
umount /mnt/root
cryptsetup close cryptdisk
kpartx -dv $loopdev
losetup -d $loopdev
```

  6. Boot the system and observe the failure.

After looking into the code, I found that the following happens at boot time (see https://github.com/flatcar/bootengine/blob/flatcar-master/dracut/31decrypt-root/decrypt-root.service):

  1. During boot, systemd-cryptsetup reads this configuration line.
  2. It identifies the encrypted partition at /dev/disk/by-partlabel/ROOT.
  3. Instead of prompting for a password or using a key file, it uses the TPM2 chip to automatically unlock the partition.
  4. Once decrypted, the partition is made available at /dev/mapper/rootencrypted.

Impact

The system must have a TPM2 chip, and it must be properly configured and enabled in the BIOS/UEFI. If the TPM2 chip is missing or misconfigured, the partition will not be decrypted.

Ideal future situation

It should support manual password entry or a key from disk during boot time.

Implementation options

This needs to be modified to allow other methods to decrypt the ROOT partition: `dracut/31decrypt-root/decrypt-root.service`
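The crypttab/fstab pair written in step 4 above is the one piece of the setup that can be checked offline before booting. The linter below is an added example for this thread, not Flatcar or bootengine code, and it does not model what `decrypt-root.service` does; it only checks that the two files are internally consistent and reports which unlock method systemd-cryptsetup would use for each mapping (passphrase, key file, TPM2, FIDO2 or PKCS#11), following the crypttab(5) field semantics as an assumption. The sample UUID and file contents are constructed for the example.

```python
"""Offline linter for a crypttab/fstab pair describing an encrypted root.

Added example, not Flatcar/bootengine code. Unlock-method classification
follows systemd's crypttab(5) fields as an assumption.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


class CryptEntry(NamedTuple):
    name: str                  # mapping name -> /dev/mapper/<name>
    device: str                # UUID=..., PARTLABEL=..., /dev/...
    keyfile: str               # "none"/"-" = prompt, otherwise a key-file path
    options: Tuple[str, ...]   # comma-separated fourth field


def _strip(raw: str) -> str:
    """Drop a trailing comment and surrounding whitespace from one line."""
    return raw.split("#", 1)[0].strip()


def parse_crypttab(text: str) -> List[CryptEntry]:
    entries = []
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = tuple(fields[3].split(",")) if len(fields) > 3 else ()
        entries.append(CryptEntry(fields[0], fields[1], keyfile, options))
    return entries


def unlock_method(entry: CryptEntry) -> str:
    """Classify how systemd-cryptsetup would unlock this mapping."""
    for opt in entry.options:
        if opt.startswith("tpm2-device="):
            return "tpm2"
        if opt.startswith("fido2-device="):
            return "fido2"
        if opt.startswith("pkcs11-uri="):
            return "pkcs11"
    if entry.keyfile in ("none", "-"):
        return "passphrase"
    return "keyfile"


def fstab_root_source(text: str) -> Optional[str]:
    """Return the source device of the first fstab entry mounted on '/'."""
    for raw in text.splitlines():
        fields = _strip(raw).split()
        if len(fields) >= 2 and fields[1] == "/":
            return fields[0]
    return None


def lint(crypttab_text: str, fstab_text: str) -> List[str]:
    """Return findings as strings; an empty list means the pair is consistent."""
    findings = []
    entries = parse_crypttab(crypttab_text)
    for e in entries:
        if e.device.startswith("UUID="):
            if not UUID_RE.match(e.device[len("UUID="):]):
                findings.append(f"{e.name}: device {e.device!r} is not a valid UUID")
        elif not e.device.startswith(("/dev/", "PARTUUID=", "PARTLABEL=", "LABEL=")):
            findings.append(f"{e.name}: unrecognised device spec {e.device!r}")
        # "None" is not "none": systemd matches the literal lowercase word
        if e.keyfile.lower() in ("none", "-") and e.keyfile not in ("none", "-"):
            findings.append(f"{e.name}: key-file field {e.keyfile!r} is not the "
                            "documented 'none'/'-' spelling and would be read as a path")
        elif unlock_method(e) == "keyfile" and not e.keyfile.startswith("/"):
            findings.append(f"{e.name}: key file {e.keyfile!r} is not an absolute path")
    root_src = fstab_root_source(fstab_text)
    if root_src is None:
        findings.append("fstab: no entry mounts '/'")
    elif root_src.startswith("/dev/mapper/"):
        if root_src[len("/dev/mapper/"):] not in {e.name for e in entries}:
            findings.append(f"fstab: root '{root_src}' has no matching crypttab mapping")
    return findings


# Constructed samples; the UUID is made up for this example.
SAMPLE_UUID = "5e5d4b1a-3c2f-4e8a-9b7c-1d2e3f4a5b6c"
CRYPTTAB_AS_POSTED = f"cryptdisk UUID={SAMPLE_UUID} None luks\n"
CRYPTTAB_FIXED = f"cryptdisk UUID={SAMPLE_UUID} none luks\n"
CRYPTTAB_TPM2 = f"cryptdisk UUID={SAMPLE_UUID} none luks,tpm2-device=auto\n"
FSTAB = "/dev/mapper/cryptdisk   /       ext4    defaults        0       1\n"

if __name__ == "__main__":
    for label, tab in (("as posted", CRYPTTAB_AS_POSTED),
                       ("fixed", CRYPTTAB_FIXED), ("tpm2", CRYPTTAB_TPM2)):
        entry = parse_crypttab(tab)[0]
        print(f"{label}: unlock={unlock_method(entry)} findings={lint(tab, FSTAB)}")
```

Running it shows that the posted line with `None` is classified as a key-file unlock (systemd would look for a file literally named `None`), while the lowercase form is a passphrase prompt and the `tpm2-device=auto` variant is the TPM2 path the issue describes; a mismatch between the fstab root source and the crypttab mapping name is reported as well.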

Projects
Status: 📝 Needs Triage