Bug 49922

Summary: Consider adding TPM2 and FIDO2 security device support to systemd.
Product: Branch p10 Reporter: Constantin <constacalm>
Component: systemd    Assignee: Alexey Shabalin <shaba>
Status: NEW --- QA Contact: qa-p10 <qa-p10>
Severity: enhancement    
Priority: P5 CC: amakeenk, constacalm
Version: not specified
Hardware: x86_64   
OS: Linux   

Description Constantin 2024-04-05 21:35:06 MSK
It is possible to convert an encrypted volume from LUKS1 to LUKS2 using a Live CD (but Calamares doesn't support this).

It is impossible to use any decryption factor other than a password to open a LUKS2 container on the ALT p10 platform.

Systemd version 249 (https://github.com/systemd/systemd/tree/v249) supports storing LUKS (version 2) decryption keys directly in a TPM2 module or on an external FIDO2 USB device (such as a YubiKey or similar).

I suggest that systemd in this case needs to be recompiled with TPM2 and FIDO2 support.

Now we have these options in systemd:

# systemd --version
systemd 249 (v249.17-alt2)
+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY -P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified

# systemd-cryptenroll --tpm2-device=list
TPM2 not supported on this build.

As we can see, there is no support for FIDO2 or TPM2 devices at all.

But the upstream release of systemd 249 (https://github.com/systemd/systemd/blob/v249/meson_options.txt) has these support options:

...
option('libfido2', type : 'combo', choices : ['auto', 'true', 'false'],
       description : 'FIDO2 support')
option('tpm2', type : 'combo', choices : ['auto', 'true', 'false'],
       description : 'TPM2 support')

...

Consider adding support for FIDO2 and TPM2 security devices to systemd 249.
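The check and the enrollment step the report is asking for, as an added example that is not part of the bug report or of the ALT systemd package: a small POSIX shell script that parses the feature line of the `systemd --version` banner (the `+TPM2` / `-FIDO2` tokens shown above) and only calls `systemd-cryptenroll` with a hardware factor when the installed build actually has it, instead of discovering the missing feature from the "TPM2 not supported on this build" error. The two banners embedded below are copied from the report and used as offline test input; the function and variable names are this example's own, and binding the TPM2 enrollment to PCR 7 only is an assumption, not something the report specifies.

```shell
#!/bin/sh
# Added example (not from the bug report): check build-time TPM2/FIDO2
# support in systemd before enrolling a LUKS2 volume with a hardware factor.

# systemd_has_feature BANNER FEATURE
#   0 if the banner lists "+FEATURE", 1 if it lists "-FEATURE",
#   2 if the feature does not appear at all (older build or unknown name).
systemd_has_feature() {
    banner=$(printf '%s' "$1" | tr '\n' ' ')
    feature="$2"
    # Surround with spaces so "+IDN" cannot match inside "+IDN2".
    case " $banner " in
        *" +$feature "*) return 0 ;;
        *" -$feature "*) return 1 ;;
        *)               return 2 ;;
    esac
}

# usable_factors BANNER
#   Prints the hardware unlock factors this systemd build can enroll
#   ("tpm2", "fido2", both, or an empty line).
usable_factors() {
    out=""
    systemd_has_feature "$1" TPM2  && out="$out tpm2"
    systemd_has_feature "$1" FIDO2 && out="$out fido2"
    printf '%s\n' "${out# }"
}

# enroll_factor tpm2|fido2 /dev/sdXN
#   Refuses up front when the installed systemd lacks the factor; otherwise
#   runs systemd-cryptenroll, which will prompt for the existing passphrase.
enroll_factor() {
    factor="$1"; dev="$2"
    banner=$(systemctl --version)   # same feature line as `systemd --version`
    case "$factor" in
        tpm2)
            systemd_has_feature "$banner" TPM2 || {
                echo "installed systemd has no TPM2 support" >&2; return 1; }
            # Assumption for this example: seal the key to PCR 7 (Secure Boot
            # policy) only, so kernel/initrd updates do not invalidate it.
            systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$dev"
            ;;
        fido2)
            systemd_has_feature "$banner" FIDO2 || {
                echo "installed systemd has no FIDO2 support" >&2; return 1; }
            systemd-cryptenroll --fido2-device=auto "$dev"
            ;;
        *)
            echo "unknown factor: $factor (use tpm2 or fido2)" >&2; return 2
            ;;
    esac
}

# Banners copied from the bug report (p10 and Sisyphus), used as test input.
P10_BANNER='systemd 249 (v249.17-alt2)
+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY -P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified'
SISYPHUS_BANNER='systemd 254 (254.10-alt1)
+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified'

echo "p10 build can enroll:      [$(usable_factors "$P10_BANNER")]"
echo "Sisyphus build can enroll: [$(usable_factors "$SISYPHUS_BANNER")]"

# On a real host, report what the installed systemd can do.
if command -v systemctl >/dev/null 2>&1; then
    echo "installed build can enroll: [$(usable_factors "$(systemctl --version)")]"
fi
```

Enrolling only adds a key slot; for automatic unlock at boot the volume's `/etc/crypttab` line also needs `tpm2-device=auto` or `fido2-device=auto` in its options field, and the initramfs has to carry the cryptsetup hooks plus the TPM2/FIDO2 libraries, which is distribution-specific. For a rebuild of the package, the two options quoted above from meson_options.txt are enabled with `-Dtpm2=true -Dlibfido2=true` on the meson command line (libtss2 and libfido2 development packages must then be available at build time).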
Comment 1 Alexander Makeenkov 2024-04-08 09:19:40 MSK
# rpm -q systemd && systemd-cryptenroll --tpm2-device=list
systemd-249.17-alt2.x86_64
TPM2 not supported on this build.

Not reproducible in Sisyphus:

# rpm -q systemd && systemd-cryptenroll --tpm2-device=list
systemd-254.10-alt1.x86_64
No suitable TPM2 devices found.
Comment 2 Constantin 2024-04-09 09:06:52 MSK
In Sisyphus we still can't use systemd to enroll LUKS2 keys into an external FIDO2 device such as a YubiKey, Rutoken MFA, Google Titan, etc.:

# systemd --version
systemd 254 (254.10-alt1)
+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified

As we can see, systemd in Sisyphus still has no support for FIDO2 devices. Almost every modern Linux distro has this support now. Moreover, many distros offer this support in two independent ways: with systemd (the modern way) and with special LUKS YubiKey packages (the legacy way).

Btw, the original bug is mainly about the p10 platform, not Sisyphus.