
Boot Failure After Customizing Flatcar Image with LUKS-Encrypted Root Partition #1623

Open
Ghanshyam-Varun opened this issue Jan 28, 2025 · 0 comments
Labels
kind/feature A feature request


Ghanshyam-Varun commented Jan 28, 2025

Current situation

I am customizing the official Flatcar image to integrate our components and encrypting the root partition using LUKS. The root partition is mounted on a separate system, and I’ve configured crypttab and fstab for automatic decryption during boot. However, the system fails to boot, and I observe the following errors during boot time:

[Image: screenshot of the boot-time error messages (not reproduced here)]

Steps to Reproduce

1. Convert the Flatcar QEMU image to a raw disk image:

```bash
qemu-img convert -O raw flatcar_production_qemu_image.img flatcar.raw
```

2. Set up the loop device and encrypt the root partition:

```bash
loopdev=$(losetup -f)
losetup $loopdev flatcar.raw
kpartx -av ${loopdev}
# Partition 9 of the Flatcar image is the ROOT partition
root_device=/dev/mapper/$(basename ${loopdev})p9
cryptsetup luksFormat --type luks2 $root_device
cryptsetup open $root_device cryptdisk
mkfs.ext4 /dev/mapper/cryptdisk
```

3. Mount the root partition and add custom components:

```bash
mkdir -p /mnt/root
# Mount the opened LUKS mapping, not the LUKS container device itself
mount /dev/mapper/cryptdisk /mnt/root
# Add custom components to /mnt/root
```

4. Configure crypttab and fstab:

```bash
root_part_uuid=$(cryptsetup luksUUID $root_device)
# A key field of "none" (lower case) tells systemd-cryptsetup to prompt for a passphrase
echo "cryptdisk UUID=$root_part_uuid none luks" > /mnt/root/etc/crypttab
echo "/dev/mapper/cryptdisk   /       ext4    defaults        0       1" > /mnt/root/etc/fstab
```

5. Unmount and close the encrypted partition:

```bash
umount /mnt/root
cryptsetup close cryptdisk
kpartx -dv $loopdev
losetup -d $loopdev
```

6. Boot the system and observe the failure.

After looking into the code, I found that the following happens at boot time:
https://github.com/flatcar/bootengine/blob/flatcar-master/dracut/31decrypt-root/decrypt-root.service

1. During boot, systemd-cryptsetup reads this configuration line.
2. It identifies the encrypted partition at /dev/disk/by-partlabel/ROOT.
3. Instead of prompting for a password or using a key file, it uses the TPM2 chip to automatically unlock the partition.
4. Once decrypted, the partition is made available at /dev/mapper/rootencrypted.

Impact

The system must have a TPM2 chip, and it must be properly configured and enabled in the BIOS/UEFI. If the TPM2 chip is missing or misconfigured, the partition will not be decrypted.

Ideal future situation

It should support manual password entry or a key from disk during boot time.

Implementation options

This needs to be modified to allow other methods to decrypt the ROOT partition: `dracut/31decrypt-root/decrypt-root.service`
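The issue hinges on which unlock method a crypttab entry actually selects (TPM2 via `tpm2-device=`, an interactive passphrase via `none`/`-`, or an absolute key-file path) and on the fstab mapper name matching it. The following check is an added example, not code from the issue or from the Flatcar project; it assumes only the crypttab field semantics documented for systemd-cryptsetup, and the sample crypttab/fstab lines are constructed (placeholder UUIDs, an illustrative `tpm2-device=auto` line, and a deliberately miscapitalised `None` key field to show how that is interpreted).

```python
# Constructed sample crypttab/fstab modelled on the issue; UUIDs are placeholders
# and the tpm2-device line is an illustration, not Flatcar's actual configuration.
CRYPTTAB = """\
cryptdisk     UUID=PLACEHOLDER-LUKS-UUID-1  none  luks
rootencrypted /dev/disk/by-partlabel/ROOT   -     luks,tpm2-device=auto
badkey        UUID=PLACEHOLDER-LUKS-UUID-2  None  luks
"""
FSTAB = """\
/dev/mapper/cryptdisk   /       ext4    defaults        0       1
/dev/mapper/badkey      /srv    ext4    defaults        0       2
/dev/mapper/missing     /data   ext4    defaults        0       2
"""

def _fields(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def unlock_method(key, options):
    """Classify how systemd-cryptsetup would obtain the key for one crypttab entry."""
    if any(o.startswith("tpm2-device=") for o in options):
        return "tpm2"
    if key in ("none", "-"):
        return "passphrase-prompt"
    if key.startswith("/"):
        return "keyfile"
    # Anything else (e.g. "None") is read as a relative key-file path, not a prompt.
    return "invalid-key:" + key

def check(crypttab, fstab):
    """Return ({mountpoint: unlock method}, findings) for /dev/mapper-backed mounts."""
    entries = {}
    for f in _fields(crypttab):
        key = f[2] if len(f) > 2 else "none"
        opts = f[3].split(",") if len(f) > 3 else []
        entries[f[0]] = unlock_method(key, opts)
    methods, findings = {}, []
    for f in _fields(fstab):
        src, mnt = f[0], f[1]
        if not src.startswith("/dev/mapper/"):
            continue
        method = entries.get(src[len("/dev/mapper/"):])
        if method is None:
            findings.append(f"{mnt}: {src} has no crypttab entry")
            continue
        methods[mnt] = method
        if method.startswith("invalid-key:"):
            findings.append(f"{mnt}: key field {method[12:]!r} is not none, - or an absolute path")
    return methods, findings
```

Running `check(CRYPTTAB, FSTAB)` on the constructed input reports `/` as a passphrase prompt and flags both the `None` key field and the mapper name with no crypttab entry; the same function can be pointed at a mounted image's `/etc/crypttab` and `/etc/fstab` before it is closed and booted.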
