tpm2_unseal freeze at boot

Pawit Pornkitprasan
Sep 21, 2019

The advantage of Arch Linux is that you’re always using the latest and greatest released software. However, that is also a disadvantage in itself. I recently upgraded my Arch Linux system, which gave me Linux kernel 5.3 and tpm2-tools 4.0.

Command Line Change

The first problem I ran into is that the command-line parameters for tpm2_unseal changed yet again. I have no idea why they like to change the parameters.

Previously, the command was as follows:

tpm2_unseal -H 0x81000000 -L sha1:0,7 -o /crypto_keyfile.bin

Now, it is as follows:

tpm2_unseal -c 0x81000000 -p pcr:sha1:0,7 -o /crypto_keyfile.bin

Freeze at boot time

Fixing the parameters didn’t make it fully work, unfortunately. Now the command freezes at boot time for reasons unknown, despite working once the computer has fully booted. More interestingly, if I start mashing keyboard buttons, the process stops freezing.

To debug, I put strace into the initramfs and ran it on tpm2_unseal. I found that it was freezing on the getrandom system call. It turns out I’m facing boot-time entropy starvation. I’m not sure if this is due to the new tpm2-tools or the kernel upgrade.

The solution presented on Debian’s wiki is to add entropy from the TPM into Linux’s random pool by using the following kernel command-line parameter:

rng_core.default_quality=1000
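
To confirm the workaround is actually in effect after a reboot, the following check (an added example, not part of the original post) reads the parameter back from the kernel command line and verifies that a hardware RNG is selected. The sysfs path /sys/class/misc/hw_random/rng_current and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that the rng_core.default_quality workaround is active.
# File paths are function arguments so the logic can be run on constructed files.

# Print the value of rng_core.default_quality found in a kernel command line
# file (normally /proc/cmdline). Last occurrence wins; prints nothing if absent.
cmdline_quality() {
    val=$(tr ' ' '\n' < "$1" | sed -n 's/^rng_core\.default_quality=//p' | tail -n 1)
    printf '%s' "$val"
}

# Print the active hardware RNG named in an rng_current file.
# Prints "none" when the file is missing or empty.
current_hwrng() {
    name=""
    [ -r "$1" ] && read -r name < "$1" || true
    printf '%s' "${name:-none}"
}

# Return 0 only when the quality is a positive integer AND a hardware RNG is
# selected; otherwise print the reason and return 1.
hwrng_feeds_pool() {
    q=$(cmdline_quality "$1")
    rng=$(current_hwrng "$2")
    case "$q" in
        ''|*[!0-9]*) echo "default_quality not set or not a number"; return 1 ;;
    esac
    [ "$q" -gt 0 ] || { echo "default_quality is 0"; return 1; }
    [ "$rng" != "none" ] || { echo "no hardware RNG selected"; return 1; }
    echo "ok: $rng credited at $q per 1024 bits"
}

# Check the live system only when invoked with the argument "check".
if [ "${1:-}" = "check" ]; then
    hwrng_feeds_pool /proc/cmdline /sys/class/misc/hw_random/rng_current
fi
```

If the check reports that no hardware RNG is selected, the parameter alone will not help, because there is no device for the kernel to draw entropy from.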

Conclusion

After changing the kernel parameter, everything now works perfectly. I hope you’ve found this post useful if you’re facing the same issue!
