Can't enable LUKS Full disk encryption with uCore

Hi,

I’m new to uCore and FCOS. uCore looks like the perfect solution for my home server as it includes mergerfs and SnapRAID, and I look forward to configuring everything through a Butane/Ignition file.

I first tried the base uCore example:

variant: fcos
version: 1.4.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - XXX
      password_hash: XXX
storage:
  directories:
    - path: /etc/ucore-autorebase
      mode: 0754
systemd:
  units:
    - name: ucore-unsigned-autorebase.service
      enabled: true
      contents: |
        [Unit]
        Description=uCore autorebase to unsigned OCI and reboot
        ConditionPathExists=!/etc/ucore-autorebase/unverified
        ConditionPathExists=!/etc/ucore-autorebase/signed
        After=network-online.target
        Wants=network-online.target
        [Service]
        Type=oneshot
        StandardOutput=journal+console
        ExecStart=/usr/bin/rpm-ostree rebase --bypass-driver ostree-unverified-registry:ghcr.io/ublue-os/ucore:stable
        ExecStart=/usr/bin/touch /etc/ucore-autorebase/unverified
        ExecStart=/usr/bin/systemctl disable ucore-unsigned-autorebase.service
        ExecStart=/usr/bin/systemctl reboot
        [Install]
        WantedBy=multi-user.target
    - name: ucore-signed-autorebase.service
      enabled: true
      contents: |
        [Unit]
        Description=uCore autorebase to signed OCI and reboot
        ConditionPathExists=/etc/ucore-autorebase/unverified
        ConditionPathExists=!/etc/ucore-autorebase/signed
        After=network-online.target
        Wants=network-online.target
        [Service]
        Type=oneshot
        StandardOutput=journal+console
        ExecStart=/usr/bin/rpm-ostree rebase --bypass-driver ostree-image-signed:docker://ghcr.io/ublue-os/ucore:stable
        ExecStart=/usr/bin/touch /etc/ucore-autorebase/signed
        ExecStart=/usr/bin/systemctl disable ucore-signed-autorebase.service
        ExecStart=/usr/bin/systemctl reboot
        [Install]
        WantedBy=multi-user.target

Installation went perfectly and I could enable secure boot with the command from the readme.

Now, I would like to add full disk encryption with TPM2. https://docs.fedoraproject.org/en-US/fedora-coreos/storage/#_encrypted_storage_luks

variant: fcos
version: 1.4.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - XXX
      password_hash: XXX
storage:
  directories:
    - path: /etc/ucore-autorebase
      mode: 0754
  luks:
    - name: root
      label: luks-root
      device: /dev/disk/by-partlabel/root
      clevis:
        custom:
          needs_network: false
          pin: tpm2
          config: '{"pcr_bank":"sha1","pcr_ids":"7"}'
      wipe_volume: true
  filesystems:
    - device: /dev/mapper/root
      format: xfs
      wipe_filesystem: true
      label: root
systemd:
  units:
    - name: ucore-unsigned-autorebase.service
      enabled: true
      contents: |
        [Unit]
        Description=uCore autorebase to unsigned OCI and reboot
        ConditionPathExists=!/etc/ucore-autorebase/unverified
        ConditionPathExists=!/etc/ucore-autorebase/signed
        After=network-online.target
        Wants=network-online.target
        [Service]
        Type=oneshot
        StandardOutput=journal+console
        ExecStart=/usr/bin/rpm-ostree rebase --bypass-driver ostree-unverified-registry:ghcr.io/ublue-os/ucore:stable
        ExecStart=/usr/bin/touch /etc/ucore-autorebase/unverified
        ExecStart=/usr/bin/systemctl disable ucore-unsigned-autorebase.service
        ExecStart=/usr/bin/systemctl reboot
        [Install]
        WantedBy=multi-user.target
    - name: ucore-signed-autorebase.service
      enabled: true
      contents: |
        [Unit]
        Description=uCore autorebase to signed OCI and reboot
        ConditionPathExists=/etc/ucore-autorebase/unverified
        ConditionPathExists=!/etc/ucore-autorebase/signed
        After=network-online.target
        Wants=network-online.target
        [Service]
        Type=oneshot
        StandardOutput=journal+console
        ExecStart=/usr/bin/rpm-ostree rebase --bypass-driver ostree-image-signed:docker://ghcr.io/ublue-os/ucore:stable
        ExecStart=/usr/bin/touch /etc/ucore-autorebase/signed
        ExecStart=/usr/bin/systemctl disable ucore-signed-autorebase.service
        ExecStart=/usr/bin/systemctl reboot
        [Install]
        WantedBy=multi-user.target

But this does not work. When the system is installing, I get the following error:
A CLI validation tool to check this called ignition-validate can be downloaded from GitHub: https://github.com/coreos/ignition/releases
-----

Displaying logs from failed units: sysroot.mount ignition-disks.service
Dec 29 21:32:05 systemd[1]: sysroot.mount: Failed to load environment files: No such file or directory
Dec 29 21:32:05 systemd[1]: sysroot.mount: Failed to spawn 'mount' task: No such file or directory
Dec 29 21:32:05 systemd[1]: sysroot.mount: Failed with result 'resources'.
Dec 29 21:32:05 systemd[1]: Failed to mount sysroot.mount - /sysroot.
Dec 29 21:32:04 ignition[905]: "contents": ["[Unit]
Description=uCore autorebase to signed OCI and reboot
ConditionPathExists=/etc/ucore-autorebase/unverified
ConditionPathExists=!/etc/ucore-autorebase/signed
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
StandardOutput=journal+console
ExecStart=/usr/bin/rpm-ostree rebase --bypass-driver ostree-image-signed:docker://ghcr.io/ublue-os/ucore:stable
ExecStart=/usr/bin/systemctl disable ucore-signed-autorebase.service
ExecStart=/usr/bin/systemctl reboot
[Install]
WantedBy=multi-user.target"
Dec 29 21:32:04 ignition[905]: {
  "enabled": true,
  "name": "ucore-signed-autorebase.service"
}
Dec 29 21:32:04 ignition[905]: }
Dec 29 21:32:04 systemd[1]: Failed to start ignition-disks.service - Ignition (disks).
Dec 29 21:32:04 systemd[1]: ignition-disks.service: Consumed 33.869s CPU time, 16 memory peak.
Dec 29 21:32:04 systemd[1]: ignition-disks.service: Triggering OnFailure= dependencies.

Generating "/run/initramfs/rdsosreport.txt"

Entering emergency mode. Exit the shell to continue.
Type "journalctl" to view system logs.
You might want to save "/run/initramfs/rdsosreport.txt" to a USB stick or /boot after mounting them and attach it to a bug report.

Press Enter for system maintenance
(or press Control-D to continue)

My rdsosreport.txt is the following:

https://paste.hostux.net/?f5107bfadff95648#BYpCMAHxVfBYtoC8ui7DNopjiEesC5Wh6RkpZP2rsndF

What could be the problem? How do I set up uCore with LUKS full disk encryption?

Thanks in advance for your help, have a nice day.

Without offering you a direct solution (though I am interested), I would first experiment with getting LUKS encryption working on straight Fedora Core before proceeding to uCore.

Then I would probably proceed with any questions on the Fedora Core forums, as you’re likely to get more expert advice there since there are more users. This question seems like it’s more of a base question regarding how to implement this on Fedora Core than on uCore specifically.

I wonder if their docs are right. I can’t imagine sha1 is right. I don’t know if any of my test equipment has TPM2 chip on it, but I’ll be happy to give it a go when I have some time and see if I get the same issues.

Thanks for your answer.

You are right. I have a Ryzen 3200G with an fTPM that does not support sha1. Switching to sha256 did the trick.

I made a post about it on FCOS because, as you also said, my problems are more related to FCOS than to uCore: Can't enable full disk encryption - #3 by saladcesar - Fedora Discussion

By the way, if you have an idea, I would be interested in your opinion on this problem I am having now: Can't combine manual partitioning + LUKS - Fedora Discussion. Basically, I succeeded in getting LUKS working, and I succeeded in getting manual partitioning working (adding /var on a new btrfs partition), but I can’t get both working at the same time. I can’t find an example doing both at the same time, and I’m trying to find out if storage.luks is compatible with storage.disks.
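The root cause in this thread is a clevis tpm2 pin bound to a PCR bank (sha1) that the fTPM has no PCRs allocated in, so ignition-disks fails at install time with a message that does not say "wrong bank". The following is an added example, not code from the thread or from the uCore/FCOS projects: a small checker that takes the text `tpm2_getcap pcrs` prints and the `config` string from the Butane `clevis.custom` stanza, reports the mismatch, and proposes a corrected config. It does not talk to a TPM; the `tpm2_getcap` output is a constructed sample in the layout tpm2-tools uses, shaped like an fTPM with an empty sha1 bank, and the preference order for banks is the author's choice. Run it on a real box by piping the actual `tpm2_getcap pcrs` output into `parse_pcr_banks` before you transpile the Butane file.

```python
"""Check a clevis tpm2 pin config against the PCR banks a TPM has allocated.

Added example, not part of the thread. The `tpm2_getcap pcrs` text below is
constructed to resemble an AMD fTPM that allocates sha256 PCRs but no sha1
PCRs, which is the situation the thread ran into.
"""
import json
import re

# Constructed sample of `tpm2_getcap pcrs` output (hypothetical device).
SAMPLE_GETCAP_PCRS = """\
selected-pcrs:
  - sha1: [ ]
  - sha256: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
  - sha384: [ ]
"""

# The clevis config string from the failing Butane file in the thread,
# and the one the poster reported as working.
CLEVIS_SHA1 = '{"pcr_bank":"sha1","pcr_ids":"7"}'
CLEVIS_SHA256 = '{"pcr_bank":"sha256","pcr_ids":"7"}'

# Which bank to fall back to when the configured one is unusable (author's choice).
BANK_PREFERENCE = ("sha256", "sha384", "sha512", "sha1")

_BANK_LINE = re.compile(r"^\s*-\s*(\w+):\s*\[(.*)\]\s*$")


def parse_pcr_banks(getcap_output):
    """Map bank name -> set of allocated PCR indices from `tpm2_getcap pcrs` text."""
    banks = {}
    for line in getcap_output.splitlines():
        m = _BANK_LINE.match(line)
        if not m:
            continue
        bank, body = m.group(1), m.group(2)
        banks[bank] = {int(x) for x in body.replace(",", " ").split()}
    return banks


def parse_pcr_ids(value):
    """Clevis takes pcr_ids as a comma-separated string ("7", "0,7"); tolerate a list too."""
    if isinstance(value, list):
        return [int(x) for x in value]
    return [int(x) for x in str(value).split(",") if x.strip()]


def check_clevis_tpm2(config_json, banks):
    """Return (ok, problems) for a clevis tpm2 pin config against the allocated banks."""
    cfg = json.loads(config_json)
    problems = []
    bank = cfg.get("pcr_bank")
    if bank is None:
        problems.append("pcr_bank not set; set it explicitly to a bank this TPM allocates")
    elif bank not in banks:
        problems.append("pcr_bank %r is not reported by this TPM" % bank)
    elif not banks[bank]:
        problems.append("pcr_bank %r exists but has no PCRs allocated" % bank)
    if "pcr_ids" not in cfg:
        # Without pcr_ids the key is sealed to the TPM only, not to any boot state.
        problems.append("pcr_ids not set: volume unlocks in any boot state on this TPM")
    else:
        ids = parse_pcr_ids(cfg["pcr_ids"])
        bad = [i for i in ids if i < 0 or i > 23]
        if bad:
            problems.append("pcr_ids out of range 0-23: %s" % bad)
        if bank in banks and banks[bank]:
            missing = sorted(set(ids) - banks[bank])
            if missing:
                problems.append("PCRs %s not allocated in bank %r" % (missing, bank))
    return (not problems, problems)


def suggest_bank(banks):
    """First bank in BANK_PREFERENCE that actually has PCRs allocated, or None."""
    for bank in BANK_PREFERENCE:
        if banks.get(bank):
            return bank
    return None


def fix_clevis_tpm2(config_json, banks):
    """Return the config unchanged if it checks out, else a copy moved to a usable bank."""
    ok, _ = check_clevis_tpm2(config_json, banks)
    if ok:
        return config_json
    bank = suggest_bank(banks)
    if bank is None:
        raise ValueError("this TPM reports no PCR bank with allocated PCRs")
    cfg = json.loads(config_json)
    cfg["pcr_bank"] = bank
    cfg.setdefault("pcr_ids", "7")  # PCR 7 = Secure Boot policy, as in the thread's config
    return json.dumps(cfg, separators=(",", ":"))


if __name__ == "__main__":
    banks = parse_pcr_banks(SAMPLE_GETCAP_PCRS)
    for name, cfg in (("sha1 (from the failing config)", CLEVIS_SHA1),
                      ("sha256 (the working config)", CLEVIS_SHA256)):
        ok, problems = check_clevis_tpm2(cfg, banks)
        print(name, "->", "ok" if ok else "; ".join(problems))
    print("suggested:", fix_clevis_tpm2(CLEVIS_SHA1, banks))
```

Two caveats worth keeping in mind with this kind of binding. Sealing to PCR 7 means the volume auto-unlocks only while the Secure Boot policy measured into PCR 7 stays the same; enrolling a new Secure Boot key or toggling Secure Boot after install changes PCR 7, and the clevis slot will then refuse to unlock, so keep a second LUKS key slot (a passphrase or key file kept off the machine) before changing firmware settings. And a TPM-only unlock with no pcr_ids at all, which the checker flags, protects against the disk being moved to another machine but not against the machine itself being booted by someone else.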