4 Oct 2024 |
mjm | yeah so did i | 02:48:31 |
mjm | it works! | 02:53:50 |
mjm | automatic unlock, no clevis | 02:53:56 |
ElvishJerricco | fantastic! | 02:54:49 |
ElvishJerricco | Did it need the after = ["tpm2.target"]; thing? | 02:55:01 |
mjm | i'll need to test without it | 02:55:22 |
mjm | which i'll do shortly | 02:55:36 |
ElvishJerricco | cool, thanks for test :) | 02:55:49 |
ElvishJerricco | * cool, thanks for testing :) | 02:56:24 |
mjm | yeah np | 02:56:51 |
mjm | i think there may be something else weird here with impermanence, it makes this create-needed-for-boot-dirs service in initrd that is failing, not sure why yet. it's possible it was failing before though, since it doesn't seem to be blocking boot | 02:58:09 |
ElvishJerricco | hm, yea I can't imagine why this would have any effect on that | 02:59:10 |
ElvishJerricco | if clevis didn't | 02:59:14 |
mjm | true | 03:00:13 |
mjm | okay after = ["tpm2.target"] does not appear to be necessary | 03:03:00 |
mjm | works fine without it | 03:03:05 |
ElvishJerricco | interesting | 03:03:06 |
ElvishJerricco | I wonder if systemd is actually making sure to wait for the TPM or if you're just winning the race | 03:03:21 |
mjm | it's hard to say, the unlock service seems to start just before the target gets reached, and ends some time after | 03:04:47 |
mjm | but also like...maybe systemd is smart enough to do the right thing with the TPM for those credentials? idk | 03:05:35 |
ElvishJerricco | maybe systemd blocks until a TPM shows up? | 03:05:46 |
ElvishJerricco | I'll test some stuff out | 03:06:07 |
mjm | it might | 03:06:12 |
mjm | In reply to @mjm:midna.dev: "i think there may be something else weird here with impermanence, it makes this create-needed-for-boot-dirs service in initrd that is failing, not sure why yet. it's possible it was failing before though, since it doesn't seem to be blocking boot" — confirmed this is not an issue specifically with the new generator. this service is new in impermanence as of like a week ago, and it seems like it's not properly accounting for encrypted filesystems that need to be unlocked | 03:15:41 |
mjm | so i guess i'll file an issue about that | 03:16:07 |
ElvishJerricco | mjm: I'm trying to figure out what this service is even doing and I don't think it makes any sense? | 03:18:06 |
ElvishJerricco | systemd already creates the mount points before starting mount units | 03:18:14 |
mjm | hmm | 03:18:35 |
mjm | well, it's not creating the mount points | 03:18:57 |
mjm | it's creating the source of the bind mount, not the target | 03:19:07 |