RHEL-138232

[RFE] Include clevis-pin-tpm2 in initramfs by default for bootc systems


    • Type: Story
    • Resolution: Unresolved
    • Priority: Normal
    • bootc, rhel-image-mode

      Goal

      • One of our customers wants the clevis and clevis-pin-tpm2 dracut modules to be included in the base bootc initramfs images, so that users can leverage TPM2 auto-unlocking functionality without manual workarounds in their Containerfile.
        • Context: A customer has identified a discrepancy where RHEL 9.7 edge-commit (ostree) builds correctly include the Clevis stack, but the bootc images do not. Currently, they must add it manually to their Containerfile using the steps in the doc section "11.2. Adding or changing content in the bootc image initramfs". The customer says that with traditional RHEL and OSTree-based RHEL they never had to add these modules manually; automatic LUKS unlock using TPM worked out of the box.
          Since TPM-based automatic LUKS unlock is a common customer use case, they expect the required clevis TPM2 components to be included in the initramfs by default, without requiring a manual build step.
        • Currently the following dracut configuration and Containerfile are needed to include these.
           # cat config/system/usr/lib/dracut/dracut.conf.d/90-clevis.conf 
          add_dracutmodules+=" clevis clevis-pin-tpm2 "
          
           # cat Containerfile 
          FROM registry.redhat.io/rhel10/rhel-bootc:latest
          
          RUN dnf install clevis-dracut -y
          
          # Copy OS-level configuration
          COPY config/system/ /
          
          # Rebuild initramfs to include the required Clevis and TPM2 modules
          RUN set -x; \
              kver=$(rpm -qa kernel-modules | sed 's/kernel-modules-//' | sort -V | tail -n 1); \
              dracut -vf /usr/lib/modules/$kver/initramfs.img "$kver"
          
        • In RHEL 9.7 edge-commit, it is present, as seen below.
          # cat /var/lib/osbuild-composer/jobs/b71fcc5c-680d-4945-9113-fa0692d21f4f.json  | json_reformat  | grep clevis
                                       "url": "https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/appstream/os/Packages/c/clevis-luks-21-208.el9.x86_64.rpm",
                                      "url": "https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/appstream/os/Packages/c/clevis-systemd-21-208.el9.x86_64.rpm",
                                      "url": "https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/appstream/os/Packages/c/clevis-dracut-21-208.el9.x86_64.rpm",
                                      "url": "https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/appstream/os/Packages/c/clevis-21-208.el9.x86_64.rpm",
                                      "url": "https://cdn.redhat.com/content/dist/rhel9/9.7/x86_64/appstream/os/Packages/c/clevis-pin-tpm2-0.5.1-2.el9.x86_64.rpm",
          [....]
          
        • I used the following kickstart to test auto unlocking, which I see works with the above provided Containerfile.
          # cat config.toml 
          [customizations.installer.modules]
          enable = [
            "org.fedoraproject.Anaconda.Modules.Localization"
          ]
          
          [customizations.installer.kickstart]
          contents = """
          user --name ameya --password 123 --plaintext --groups wheel
          rootpw --lock
          text
          
          bootloader --append="console=tty0 console=ttyS0,115200n8"
          lang en_US
          timezone America/New_York
          #keyboard --xlayouts=en --vckeymap=en
          
          zerombr
          clearpart --all --initlabel
          autopart --type=lvm --encrypted --luks-version=luks2 --passphrase test
          #reboot --eject
          network --bootproto=dhcp --device=link --activate --onboot=on
          
          
          %post --log=/root/ks-post.log
          set -x
          enc_device="/dev/$(lsblk --filter 'FSTYPE == "crypto_LUKS"' -o NAME --noheading| head -n 1)"
          clevis luks bind -y -k - -d ${enc_device} tpm2 '{"pcr_bank":"sha256", "pcr_ids":"15"}' <<< "test"
          %end
          
          """
          

      Acceptance criteria

      A list of verification conditions, successful functional tests, or expected outcomes in order to declare this story/task successfully completed.

      • Verify that `clevis-dracut` and `clevis-pin-tpm2` are included in the default package set for bootc image builds.
      • Verify that the resulting initramfs contains the necessary Clevis binaries and dracut modules to support TPM2 binding.
      • Verify successful auto-unlock boot flow on a TPM2-enabled target using a standard bootc image.
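Added example for the second acceptance criterion (checking the rebuilt initramfs), written here as an illustration and not taken from this issue or from the bootc project. It parses the listing printed by `lsinitrd` (from the dracut package) and fails unless the `clevis` and `clevis-pin-tpm2` dracut modules and the clevis binaries are present, so it can be run inside the container build right after the `dracut -vf` step in the Containerfile above, or against the booted host. The binary paths `usr/bin/clevis` and `usr/bin/clevis-pin-tpm2` are assumptions, and the two sample listings are constructed and abridged.

```shell
#!/bin/sh
# Added example, not part of the Jira issue or the bootc project.
# Verify that an initramfs carries the pieces needed for TPM2 auto-unlock:
# the clevis and clevis-pin-tpm2 dracut modules and the clevis binaries.
# Usage on a real image:
#   sh check-clevis-initrd.sh /usr/lib/modules/<kver>/initramfs.img

REQUIRED_MODULES="clevis clevis-pin-tpm2"
# Assumed binary paths (not stated in the issue); adjust to your build.
REQUIRED_FILES="usr/bin/clevis usr/bin/clevis-pin-tpm2"

# Print the names in the "dracut modules:" section of an lsinitrd listing (stdin).
initrd_modules() {
    awk '/^dracut modules:/ { inmod = 1; next }
         inmod && /^=+$/    { inmod = 0 }
         inmod && NF        { print $1 }'
}

# Print the path of every ls -l style entry in an lsinitrd listing (stdin).
# Field 9 is the entry name even for symlinks ("name -> target").
initrd_files() {
    awk '$1 ~ /^[-dlcb]/ && NF >= 9 { print $9 }'
}

# Read a listing from stdin; report every missing module or file on stderr.
# Returns 0 only when everything required is present.
check_listing() {
    listing=$(cat)
    mods=$(printf '%s\n' "$listing" | initrd_modules)
    files=$(printf '%s\n' "$listing" | initrd_files)
    rc=0
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$mods" | grep -qx -- "$m"; then
            echo "MISSING dracut module: $m" >&2
            rc=1
        fi
    done
    for f in $REQUIRED_FILES; do
        if ! printf '%s\n' "$files" | grep -qx -- "$f"; then
            echo "MISSING file: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Check a real initramfs image: lsinitrd prints the listing the checker expects.
check_image() {
    lsinitrd "$1" | check_listing
}

# Constructed, abridged listing of an image rebuilt with 90-clevis.conf in place.
sample_with_clevis() {
    cat <<'EOF'
Image: /usr/lib/modules/KVER/initramfs.img: 42M
========================================================================
Version: dracut

dracut modules:
bash
systemd
crypt
clevis
clevis-pin-tpm2
dm
========================================================================
lrwxrwxrwx   1 root     root            7 Jan  1  1970 bin -> usr/bin
drwxr-xr-x   1 root     root            0 Jan  1  1970 usr/bin
-rwxr-xr-x   1 root     root        16232 Jan  1  1970 usr/bin/clevis
-rwxr-xr-x   1 root     root      1834064 Jan  1  1970 usr/bin/clevis-pin-tpm2
-rwxr-xr-x   1 root     root       916320 Jan  1  1970 usr/bin/cryptsetup
========================================================================
EOF
}

# Constructed listing of a stock bootc initramfs: crypt is there, clevis is not.
sample_without_clevis() {
    cat <<'EOF'
Image: /usr/lib/modules/KVER/initramfs.img: 39M
========================================================================
Version: dracut

dracut modules:
bash
systemd
crypt
dm
========================================================================
drwxr-xr-x   1 root     root            0 Jan  1  1970 usr/bin
-rwxr-xr-x   1 root     root       916320 Jan  1  1970 usr/bin/cryptsetup
========================================================================
EOF
}

# With an image path as the only argument, check that image and exit non-zero if
# anything is missing; with no argument only the functions above are defined.
if [ $# -gt 0 ]; then
    check_image "$1"
fi
```

A non-zero exit from check_image in a RUN step fails the container build, which is the cheapest place to catch a Containerfile that forgot the dracut rebuild; the same script on the booted host confirms what actually shipped in /usr/lib/modules/<kver>/initramfs.img.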

              Assignee: Colin Walters (walters@redhat.com)
              Reporter: Ameya Patil (rhn-support-amepatil)
              Colin Walters
              Xiaofeng Wang
              Votes: 1
              Watchers: 4