Skip to content

Release version 21 + TPM 1.2, update 7

Latest
Latest
Compare
Choose a tag to compare
@oldium oldium released this 29 Jan 10:16
· 0 commits to master since this release
v21_tpm1u7
3f44136

Packages for Clevis v21 with TPM 1.2 implementation

New and Noteworthy:

  • Added CentOS Stream 10 package.
  • Latest clevis updates.

Debian

Debian Installation Instructions

Version pinning

Version pinning instructions

The package installation is controlled by their priority. To fix clevis packages to tpm1 version, create a file /etc/apt/preferences.d/clevis-pin with the following content:

/etc/apt/preferences.d/clevis-pin:

Package: clevis*
Pin: version *tpm1*
Pin-Priority: 1001

Debian 12 (bookworm)

Download all DEBs to current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u7 | jq -r '.assets[].browser_download_url | select(test("deb12|orig"))' | wget -ci-

Installation of the typical Dracut version with:

sudo apt install ./clevis-dracut_21-1+tpm1u7+deb12_amd64.deb ./clevis-systemd_21-1+tpm1u7+deb12_amd64.deb ./clevis-tpm1_21-1+tpm1u7+deb12_amd64.deb ./clevis-luks_21-1+tpm1u7+deb12_amd64.deb ./clevis_21-1+tpm1u7+deb12_amd64.deb

Installation of the typical initramfs-tools version:

sudo apt install ./clevis-initramfs_21-1+tpm1u7+deb12_amd64.deb ./clevis-systemd_21-1+tpm1u7+deb12_amd64.deb ./clevis-tpm1_21-1+tpm1u7+deb12_amd64.deb ./clevis-luks_21-1+tpm1u7+deb12_amd64.deb ./clevis_21-1+tpm1u7+deb12_amd64.deb

Debian 11 (bullseye)

Download all DEBs to current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u7 | jq -r '.assets[].browser_download_url | select(test("deb11|orig"))' | wget -ci-

Installation of the typical Dracut version with:

sudo apt install ./clevis-dracut_21-1+tpm1u7+deb11_amd64.deb ./clevis-systemd_21-1+tpm1u7+deb11_amd64.deb ./clevis-tpm1_21-1+tpm1u7+deb11_amd64.deb ./clevis-luks_21-1+tpm1u7+deb11_amd64.deb ./clevis_21-1+tpm1u7+deb11_amd64.deb

Installation of the typical initramfs-tools version:

sudo apt install ./clevis-initramfs_21-1+tpm1u7+deb11_amd64.deb ./clevis-systemd_21-1+tpm1u7+deb11_amd64.deb ./clevis-tpm1_21-1+tpm1u7+deb11_amd64.deb ./clevis-luks_21-1+tpm1u7+deb11_amd64.deb ./clevis_21-1+tpm1u7+deb11_amd64.deb

Ubuntu

Ubuntu Installation Instructions

Version pinning

Version pinning instructions

The package installation is controlled by their priority. To fix clevis packages to tpm1 version, create a file /etc/apt/preferences.d/clevis-pin with the following content:

/etc/apt/preferences.d/clevis-pin:

Package: clevis*
Pin: version *tpm1*
Pin-Priority: 1001

Ubuntu 24.10 (Oracular Oriole)

Download all DEBs to current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u7 | jq -r '.assets[].browser_download_url | select(test("ubuntu24.10|orig"))' | wget -ci-

Installation of the typical Dracut version with:

sudo apt install ./clevis-dracut_21-1+tpm1u7+ubuntu24.10_amd64.deb ./clevis-systemd_21-1+tpm1u7+ubuntu24.10_amd64.deb ./clevis-tpm1_21-1+tpm1u7+ubuntu24.10_amd64.deb ./clevis-luks_21-1+tpm1u7+ubuntu24.10_amd64.deb ./clevis_21-1+tpm1u7+ubuntu24.10_amd64.deb

Installation of the typical initramfs-tools version:

sudo apt install ./clevis-initramfs_21-1+tpm1u7+ubuntu24.10_amd64.deb ./clevis-systemd_21-1+tpm1u7+ubuntu24.10_amd64.deb ./clevis-tpm1_21-1+tpm1u7+ubuntu24.10_amd64.deb ./clevis-luks_21-1+tpm1u7+ubuntu24.10_amd64.deb ./clevis_21-1+tpm1u7+ubuntu24.10_amd64.deb

Ubuntu 24.04 (Noble Numbat)

Download all DEBs to current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u7 | jq -r '.assets[].browser_download_url | select(test("ubuntu24.04|orig"))' | wget -ci-

Installation of the typical Dracut version with:

sudo apt install ./clevis-dracut_21-1+tpm1u7+ubuntu24.04_amd64.deb ./clevis-systemd_21-1+tpm1u7+ubuntu24.04_amd64.deb ./clevis-tpm1_21-1+tpm1u7+ubuntu24.04_amd64.deb ./clevis-luks_21-1+tpm1u7+ubuntu24.04_amd64.deb ./clevis_21-1+tpm1u7+ubuntu24.04_amd64.deb

Installation of the typical initramfs-tools version:

sudo apt install ./clevis-initramfs_21-1+tpm1u7+ubuntu24.04_amd64.deb ./clevis-systemd_21-1+tpm1u7+ubuntu24.04_amd64.deb ./clevis-tpm1_21-1+tpm1u7+ubuntu24.04_amd64.deb ./clevis-luks_21-1+tpm1u7+ubuntu24.04_amd64.deb ./clevis_21-1+tpm1u7+ubuntu24.04_amd64.deb

Fedora

Fedora Installation Instructions

Version lock for DNF4

Version lock for DNF4 instructions

The versionlock plugin is used to prevent upgrades to normal clevis version.

sudo dnf install 'dnf-command(versionlock)'
sudo dnf versionlock add --raw "clevis-*.tpm1*"
sudo dnf versionlock add --raw "clevis-pin-tpm2"

Sticky vendors for DNF5

Sticky vendors for DNF5 instructions

The versionlock plugin is built-in in DNF5, but configuration does not allow the same flexibility as in DNF4 case. The RPM contains a unique Vendor (oldium), so the sticky-vendor feature can be used to prevent unwanted Clevis updates. The following change to the /etc/dnf/dnf.conf file is necessary:

/etc/dnf/dnf.conf:

[main]
allow_vendor_change = no

Fedora 42 (Rawhide)

Download all RPMs to current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u7 | jq -r '.assets[].browser_download_url | select(test("fc42"))' | wget -ci-

Typical installation:

sudo dnf install clevis-pin-tpm2 ./clevis-21-1.tpm1u7.fc42.x86_64.rpm ./clevis-dracut-21-1.tpm1u7.fc42.x86_64.rpm ./clevis-pin-tpm1-21-1.tpm1u7.fc42.x86_64.rpm ./clevis-luks-21-1.tpm1u7.fc42.x86_64.rpm ./clevis-systemd-21-1.tpm1u7.fc42.x86_64.rpm

For upgrades you can omit clevis-pin-tpm2 as it is already installed.

Fedora 41

Download all RPMs to current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u7 | jq -r '.assets[].browser_download_url | select(test("fc41"))' | wget -ci-

Typical installation:

sudo dnf install clevis-pin-tpm2 ./clevis-21-1.tpm1u7.fc41.x86_64.rpm ./clevis-dracut-21-1.tpm1u7.fc41.x86_64.rpm ./clevis-pin-tpm1-21-1.tpm1u7.fc41.x86_64.rpm ./clevis-luks-21-1.tpm1u7.fc41.x86_64.rpm ./clevis-systemd-21-1.tpm1u7.fc41.x86_64.rpm

For upgrades you can omit clevis-pin-tpm2 as it is already installed.

Fedora 40

Download all RPMs to current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u7 | jq -r '.assets[].browser_download_url | select(test("fc40"))' | wget -ci-

Typical installation:

sudo dnf install clevis-pin-tpm2 ./clevis-21-1.tpm1u7.fc40.x86_64.rpm ./clevis-dracut-21-1.tpm1u7.fc40.x86_64.rpm ./clevis-pin-tpm1-21-1.tpm1u7.fc40.x86_64.rpm ./clevis-luks-21-1.tpm1u7.fc40.x86_64.rpm ./clevis-systemd-21-1.tpm1u7.fc40.x86_64.rpm

For upgrades you can omit clevis-pin-tpm2 as it is already installed.

Fedora 39

Download all RPMs to current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u7 | jq -r '.assets[].browser_download_url | select(test("fc39"))' | wget -ci-

Typical installation:

sudo dnf install clevis-pin-tpm2 ./clevis-21-1.tpm1u7.fc39.x86_64.rpm ./clevis-dracut-21-1.tpm1u7.fc39.x86_64.rpm ./clevis-pin-tpm1-21-1.tpm1u7.fc39.x86_64.rpm ./clevis-luks-21-1.tpm1u7.fc39.x86_64.rpm ./clevis-systemd-21-1.tpm1u7.fc39.x86_64.rpm

For upgrades you can omit clevis-pin-tpm2 as it is already installed.

CentOS Stream

CentOS Stream Installation Instructions

📝 Note: Installation of Trousers and tpm-tools requires EPEL repository.

Version lock for DNF4

Version lock for DNF4 instructions

The versionlock plugin is used to prevent upgrades to normal clevis version.

sudo dnf install 'dnf-command(versionlock)'
sudo dnf versionlock add --raw "clevis-*.tpm1*"
sudo dnf versionlock add --raw "clevis-pin-tpm2"

Sticky vendors for DNF5

Sticky vendors for DNF5 instructions

The versionlock plugin is built-in in DNF5, but configuration does not allow the same flexibility as in DNF4 case. The RPM contains a unique Vendor (oldium), so the sticky-vendor feature can be used to prevent unwanted Clevis updates. The following change to the /etc/dnf/dnf.conf file is necessary:

/etc/dnf/dnf.conf:

[main]
allow_vendor_change = no

CentOS Stream 10

Download all RPMs to current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u7 | jq -r '.assets[].browser_download_url | select(test("el10"))' | wget -ci-

Typical installation:

sudo dnf install clevis-pin-tpm2 ./clevis-21-1.tpm1u7.el10.x86_64.rpm ./clevis-dracut-21-1.tpm1u7.el10.x86_64.rpm ./clevis-pin-tpm1-21-1.tpm1u7.el10.x86_64.rpm ./clevis-luks-21-1.tpm1u7.el10.x86_64.rpm ./clevis-systemd-21-1.tpm1u7.el10.x86_64.rpm

For upgrades you can omit clevis-pin-tpm2 as it is already installed.

CentOS Stream 9

Download all RPMs to current folder:

wget -qO- https://api.github.com/repos/oldium/clevis/releases/tags/v21_tpm1u7 | jq -r '.assets[].browser_download_url | select(test("el9"))' | wget -ci-

Typical installation:

sudo dnf install clevis-pin-tpm2 ./clevis-21-1.tpm1u7.el9.x86_64.rpm ./clevis-dracut-21-1.tpm1u7.el9.x86_64.rpm ./clevis-pin-tpm1-21-1.tpm1u7.el9.x86_64.rpm ./clevis-luks-21-1.tpm1u7.el9.x86_64.rpm ./clevis-systemd-21-1.tpm1u7.el9.x86_64.rpm

For upgrades you can omit clevis-pin-tpm2 as it is already installed.

Full Changelog: v21...v21_tpm1u7

Assets 127
Loading