System information
- Void Linux
- Kernel: 7.0.2_1
- Architecture: x86_64
- Package: clevis: 22_tpm1u1
- Initramfs generator: dracut
On this system /bin/sh is dash.
Summary
There appear to be two separate problems when using clevis with dracut in this environment:
- clevis dracut hooks contain bash‑specific syntax but are sourced by dracut under
/bin/sh
- when forcing bash in initramfs, the LUKS unlock succeeds but dracut later crashes due to
_gfound not being defined
Expected behavior
A TPM2‑bound LUKS2 device should unlock automatically during the dracut initramfs stage and the system should continue booting normally.
Actual behavior
Two different failure modes occur depending on the shell used in the initramfs.
Case 1: /bin/sh -> dash
dracut sources module scripts rather than executing them directly.
Because of this, the shebang (#!/bin/bash) in clevis scripts is ignored and the code is interpreted by /bin/sh.
On systems where /bin/sh is dash, several clevis scripts contain bash‑specific constructs (e.g. [[ ... ]], here-strings, etc.).
This causes syntax errors and prevents clevis from running during the initramfs stage.
Case 2: forcing bash in initramfs
If the initramfs is modified so that /bin/sh points to bash, the behavior changes:
- clevis successfully unlocks the LUKS2 device using TPM2
- the system proceeds past the clevis stage
- later in the boot process dracut aborts with an error related to
_gfound
The failure appears to come from dracut libraries (e.g. dracut-lib.sh).
Because dracut runs with set -u, referencing an undefined variable/function causes an immediate abort which results in a kernel panic.
This suggests that after the clevis unlock stage the shell context or sourced libraries are not preserved and _gfound is no longer defined.
Reproduction
- Bind a LUKS2 device to TPM2:
sudo clevis luks bind -d /dev/nvme0n1p2 tpm2 '{}'
- Regenerate initramfs:
- Reboot.
Observed results
- With
/bin/sh = dash => syntax errors in clevis hooks
- With
/bin/sh = bash => unlock succeeds but boot aborts due to _gfound failure
Notes
The fact that the unlock works correctly under bash suggests that the TPM2 and clevis logic itself is functioning, but the interaction between clevis dracut hooks and the shell environment used by dracut may be inconsistent.
Clarification would be helpful on whether:
- clevis dracut hooks are expected to be POSIX
/bin/sh compatible, or
- bash is assumed to be available and used within the initramfs.
System information
On this system
/bin/shisdash.Summary
There appear to be two separate problems when using clevis with dracut in this environment:
/bin/sh_gfoundnot being definedExpected behavior
A TPM2‑bound LUKS2 device should unlock automatically during the dracut initramfs stage and the system should continue booting normally.
Actual behavior
Two different failure modes occur depending on the shell used in the initramfs.
Case 1:
/bin/sh-> dashdracut sources module scripts rather than executing them directly.
Because of this, the shebang (
#!/bin/bash) in clevis scripts is ignored and the code is interpreted by/bin/sh.On systems where
/bin/shisdash, several clevis scripts contain bash‑specific constructs (e.g.[[ ... ]], here-strings, etc.).This causes syntax errors and prevents clevis from running during the initramfs stage.
Case 2: forcing bash in initramfs
If the initramfs is modified so that
/bin/shpoints tobash, the behavior changes:_gfoundThe failure appears to come from dracut libraries (e.g.
dracut-lib.sh).Because dracut runs with
set -u, referencing an undefined variable/function causes an immediate abort which results in a kernel panic.This suggests that after the clevis unlock stage the shell context or sourced libraries are not preserved and
_gfoundis no longer defined.Reproduction
Observed results
/bin/sh= dash => syntax errors in clevis hooks/bin/sh= bash => unlock succeeds but boot aborts due to_gfoundfailureNotes
The fact that the unlock works correctly under bash suggests that the TPM2 and clevis logic itself is functioning, but the interaction between clevis dracut hooks and the shell environment used by dracut may be inconsistent.
Clarification would be helpful on whether:
/bin/shcompatible, or