From: Quirin Gylstorff <quirin.gylstorff@...>

Systemd >= 251 is required for systemd-cryptenroll. This version
is part of backports.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
conf/distro/debian-bullseye-backports.list | 1 +
.../preferences.bullseye-backports.tpm.conf | 3 +++
kas/opt/tpm.yml | 20 +++++++++++++++++++
3 files changed, 24 insertions(+)
create mode 100644 conf/distro/debian-bullseye-backports.list
create mode 100644 conf/distro/preferences.bullseye-backports.tpm.conf
create mode 100644 kas/opt/tpm.yml

diff --git a/conf/distro/debian-bullseye-backports.list b/conf/distro/debian-bullseye-backports.list
new file mode 100644
index 0000000..3a55e4c
--- /dev/null
+++ b/conf/distro/debian-bullseye-backports.list
@@ -0,0 +1 @@
+deb http://ftp.us.debian.org/debian bullseye-backports main contrib non-free
diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf b/conf/distro/preferences.bullseye-backports.tpm.conf
new file mode 100644
index 0000000..0905fbf
--- /dev/null
+++ b/conf/distro/preferences.bullseye-backports.tpm.conf
@@ -0,0 +1,3 @@
+Package: *
+Pin: release n=bullseye-backports
+Pin-Priority: 801
diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml
new file mode 100644
index 0000000..0e4dc95
--- /dev/null
+++ b/kas/opt/tpm.yml
@@ -0,0 +1,20 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 12
+
+local_conf_header:
+ systemd-cryptenroll: |
+ DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-bullseye-backports.list"
+ DISTRO_APT_PREFERENCES:append:bullseye = " conf/distro/preferences.bullseye-backports.tpm.conf"
+ image-option-tpm: |
+ INITRAMFS_INSTALL += " initramfs-crypt-hook"
--
2.39.1

On Fri, 2023-02-17 at 14:05 +0100, Quirin Gylstorff via lists.cip-
project.org wrote:

From: Quirin Gylstorff <quirin.gylstorff@...>

Systemd >= 251 is required for systemd-cryptenroll. This version
is part of backports.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
 conf/distro/debian-bullseye-backports.list    |  1 +
 .../preferences.bullseye-backports.tpm.conf   |  3 +++
 kas/opt/tpm.yml                               | 20
+++++++++++++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 conf/distro/debian-bullseye-backports.list
 create mode 100644 conf/distro/preferences.bullseye-
backports.tpm.conf
 create mode 100644 kas/opt/tpm.yml

diff --git a/conf/distro/debian-bullseye-backports.list
b/conf/distro/debian-bullseye-backports.list
new file mode 100644
index 0000000..3a55e4c
--- /dev/null
+++ b/conf/distro/debian-bullseye-backports.list
@@ -0,0 +1 @@
+deb http://ftp.us.debian.org/debian bullseye-backports main contrib
non-free
diff --git a/conf/distro/preferences.bullseye-backports.tpm.conf
b/conf/distro/preferences.bullseye-backports.tpm.conf
new file mode 100644
index 0000000..0905fbf
--- /dev/null
+++ b/conf/distro/preferences.bullseye-backports.tpm.conf
@@ -0,0 +1,3 @@
+Package: *
+Pin: release n=bullseye-backports
+Pin-Priority: 801

This does not look right. By that, we take ANY available package from
bpo. For systemd backports, we usually use:

Package: libnss-myhostname libnss-mymachines libnss-resolve libnss-
systemd libpam-systemd libudev1 libsystemd0 systemd systemd-* udev

Felix

diff --git a/kas/opt/tpm.yml b/kas/opt/tpm.yml
new file mode 100644
index 0000000..0e4dc95
--- /dev/null
+++ b/kas/opt/tpm.yml
@@ -0,0 +1,20 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 12
+
+local_conf_header:
+  systemd-cryptenroll: |
+    DISTRO_APT_SOURCES:append:bullseye = " conf/distro/debian-
bullseye-backports.list"
+    DISTRO_APT_PREFERENCES:append:bullseye = "
conf/distro/preferences.bullseye-backports.tpm.conf"
+  image-option-tpm: |
+    INITRAMFS_INSTALL += " initramfs-crypt-hook"