search

archlinux / archinstall

Arch Linux installer - guided, templates etc.
GNU General Public License v3.0
6.04k stars 522 forks source link

TPM support #2141

Open uhthomas opened 11 months ago

uhthomas commented 11 months ago

I found https://github.com/archlinux/archinstall/issues/861, but believe the HSM support does not provide adequate TPM support.

For example; only my YubiKey is listed, despite the presence of a TPM.

image

I have used systemd-cryptenroll for a few machines and have found it to work quite well.

❯ sudo systemd-cryptenroll /dev/nvme0n1p2 --tpm2-device=auto

cryptsetup benchmark may also be helpful.

I believe secure boot is required for a TPM to work - so this may also be helpful too?

❯ sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     a67af038-da8d-4637-a752-7d3e71a9f57e
Setup Mode:     ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    microsoft

I think in addition to systemd-cryptenroll, the kernel configuration options need to be updated.

❯ cat /boot/loader/entries/linux.conf
title Arch Linux (linux)
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options root=/dev/mapper/luksdev zswap.enabled=0 rootflags=subvol=@ rw intel_pstate=no_hwp rootfstype=btrfs rd.luks.name=a661b1ce-26f7-460d-a8fa-1a57f2f6ceff=luksdev rd.luks.options=discard,tpm2-device=auto nvidia_drm.modeset=1

note rd.luks.name=a661b1ce-26f7-460d-a8fa-1a57f2f6ceff=luksdev rd.luks.options=discard,tpm2-device=auto where the UUID is the volume UUID from sudo blkid:

/dev/nvme0n1p2: UUID="a661b1ce-26f7-460d-a8fa-1a57f2f6ceff" TYPE="crypto_LUKS" PARTLABEL="primary" PARTUUID="3f92cbb9-c6ce-4a70-bc9f-4b7ce4cdbe54"

https://wiki.archlinux.org/title/Trusted_Platform_Module#systemd-cryptenroll

Torxed commented 11 months ago

Good feedback and it's something I've been meaning to fix for a long time

uhthomas commented 11 months ago

Thanks @Torxed, I'm looking forward to this feature. Let me know what I can do to help.

It may also be useful to have an initial implementation which always uses --tpm2-device=auto, guarded by a check for a TPM2 module (I think checking for /dev/tpm0 would also be sufficient). This should cover the majority of use cases, as it should be rare for more than 1 TPM device to be present, or for users to really care. In future, I guess systemd-cryptenroll --tpm2-device=list can be used to get a comprehensive list of TPM devices.

❯ systemd-cryptenroll --tpm2-device=list
PATH        DEVICE      DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_crb
uhthomas commented 11 months ago

https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#Simple_encrypted_root_with_TPM2_and_Secure_Boot Is probably the most comprehensive guide.