Open uhthomas opened 11 months ago
Good feedback and it's something I've been meaning to fix for a long time
Thanks @Torxed, I'm looking forward to this feature. Let me know what I can do to help.
It may also be useful to have an initial implementation which always uses --tpm2-device=auto, guarded by a check for a TPM2 module (I think checking for /dev/tpm0 would also be sufficient). This should cover the majority of use cases, as it should be rare for more than 1 TPM device to be present, or for users to really care. In future, I guess systemd-cryptenroll --tpm2-device=list can be used to get a comprehensive list of TPM devices.
❯ systemd-cryptenroll --tpm2-device=list
PATH DEVICE DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_crb
https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#Simple_encrypted_root_with_TPM2_and_Secure_Boot is probably the most comprehensive guide.
I found https://github.com/archlinux/archinstall/issues/861, but believe the HSM support does not provide adequate TPM support.
For example, only my YubiKey is listed, despite the presence of a TPM.
I have used systemd-cryptenroll for a few machines and have found it to work quite well.
cryptsetup benchmark may also be helpful.
I believe secure boot is required for a TPM to work - so this may also be helpful?
I think in addition to systemd-cryptenroll, the kernel configuration options need to be updated. Note:
rd.luks.name=a661b1ce-26f7-460d-a8fa-1a57f2f6ceff=luksdev rd.luks.options=discard,tpm2-device=auto
where the UUID is the volume UUID from sudo blkid: https://wiki.archlinux.org/title/Trusted_Platform_Module#systemd-cryptenroll
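The three pieces discussed in this thread (a presence check for a TPM2 device, parsing the table printed by systemd-cryptenroll --tpm2-device=list, and building the rd.luks.name / rd.luks.options kernel parameters) as one added example. This is illustrative code written for this page, not archinstall's own implementation. It assumes a TPM2 shows up as a character device at /dev/tpmrm0 or /dev/tpm0 or as an entry under /sys/class/tpm, and that the list output keeps the three-column PATH DEVICE DRIVER layout shown above; the mapper name luksdev and the UUID in the sample are the ones quoted in the thread.

```python
"""Helpers for TPM2-backed LUKS unlocking with systemd-cryptenroll.

Added example, not archinstall's own code. Assumptions are marked inline.
"""
import os
import re
import stat
import subprocess
from dataclasses import dataclass
from typing import List, Sequence

# Assumption: the kernel exposes the TPM as one of these character devices.
TPM_DEVICE_NODES: Sequence[str] = ("/dev/tpmrm0", "/dev/tpm0")
TPM_SYSFS_CLASS = "/sys/class/tpm"

# Lowercase hex UUID as printed by blkid; rejecting anything else keeps
# shell-sensitive characters out of the generated command line.
_UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
_MAPPER_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def tpm2_present(dev_nodes: Sequence[str] = TPM_DEVICE_NODES,
                 sysfs_root: str = TPM_SYSFS_CLASS) -> bool:
    """Cheap presence check: a TPM character device node or a sysfs tpm* entry."""
    for node in dev_nodes:
        try:
            if stat.S_ISCHR(os.stat(node).st_mode):
                return True
        except OSError:
            continue
    if os.path.isdir(sysfs_root):
        return any(name.startswith("tpm") for name in os.listdir(sysfs_root))
    return False


@dataclass(frozen=True)
class Tpm2Device:
    path: str    # e.g. /dev/tpmrm0
    device: str  # ACPI/PNP id as printed by systemd-cryptenroll
    driver: str  # kernel driver, e.g. tpm_crb


def parse_tpm2_device_list(output: str) -> List[Tpm2Device]:
    """Parse the table printed by `systemd-cryptenroll --tpm2-device=list`.

    Assumption: a PATH DEVICE DRIVER header followed by one device per line.
    """
    lines = [line for line in output.splitlines() if line.strip()]
    if lines and lines[0].split()[:3] == ["PATH", "DEVICE", "DRIVER"]:
        lines = lines[1:]
    devices = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"unexpected tpm2 device line: {line!r}")
        devices.append(Tpm2Device(parts[0], parts[1], parts[2]))
    return devices


def list_tpm2_devices() -> List[Tpm2Device]:
    """Run systemd-cryptenroll and parse its output; [] if the tool is absent."""
    try:
        proc = subprocess.run(["systemd-cryptenroll", "--tpm2-device=list"],
                              capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []
    return parse_tpm2_device_list(proc.stdout)


def choose_tpm2_device(devices: Sequence[Tpm2Device]) -> str:
    """Pick the --tpm2-device= value: 'auto' is safe only when one TPM exists."""
    if not devices:
        raise RuntimeError("no TPM2 device available")
    if len(devices) == 1:
        return "auto"
    paths = ", ".join(d.path for d in devices)
    raise RuntimeError(f"multiple TPM2 devices present, choose one of: {paths}")


def luks_kernel_cmdline(volume_uuid: str, mapper_name: str = "luksdev",
                        tpm2_device: str = "auto", discard: bool = True) -> str:
    """Build the rd.luks.* parameters for an encrypted root unlocked via TPM2."""
    if not _UUID_RE.match(volume_uuid):
        raise ValueError(f"not a lowercase volume UUID: {volume_uuid!r}")
    if not _MAPPER_NAME_RE.match(mapper_name):
        raise ValueError(f"unsafe mapper name: {mapper_name!r}")
    options = (["discard"] if discard else []) + [f"tpm2-device={tpm2_device}"]
    return f"rd.luks.name={volume_uuid}={mapper_name} rd.luks.options={','.join(options)}"


if __name__ == "__main__":
    # Constructed sample: the list output quoted in the thread.
    sample = "PATH DEVICE DRIVER\n/dev/tpmrm0 MSFT0101:00 tpm_crb\n"
    devs = parse_tpm2_device_list(sample)
    print(tpm2_present(), devs)
    print(luks_kernel_cmdline("a661b1ce-26f7-460d-a8fa-1a57f2f6ceff",
                              tpm2_device=choose_tpm2_device(devs)))
```

The UUID and mapper-name validation is the security-relevant part: these strings end up in the bootloader configuration, so anything that is not a plain UUID or a plain name is rejected rather than written out.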