gardenlinux / builder

Builder used to construct Garden Linux. Re-usable for other OS-projects.
Apache License 2.0

Integrate `TPM2` for encryption of writable persistent partitions #62

Closed brdanin closed 7 months ago

brdanin commented 7 months ago

This PR adds the feature flag tpm2, which can be used in combination with systemd-repart to create and mount encrypted writable persistent partitions.

On first boot, systemd-repart automatically creates a new partition with the options specified in the respective fstab.mod file. Afterwards, the created volume is automatically mounted to the correct path. On second start, systemd-repart recognizes the existing volume and skips the creation of a new one, thus retaining the already written data.

TODO: The feature is currently binding its encryption to the PCR values 7 and 11 (secure-boot-policy, kernel-boot) of the TPM chip. This can lead to problems when upgrading the kernel to a new version (e.g. with fwupd), which overrides existing PCR hashes and thus makes the decryption of a volume created before the upgrade impossible. This behaviour will probably soon change in the future in favor of binding to signatures of PCR values with either pcrlock or signed public-key-based policies.

Example:

```
REPART=00    /home    ext4    rw    tpm2
```
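As an added illustration (not the builder's own code), the following Python sketch shows what the `tpm2` flag in an `fstab.mod` line has to be turned into: a `repart.d` drop-in with `Encrypt=tpm2` and a `systemd-repart` invocation that binds the LUKS key to PCRs 7 and 11, which is where the kernel-upgrade caveat from the TODO comes from. The mount-point to partition-type table and the drop-in file naming are assumptions, as the PR does not show them.

```python
"""Hypothetical rendering of an fstab.mod REPART line into systemd-repart
configuration. Not the gardenlinux/builder implementation."""

# Assumed mapping from mount point to systemd-repart Type= name (GPT
# discoverable partition types); the PR page does not show the real table.
TYPE_FOR_MOUNT = {"/home": "home", "/var": "var", "/srv": "srv"}


def parse_fstab_mod_line(line):
    """Parse 'REPART=NN <mount> <fstype> <mount-opts> [tpm2]' into a dict."""
    fields = line.split()
    if len(fields) < 4 or not fields[0].startswith("REPART="):
        raise ValueError(f"not a REPART line: {line!r}")
    return {
        "index": fields[0].split("=", 1)[1],
        "mount": fields[1],
        "fstype": fields[2],
        "mount_opts": fields[3],
        "tpm2": "tpm2" in fields[4:],
    }


def repart_conf(entry):
    """Render repart.d/<index>-<type>.conf (file name is an assumption).
    Encrypt=tpm2 makes systemd-repart wrap the new partition in LUKS2 and
    enroll a TPM2 token on first boot; on later boots the partition already
    exists and is left alone, so written data survives."""
    ptype = TYPE_FOR_MOUNT.get(entry["mount"])
    if ptype is None:
        raise ValueError(f"no discoverable partition type for {entry['mount']}")
    body = ["[Partition]", f"Type={ptype}", f"Format={entry['fstype']}"]
    if entry["tpm2"]:
        body.append("Encrypt=tpm2")
    return f"{entry['index']}-{ptype}.conf", "\n".join(body) + "\n"


def repart_cmdline(pcrs=(7, 11)):
    """systemd-repart invocation binding the LUKS key to the given PCRs.
    PCR 11 carries the kernel measurement, so binding to it (the PR's
    current choice) means a kernel update changes the policy and a volume
    created before the update can no longer be unlocked."""
    return ["systemd-repart", "--dry-run=no", "--tpm2-device=auto",
            "--tpm2-pcrs=" + "+".join(str(p) for p in pcrs)]


if __name__ == "__main__":
    entry = parse_fstab_mod_line("REPART=00    /home    ext4    rw    tpm2")
    name, conf = repart_conf(entry)
    print(name)
    print(conf)
    print(" ".join(repart_cmdline()))
```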