LUKS Unlock With TPM
Running systemd-cryptenroll

Check for a TPM (systemd talks to the kernel resource manager at /dev/tpmrm0 when it exists, so this glob covers both device nodes):

```sh
ls /dev/tpm* 2>/dev/null && echo "TPM device found" || echo "No TPM device found"
```

Install the TPM2 userspace. systemd-cryptenroll itself links against the tpm2-tss libraries, which are normally already present as a systemd dependency; tpm2-tools is for inspection, for example `tpm2_pcrread sha256:0,5,7` to see the current PCR values before binding to them:

```sh
dnf install -y tpm2-tools
```

Add a TPM2 token to the LUKS2 volume, protected by a PIN and bound to the chosen PCRs (the partition below is the one used in these notes; substitute your own):

```sh
systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true --tpm2-pcrs=0,5,7 /dev/sdc4
```

systemd-cryptenroll was introduced in systemd 248; the `--tpm2-with-pin=` option arrived in systemd 251. The command asks for an existing passphrase, then for the new PIN. Keep a passphrase or recovery-key slot: when the PCR policy stops matching (a firmware update with PCR 0 bound, a partition change with PCR 5, a Secure Boot change with PCR 7) the TPM slot will not unlock and that passphrase is the only way in. After such a change, re-run the same command with `--wipe-slot=tpm2` added to replace the stale enrollment.

Add `tpm2-device=auto` to the options of the target device in /etc/crypttab. The third field stays `none` (no key file); the PIN is not written anywhere, it is prompted for at boot:

```
<name> UUID=<uuid> none luks,discard,tpm2-device=auto
```

The TPM2 libraries must be present in the initramfs, so rebuild it after enrolling:

```sh
dracut --force --regenerate-all
```

On dracut-based systems the `tpm2-tss` module supplies the libraries and TPM kernel drivers. Verify with `lsinitrd | grep tss`; if nothing is listed, add `add_dracutmodules+=" tpm2-tss "` to a file under /etc/dracut.conf.d/ and run dracut again.
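The steps above as one script, added here as an example rather than taken from the original notes. It targets Fedora/RHEL (dnf, dracut) and assumes three inputs: `DEV` (the LUKS2 partition, defaulting to the /dev/sdc4 used in these notes), `MAPPER` (the crypttab name, a placeholder) and `PCRS` (systemd's default of 7; 0,5,7 is the stricter set from the notes). The dracut drop-in filename is also an assumption. The helper functions are pure so they can be sourced and checked without touching a device; only `./script.sh enroll` performs the enrollment.

```sh
#!/bin/sh
# Added example, not from the original notes: TPM2 enrollment of a LUKS2 volume
# with a PIN, plus crypttab and initramfs wiring, for Fedora/RHEL.
# Assumed inputs: DEV, MAPPER, PCRS (defaults below are placeholders).
set -eu

DEV="${DEV:-/dev/sdc4}"       # partition used in the notes above
MAPPER="${MAPPER:-luks-data}" # assumed crypttab / device-mapper name
PCRS="${PCRS:-7}"             # systemd default; 0,5,7 is the stricter set from the notes

# Accept only a comma-separated list of integers in 0..23 (what --tpm2-pcrs= takes).
valid_pcrs() {
    case "$1" in ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;; esac
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    for p; do [ "$p" -le 23 ] || return 1; done
    return 0
}

# Build the crypttab entry: name, device by UUID, no key file, TPM2 auto-unlock.
crypttab_line() {
    printf '%s UUID=%s none luks,discard,tpm2-device=auto' "$1" "$2"
}

# systemd uses the kernel TPM resource manager (tpmrm0) when present; fall back to tpm0.
have_tpm() { [ -e /dev/tpmrm0 ] || [ -e /dev/tpm0 ]; }

enroll() {
    have_tpm || { echo "no TPM2 device under /dev" >&2; return 1; }
    valid_pcrs "$PCRS" || { echo "bad PCR list: $PCRS" >&2; return 1; }
    # Tokens only exist in LUKS2 headers; refuse anything else up front.
    cryptsetup isLuks --type luks2 "$DEV" || { echo "$DEV is not a LUKS2 volume" >&2; return 1; }

    # Prompts for an existing passphrase, then for the new PIN. The passphrase slot
    # stays enrolled: it is the recovery path when the PCR policy no longer matches.
    systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true --tpm2-pcrs="$PCRS" "$DEV"

    uuid=$(cryptsetup luksUUID "$DEV")
    line=$(crypttab_line "$MAPPER" "$uuid")
    if grep -q "^$MAPPER[[:space:]]" /etc/crypttab 2>/dev/null; then
        sed -i "s|^$MAPPER[[:space:]].*|$line|" /etc/crypttab   # replace existing entry
    else
        echo "$line" >> /etc/crypttab
    fi

    dracut --force --regenerate-all
    # Without the TSS libraries in the initramfs the token cannot be used at boot.
    if ! lsinitrd | grep -q libtss2; then
        echo 'add_dracutmodules+=" tpm2-tss "' > /etc/dracut.conf.d/tpm2.conf   # assumed filename
        dracut --force --regenerate-all
    fi
}

# Only act when invoked as "$0 enroll", so the helpers can be sourced and tested safely.
if [ "${1:-}" = "enroll" ]; then enroll; fi
```

Run it as root with `DEV=/dev/<partition> MAPPER=<name> PCRS=7 ./script.sh enroll`. The PCR list validation is there because systemd-cryptenroll accepts the string verbatim and a typo silently binds to the wrong registers.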
PCRs
The table below (from the systemd-cryptenroll man page) explains what each PCR measures. `--tpm2-pcrs=` takes a comma-separated list such as 0,5,7, and every PCR in the list must hold the same value at boot as it did at enrollment or the TPM will not release the key. PCR 7 alone (systemd's default) ties the key to the Secure Boot state and certificate databases and survives routine firmware and boot-loader updates; adding 0 makes any firmware update invalidate the enrollment, and adding 5 does the same for any partition-table change. Binding only to PCR 7 also means any Secure-Boot-signed kernel that boots on the machine can reach the key, which is why the PIN in the enrollment step matters.

| PCR | name | Explanation |
|-----|------|-------------|
| 0 | platform-code | Core system firmware executable code; changes on firmware updates |
| 1 | platform-config | Core system firmware data/host platform configuration; typically contains serial and model numbers, changes on basic hardware/CPU/RAM replacements |
| 2 | external-code | Extended or pluggable executable code; includes option ROMs on pluggable hardware |
| 3 | external-config | Extended or pluggable firmware data; includes information about pluggable hardware |
| 4 | boot-loader-code | Boot loader and additional drivers, PE binaries invoked by the boot loader; changes on boot loader updates. sd-stub(7) measures system extension images read from the ESP here too (see systemd-sysext(8)). |
| 5 | boot-loader-config | GPT/Partition table; changes when the partitions are added, modified, or removed |
| 7 | secure-boot-policy | Secure Boot state; changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, ...) change. |
| 9 | kernel-initrd | The Linux kernel measures all initrds it receives into this PCR. |
| 10 | ima | The IMA project measures its runtime state into this PCR. |
| 11 | kernel-boot | systemd-stub(7) measures the ELF kernel image, embedded initrd and other payload of the PE image it is placed in into this PCR. systemd-pcrphase.service(8) measures boot phase strings into this PCR at various milestones of the boot process. |
| 12 | kernel-config | systemd-boot(7) measures the kernel command line into this PCR. systemd-stub(7) measures any manually specified kernel command line (i.e. a kernel command line that overrides the one embedded in the unified PE image) and loaded credentials into this PCR. |
| 13 | sysexts | systemd-stub(7) measures any systemd-sysext(8) images it passes to the booted kernel into this PCR. |
| 14 | shim-policy | The shim project measures its "MOK" certificates and hashes into this PCR. |
| 15 | system-identity | systemd-cryptsetup(8) optionally measures the volume key of activated LUKS volumes into this PCR. systemd-pcrmachine.service(8) measures the machine-id(5) into this PCR. systemd-pcrfs@.service(8) measures mount points, file system UUIDs, labels, partition UUIDs of the root and /var/ filesystems into this PCR. |
| 16 | debug | Debug |
| 23 | application-support | Application Support |

Sources:
- https://www.reddit.com/r/archlinux/comments/1ajjy4r/which_pcr_registers_do_you_use_for_tpm_to/
- http://servicedesk/WorkOrder.do?woMode=viewWO&woID=67452