Configure LUKS+TPM2 on Kinoite

Ask Fedora
, ,
1

I am trying to install Kinoite using encryption on a laptop. This part works flawless.

I tried following Use systemd-cryptenroll with FIDO U2F or TPM2 to decrypt your disk - Fedora Magazine and I understand it is the new “way” of it (old one Automatically decrypt your disk using TPM2 - Fedora Magazine); but it fails on sudo dracut -f.

The lapot is for a user, so having:

  • bios password protected
  • boot menu blocked
  • hard disk encrypted

Should be enough in my case. Any idea of what am I doing wrong?

And any advice on PCR options for my use-case is wellcome.

2

Regenerating initramfs on atomic desktops doesn’t work with the dracut command AFAIK. Instead rpm-ostree initramfs with specific arguments should be used, but you can try with the ligher rpm-ostree initramfs-etc --track <path-to-file> first, it might be enough. See the man page of rpm-ostree for details.

2 Likes
3

See Document fido2 setup for root disk · Issue #546 · fedora-silverblue/issue-tracker · GitHub for FIDO setup instructions.

1 Like
4

Thanks, I look at it

5

Is there a step-by-step guide how to do TPM (not Fido) unlock on Kinoite 43 anywhere?

6

There are some hints in Add TPM2 systemd-cryptenroll to Tips and Tricks by stenwt · Pull Request #176 · fedora-silverblue/silverblue-docs · GitHub