I know you can encrypt your Fedora installation in the install setup, which is what I always go with. Is there a way I can set it up similar to Microsoft’s BitLocker? I have a laptop with a TPM chip. I’d like to have Secure Boot enabled with LUKS and a TPM, along with an additional authentication method such as a password or PIN. Is this possible? I know that this is effective against an evil maid attack. I’ve never messed around with this stuff, so I’m kinda new to all of this. Thanks!
It essentially comes down to installing and using the “clevis” package (a convenient front-end to the typical tools that are probably already installed on your machine) to set another LUKS slot that’s bound to your TPM. This set-up won’t require you to supply an additional password, but by sealing to certain PCRs, you should mitigate the evil maid scenario.
Clevis will allow you to bind against multiple sources, say, a TPM and a Tang server. You can’t bind against a passphrase, but I consider it safe to allow my computer to potentially be booted by someone else, so long as I know that it couldn’t have been modified.
The relevant PCRs are 0 (presumably, UEFI and not BIOS), 1 (UEFI configuration), 4, 7, 8, 9 and 14 (check README.tpm in the rhboot/shim repository on GitHub for details on the others). However, you should not necessarily seal to all of these. I had trouble with 1 and 8, where the presence of a USB or charger was enough to guarantee a fail. I’m still trying to decide which I want to seal against.
If you seal against 8 and/or 9, prepare to be rebinding after each kernel update.
From what I’ve heard, BitLocker seals against PCR 7, which is the Secure Boot configuration (check the link above for more details with regard to Fedora).
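The procedure the reply describes (bind an extra LUKS slot to the TPM with clevis, seal it against a small PCR set, and re-seal after a kernel update), written out as an added example. This is not code from the original thread or from the clevis project. It assumes the encrypted volume is `/dev/nvme0n1p3` (override with `LUKS_DEV`), a TPM 2.0 exposed as `/dev/tpmrm0`, and the Fedora packages `clevis`, `clevis-luks`, `clevis-dracut` and `tpm2-tools`; `clevis luks regen` needs a reasonably recent clevis. Run the bind step only on a machine whose existing LUKS passphrase you know, since clevis will prompt for it.

```shell
#!/bin/sh
# Added example, not part of the original post: TPM-bound LUKS slot with clevis.
# Assumptions (adjust for your machine): root volume /dev/nvme0n1p3, TPM 2.0 at
# /dev/tpmrm0, packages clevis clevis-luks clevis-dracut tpm2-tools from dnf.

LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p3}"   # assumption: your encrypted partition
PCR_BANK="sha256"

# Join PCR indices into the comma-separated form clevis and tpm2_pcrread expect.
join_ids() {
    ids=$(printf '%s,' "$@")
    printf '%s' "${ids%,}"                # strip the trailing comma
}

# Build the clevis tpm2 pin config. The reply's advice: start with a small set
# such as 0 and 7; PCRs 1 and 8 flip when a USB device or charger is present,
# and 8/9 change on every kernel update, forcing a rebind.
make_tpm2_config() {
    printf '{"pcr_bank":"%s","pcr_ids":"%s"}' "$PCR_BANK" "$(join_ids "$@")"
}

# Reject empty, non-numeric or out-of-range (TPM 2.0 has PCRs 0-23) indices so
# a typo cannot produce a binding sealed to the wrong PCRs.
valid_pcr_ids() {
    [ "$#" -gt 0 ] || return 1
    for id in "$@"; do
        case "$id" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$id" -le 23 ] || return 1
    done
    return 0
}

# Add a TPM-sealed key slot next to the existing passphrase slot.
# usage: bind_tpm2_slot 0 7
bind_tpm2_slot() {
    valid_pcr_ids "$@" || { echo "bad PCR list: $*" >&2; return 1; }
    [ -c /dev/tpmrm0 ] || { echo "no TPM 2.0 resource manager device" >&2; return 1; }
    sudo dnf install -y clevis clevis-luks clevis-dracut tpm2-tools
    # Show the current values of the PCRs you are about to seal against.
    sudo tpm2_pcrread "$PCR_BANK:$(join_ids "$@")"
    # clevis asks for the existing LUKS passphrase and adds a new key slot.
    sudo clevis luks bind -d "$LUKS_DEV" tpm2 "$(make_tpm2_config "$@")"
    # Rebuild the initramfs so the clevis hook can unseal the root at boot.
    sudo dracut -f
    sudo clevis luks list -d "$LUKS_DEV"
}

# After a kernel or firmware update changes a sealed PCR, re-seal the existing
# slot instead of accumulating new ones. SLOT is the number from clevis luks list.
# usage: rebind_tpm2_slot <slot>
rebind_tpm2_slot() {
    sudo clevis luks regen -d "$LUKS_DEV" -s "$1"
    sudo dracut -f
}

# Only act when explicitly asked; running or sourcing without --bind is a no-op.
if [ "${1:-}" = "--bind" ]; then
    shift
    bind_tpm2_slot "$@"
fi
```

Invoke as `sh bind-tpm2.sh --bind 0 7` for the PCR 0 and 7 binding the reply leans toward; the passphrase slot stays in place, so if the seal fails after a firmware change you can still type the passphrase and then run `rebind_tpm2_slot` with the slot number shown by `clevis luks list`.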