Secure Boot and using LUKS + TPM2 by default

I’ve been looking into having a system with both of these for quite a while now, and after stumbling into all the info necessary for having it (made 2 PSAs about these on Reddit, one for Secure Boot + NVIDIA and one for TPM2 auto decryption of the LUKS container) I’ve been wondering, what would it take to have these by default on Fedora? I’d love to have an idea of how much work it’d take.


In the Secure Boot guide all of the steps necessary (for now it needs the COPR repos, but apparently the F36 versions of akmods and kmodtool will already have all of what’s needed, correct me if I’m wrong) will be to create and enroll the secure boot keys, move them to the necessary folders and change their permissions. Ubuntu does pretty much all of that in their installer if it detects a system using secure boot, prompting you to choose a password for the keys if you choose to install third-party drivers during install.

They already have all of what’s needed for it working, so what would it take to bring those steps to Fedora? Would that add a lot of work for the Anaconda team?


And the other half of it comes to the TPM2 chip.

  • One way of doing it is automatically doing all of the steps if the user chooses to encrypt the system with LUKS on install;

  • The other way would be to add a second checkbox that shows up if they choose LUKS on install for them to choose if they want to automatically decrypt it with the TPM2 chip or not.

The process behind the scenes looks relatively simple to automate, using systemd-cryptenroll, editing /etc/crypttab and then adding the /etc/dracut.conf.d/tss2.conf file in order for dracut to be able to generate a compatible initramfs (I hope I’m not using the wrong terms, I am certainly not technical enough).


I see this being more work mainly on the backs of the guys behind the installer, but these would definitely put Fedora on par with, if not even ahead of, Ubuntu and Microsoft when it comes to using these technologies for a more secure system, and help it become more accessible to those with BIOSes with locked down options for Secure Boot.

3 Likes
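The three steps the post lists (systemd-cryptenroll, the /etc/crypttab entry, the /etc/dracut.conf.d/tss2.conf file) scripted as a POSIX shell dry run. This is an added example, not code from the post, from Anaconda or from Fedora; the device path, the placeholder UUID and the PCR selection are assumptions and would have to be replaced on a real machine. The two details worth noticing are that the TPM2 is enrolled as an additional key slot (the passphrase slot stays, so a failed unseal only means a passphrase prompt at boot) and that binding to PCR 7 ties the unseal to the current Secure Boot policy, so a disk moved to another machine or booted with different Secure Boot settings does not unlock on its own.

```shell
#!/bin/sh
# Added example, not code from the thread: the TPM2 auto-unlock steps the post
# lists (systemd-cryptenroll, /etc/crypttab, /etc/dracut.conf.d/tss2.conf),
# scripted with a dry-run default. Device path, UUID and PCR set are assumed
# placeholders; adjust them for a real machine.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p3}"   # assumed LUKS2 partition
PCRS="${PCRS:-0+7}"                      # assumed: PCR 7 = Secure Boot policy, PCR 0 = firmware
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print privileged commands instead of running them

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Fedora generates "luks-<uuid> UUID=<uuid> none discard"; adding
# tpm2-device=auto makes systemd-cryptsetup try the TPM2 first and fall back
# to the passphrase prompt when unsealing fails (PCR mismatch, missing or
# broken TPM, disk moved to another machine).
crypttab_line() {
  printf 'luks-%s UUID=%s none tpm2-device=auto,discard\n' "$1" "$1"
}

# dracut needs the tpm2-tss module in the initramfs to talk to the chip.
dracut_conf() {
  printf 'add_dracutmodules+=" tpm2-tss "\n'
}

# Return 0 if a crypttab line carries a TPM2 unlock option, 1 otherwise.
has_tpm2_option() {
  case "$1" in
    *tpm2-device=*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write both config files under $1 ("/" on the real system, a temp dir to stage).
write_configs() {
  root="$1"; uuid="$2"
  mkdir -p "$root/etc/dracut.conf.d"
  crypttab_line "$uuid" >> "$root/etc/crypttab"
  dracut_conf > "$root/etc/dracut.conf.d/tss2.conf"
}

# Enroll the TPM2 as an additional key slot; the existing passphrase stays valid
# and is asked for once by systemd-cryptenroll to authorize the new slot.
enroll_tpm2() {
  run systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$PCRS" "$LUKS_DEV"
  run systemd-cryptenroll "$LUKS_DEV"   # with no options: list the enrolled slots
}

# Rebuild the initramfs so it contains the tpm2-tss module.
rebuild_initramfs() {
  run dracut -f
}

# Dry-run demonstration: print the commands and stage the config in a temp dir.
STAGE=$(mktemp -d)
enroll_tpm2
write_configs "$STAGE" "0000-PLACEHOLDER-UUID"
rebuild_initramfs
cat "$STAGE/etc/crypttab" "$STAGE/etc/dracut.conf.d/tss2.conf"
rm -r "$STAGE"
```

Running it as root with DRY_RUN=0 and write_configs pointed at "/" performs the real enrollment; the dry-run default only prints the privileged commands and stages the two files in a temporary directory so the generated entries can be inspected first.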

I have a question. The only advantage is that you can only decrypt your drive if it's in your PC, right?

I think LUKS with a 16+ digit password is way more secure. Your PC may break, the TPM chip may fail, and in that case all you can do is format the drive, right?

Nope, not at all, the only thing that would change in that scenario is that the system would ask for your LUKS password to boot.

2 Likes

This is what my system does currently? TPM ensures that the system can boot without a password, or doesn't it? Only if the drive is inside my machine. If it was outside, that was not the case. I don't get how this is important, as no one would take out your drive alone.

Any news on this?

1 Like