Secure Boot and using LUKS + TPM2 by default

I’ve been looking into having a system with both of these for quite a while now, and after stumbling into all the info necessary for having it (made 2 PSAs about these on Reddit, one for Secure Boot + NVIDIA and one for TPM2 auto decryption of the LUKS container) I’ve been wondering, what would it take to have these by default on Fedora? I’d love to have an idea of how much work it’d take.

In the Secure Boot guide all of the steps necessary (for now it needs the COPR repos, but aparently the F36 versions of akmods and kmodtool will already have all of what’s needed, correct me if I’m wrong) will be to create and enroll the secure boot keys, move them to the necessary folders and changing their permissions. Ubuntu does pretty much all of that in their installer if it detects a system using secure boot, prompting you to choose a password for the keys if you choose to install third-party drivers during install.

They already have all of what’s needed for it working, so what would it take to bring those steps to Fedora? Would that add a lot of work for the Anaconda team?

And the other half of it comes to the TPM2 chip.

  • One way of doing it is automatically doing all of the steps if the user chooses to encrypt the system with LUKS on install;

  • The other way would be to add a second checkbox that shows up if they choose LUKS on install for them to choose if they want to automatically decrypt it with the TPM2 chip or not.

The process behind the scenes looks relatively simple to automate, using systemd-cryptenroll, editing /etc/crypttab and then adding the /etc/dracut.conf.d/tss2.conf file in order for dracut to be able to generate a compatible initramfs (I hope I’m not using the wrong terms, I am certainly not technical enough).

I see this being more work on the back of mainly the guys behind the installer, but these would definitely make Fedora on par if not even better than Ubuntu and Microsoft when it comes to using these technologies for a more secure system and help it become more accessible to those with BIOSes with locked down options for Secure Boot.

1 Like