
Configure LUKS auto-unlocking with TPM2

Guide for setting up auto-unlocking LUKS2 volumes on boot with a TPM2 chip

Resources used: jdoss’s guide - uapi-group - ArchWiki - FreeDesktop - AskUbuntu - tpm2-tools readthedocs

IF YOU HAVE MULTIPLE TPM DEVICES, SPECIFY THE TPM TO BE USED BY PASSING THE FULL PATH TO THE TPM DEVICE (/dev/<TPM2_DEVICE>) IN --tpm2-device= DURING ENROLLMENT

UNPLUG ANY BOOTABLE EXTERNAL STORAGE DEVICES OR INSTALL MEDIA AND REBOOT BEFORE ENROLLING TPM AUTOUNLOCK

TPM AUTOUNLOCK NEEDS TO BE RE-ENROLLED AFTER SECUREBOOT DBX AND UEFI FIRMWARE UPDATES

Check if everything is set up correctly

  • See which volume(s) are LUKS encrypted
sudo blkid -t TYPE=crypto_LUKS
  • See whether secureboot is enabled
sudo mokutil --sb-state
  • See available TPM devices
sudo systemd-cryptenroll --tpm2-device=list

Clear the TPM chip

  • Either use PPI Reset via the UEFI firmware options.
  • Or run the following commands to initiate a PPI reset through Linux (recommended). The value 5 is the PPI "Clear" operation.
sudo sh
echo 5 > /sys/class/tpm/tpm0/ppi/request
  • Reboot to finish the PPI reset
systemctl reboot

Enroll TPM2 to LUKS

  • Enroll the LUKS volumes
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=1+5+7 <LUKS_Volume>
  • Enroll a recovery key (QR Code)
sudo systemd-cryptenroll --recovery-key <LUKS_Volume>
  • Reboot to see whether it worked
systemctl reboot

Remove TPM2 from LUKS

  • Disable TPM autounlock
sudo systemd-cryptenroll --wipe-slot=tpm2 <LUKS_Volume>

Description of the TPM PCRs (in linux)

  • PCR 1 - Hardware configuration was changed (changing/adding/removing RAM, CPU, GPU, etc.)
  • PCR 5 - GPT Partition Table was changed (Creating/Deleting/Modifying partitions)
  • PCR 7 - Changes to UEFI Secureboot State

These values require systemd-boot and/or UKIs:

  • PCR 14 - Changes to Secureboot “MOK” certificates and keys (Enrolling new Secureboot keys)
  • PCR 15 - Changes to machine-id, UUIDs of various mountpoints, other systemd measurements (Mitigation for this ???)
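If the TPM stops unlocking the volume after an update, the fastest way to find the cause is to see which of the bound PCRs (1, 5 and 7 in the enrollment above) actually drifted. The script below is an added example, not part of the original guide or of systemd; it assumes the kernel's sysfs PCR export at /sys/class/tpm/tpm0/pcr-sha256/<N> (the sha256 bank that systemd-cryptenroll uses) and that the snapshot is taken once while the TPM still unlocks, then again after the update.

```shell
#!/bin/sh
# Snapshot the PCRs a LUKS TPM2 enrollment is bound to, and diff two
# snapshots to report which PCR changed. Added example; paths are assumptions.
PCR_DIR=${PCR_DIR:-/sys/class/tpm/tpm0/pcr-sha256}   # kernel sysfs PCR export

# pcr_snapshot PCR... -> prints one "<pcr>=<hex digest>" line per PCR
pcr_snapshot() {
    for n in "$@"; do
        printf '%s=%s\n' "$n" "$(cat "$PCR_DIR/$n")"
    done
}

# pcr_diff BASELINE CURRENT -> prints the PCR numbers whose digest differs.
# Only PCRs present in BASELINE are compared, so extra PCRs are ignored.
pcr_diff() {
    awk -F= 'NR==FNR { base[$1]=$2; next }
             ($1 in base) && base[$1] != $2 { print $1 }' "$1" "$2"
}

# Typical use (run as root):
#   pcr_snapshot 1 5 7 > /root/pcr-baseline.txt      # while unlock still works
#   pcr_snapshot 1 5 7 > /root/pcr-now.txt           # after the update
#   pcr_diff /root/pcr-baseline.txt /root/pcr-now.txt  # e.g. prints "7"
```

A printed "7" means the Secure Boot state (dbx, shim or firmware update) changed and the TPM slot must be re-enrolled with systemd-cryptenroll; "5" points at a partition table change, "1" at a hardware change.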

Ignore the section below, it’s a scratchpad

(TODO, EXPERIMENTAL) Recalculate PCR values after modification/update

  • IF THE SYSTEM ASKS FOR A PASSWORD AFTER AN UPDATE, YOU NEED TO UPDATE THE PCR PREDICTIONS
  • SCRATCH THAT, THIS WON'T WORK WITHOUT SD-BOOT AND UKIS
  • Recalculate the PCRs manually.
sudo systemd-pcrlock predict
sudo systemd-pcrlock make-policy
  • Enable a service that does this automatically on every shutdown/boot.
systemctl enable systemd-pcrlock-make-policy.service

(UNSURE WHAT TO DO WITH THIS) Take Ownership and lock the TPM2 chip

  • Set the Owner, Endorsement and Lockout passwords so they can’t be changed by unauthorized parties. (You need to remove the locks every time you need to re-enroll the TPM.)
tpm2_changeauth -c owner newpass
tpm2_changeauth -c endorsement newpass
tpm2_changeauth -c lockout newpass