TPM2 / Systemd / LUKS

Hi!

Cool, I noticed that recently TPM2 must have been added to systemd. I did not see much discussion or info about it; where could I find some info about the reason for, or future vision of, this change?

I would like to set up a system with an encrypted drive, auto unlocking via TPM2 / Systemd.
Is there some info on how to set up such an environment?

One thing I currently wonder about is if I have to create a new initrd. But there I struggle with how this should look on Clear Linux with the EFI boot partition / clr-boot-manager / dracut and such.

# date
Wed Oct  4 09:53:13 PM UTC 2023
# swupd info
Distribution:      Clear Linux OS
Installed version: 40050
Version URL:       https://cdn.download.clearlinux.org/update
Content URL:       https://cdn.download.clearlinux.org/update

# systemctl --version
systemd 252 (252)
+PAM +AUDIT -SELINUX -APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 -IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK -PCRE2 +PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 -LZ4 -XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=hybrid


@ahkok @pixelgeek any input on that?

I managed at least to auto unlock a non-root partition via TPM, but so far I did not manage to do it with the root partition. When I look at other distros' guides, they point to the initrd and dracut. But looking at "What is the best practice to customize initrd?", it seems to indicate that such features should be solved centrally.

What is needed / missing to get LUKS2 root auto unlock on boot with TPM2 going?

Have you already added the bundle bootloader-extras? It adds an initrd we’ve already created. See GitHub - clearlinux/clr-init: Initrd created using systemd as init program for more details.
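Added example (not code from the thread or from Clear Linux): the systemd-cryptenroll enrollment the earlier post describes for a non-root volume, the /etc/crypttab line that goes with it, and an offline check of `cryptsetup luksDump` output for the resulting token. The device path /dev/sda3, the volume name root and the sample dump are assumptions; unlocking root the same way still needs an initrd with TPM2 support, which is what the bootloader-extras reply above is about.

```shell
#!/bin/sh
# Added example, not from the thread. Device, name and sample dump are assumptions.

# Enroll a TPM2 key slot bound to PCR 7 (Secure Boot state) by default.
# PCR 7 alone survives kernel updates from swupd; adding PCR 0 (firmware)
# or 4 (boot loader) tightens the policy but forces re-enrollment when
# those components change. --wipe-slot=tpm2 drops stale TPM2 slots first.
enroll_tpm2() {
    dev="$1"
    pcrs="${2:-7}"
    systemd-cryptenroll --wipe-slot=tpm2 \
        --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev"
}

# crypttab line for the volume: key field "none", tpm2-device=auto makes
# systemd-cryptsetup try the TPM2 first and fall back to the passphrase.
crypttab_entry() {
    name="$1"; uuid="$2"
    printf '%s UUID=%s none tpm2-device=auto\n' "$name" "$uuid"
}

# Count systemd-tpm2 tokens in luksDump text read from stdin (prints 0 if none).
count_tpm2_tokens() {
    grep -c 'systemd-tpm2' || true
}

# Print the PCR list the token is bound to, so a too-weak binding is visible.
pcrs_in_dump() {
    sed -n 's/^[[:space:]]*tpm2-hash-pcrs:[[:space:]]*//p'
}

# Constructed sample of the token section of `cryptsetup luksDump`.
SAMPLE_DUMP='Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        Keyslot:    1'

# Only touch real devices when explicitly asked: ./tpm2-enroll.sh --enroll
if [ "${1:-}" = "--enroll" ]; then
    enroll_tpm2 /dev/sda3 7
    crypttab_entry root "$(blkid -s UUID -o value /dev/sda3)" >> /etc/crypttab
    echo "tpm2 tokens: $(cryptsetup luksDump /dev/sda3 | count_tpm2_tokens)"
    echo "bound PCRs:  $(cryptsetup luksDump /dev/sda3 | pcrs_in_dump)"
fi
```

Run the script without arguments to exercise only the offline parsing on the constructed sample; `--enroll` performs the real enrollment and appends to /etc/crypttab.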