pimeys: Thank you for the TPM2 #NixOS article @jnsgruk. I decided to give it a go last weekend, and it was a bit longer process than 10 minutes. For anybody who struggles to get rid of the password prompt for the LUKS volume, this setting is essential:
boot.initrd.systemd.enable = true;
The initrd must have systemd installed, so the settings defined with systemd-cryptenroll are available during boot. An alternative way is to use Clevis to encrypt the LUKS password using the TPM module and invoke it during boot. This is not super complex either, but I kind of like the systemd approach more.

Also, the article didn't mention much about the different PCR ids you can use with the TPM. These define the system state in which a secret key can be accessed from the TPM module. If any of the policies trigger, the TPM module will not output any secrets and the user needs to enter the LUKS password. The article uses three policies:
- 0: firmware updates
- 2: extended ROMs from pluggable hardware (e.g. USB)
- 7: secure boot disabled, or firmware certificates update
Additionally, one policy is needed to ensure an attacker cannot boot the system to a single user mode from the bootloader:
- 12: kernel config change, e.g. changing the boot parameters.
It is important to wipe the old slots with systemd-cryptenroll when changing the PCRs. Changing them is additional and doesn't modify the existing policies.

Edit: and do not wipe the password slot! This will render your disk unbootable.
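The configuration and enrolment steps the post describes, collected into one worked example. This is an added illustration, not code from the post, the article or the NixOS project: the device name `cryptroot`, the LUKS UUID placeholder and the `crypttabExtraOpts` option (assumed to be available with the systemd-based initrd on the reader's NixOS release) are assumptions, and the enrolment commands are shown as comments because they are typed into a shell on the running system, not evaluated by Nix.

```nix
# Added example, not from the original post or the linked article.
# Assumes a NixOS system; device names and the UUID are placeholders.
{ config, lib, pkgs, ... }:

{
  # Required: only the systemd-based initrd honours a TPM2 enrolment made
  # with systemd-cryptenroll. With the scripted initrd the passphrase prompt
  # stays, which is the symptom the post describes.
  boot.initrd.systemd.enable = true;

  # Assumption: the root LUKS container as configured for this machine.
  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID";  # placeholder
    # Let systemd-cryptsetup try the TPM2 token before asking for a password.
    crypttabExtraOpts = [ "tpm2-device=auto" ];
  };
}

# Enrolment, done once on the running system (shell commands, kept here as
# comments; the LUKS device path is a placeholder):
#
#   # Enrol a TPM2 key bound to the PCRs named in the post: 0, 2, 7 and 12.
#   # If any of those measurements change, the TPM releases nothing and the
#   # boot falls back to the LUKS password.
#   sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 \
#        /dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID
#
#   # Changing the PCR set: wipe the old TPM2 slot and enrol again in one
#   # invocation. --wipe-slot=tpm2 removes only TPM2 slots; the password
#   # slot is untouched, so the recovery passphrase keeps working.
#   sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto \
#        --tpm2-pcrs=0+2+7+12 /dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID
#
#   # Check the keyslots and tokens before and after; a password slot must
#   # remain, otherwise the disk cannot be unlocked if the PCRs change.
#   sudo cryptsetup luksDump /dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID
```

The `luksDump` check at the end is the practical safeguard for the post's "Edit": run it after every `--wipe-slot` and confirm a non-TPM2 keyslot is still listed before rebooting.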