User talk:Krin/Secure Boot, full disk encryption, and TPM2 unlocking install

From ArchWiki
Latest comment: 4 September 2022 by Xgjmibzr in topic Use TPM + PIN for unlocking LUKS

Small bugs in the setup

First of all, I wanted to say thanks for this install guide. It was my first time installing Arch, and it all went very smoothly. Since then, I have encountered a few minor issues that you might be interested in fixing in your guide. My setup is Linux only, so I didn't check the dual-boot configuration with Windows, but I believe that it would occur there as well.

Kernel update issue

I encountered an issue after the installation, when upgrading the kernel, because sbctl had the kernel file enrolled in its list of files to sign automatically. The problem is that the new kernel will have a different name, and the command sbctl sign-all will fail. I don't recall exactly what happened next, but I think it messed up the other pacman hooks, and everything wasn't properly signed, so the next boot of the system failed. Removing the flag -s when signing the kernel image during the setup fixes this issue:

# sbctl sign /efi/EFI/Linux/linux-5.14.8-arch1-1-df10c5e79c5444b78ef1b154eef3ca32-rolling.efi 

It should be enough for signing it once during the setup, and have a valid boot chain. Later updates of the kernel should be automatically signed by dracut, so it shouldn't be a problem not to have it enrolled with sbctl.

Bootloader hook bug

I encountered bugs when updating the bootloader, but I don't recall if it was there since the beginning or not. What happens is that the Exec field of the systemd-boot hook doesn't recognize the semicolon at the end of the line, and the command fails. Updating as below (only removing the semicolon) fixed my problem:

/etc/pacman.d/hooks/998-systemd-boot.hook
[Trigger]
Type = Package
Operation = Install
Operation = Upgrade
Target = systemd

[Action]
Description = Updating systemd-boot
When = PostTransaction
Exec = /usr/bin/bootctl update

Enrolling LUKS keys in TPM with systemd 250

Enrolling LUKS keys in the TPM worked perfectly well under systemd 249 (which was used for the guide, and when I installed). But it got updated recently to systemd 250, and TPM handling got some rework. It needs to have access to the TPM shared library at the location /usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so, but dracut doesn't embed it. An issue has been created here [1], and a pull request has been made. I believe it should be fixed in the next release of dracut, but before that happens, a fix can be done easily by modifying:

/etc/dracut.conf.d/tpm2-tss.conf
add_dracutmodules+=" tpm2-tss "
install_items+=" /usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so "

That's all on what I encountered. Once again, thanks for creating this guide!

Using sbctl to enroll windows keys also

Just thought I'd point out that if you're dual-booting Windows, the process of signing/generating/enrolling keys can be exactly the same as Linux-only, just that when you run `sbctl enroll-keys` you should include the `-m`/`--microsoft` option.

Rhysperry111 (talk) 12:24, 31 August 2022 (UTC)

Use TPM + PIN for unlocking LUKS

Per the note here Trusted_Platform_Module#systemd-cryptenroll, you can use a PIN in combination with TPM to unlock the root LUKS container.

Note: As of systemd 251 it is now possible to require a PIN to be entered in addition to the TPM state being correct. Simply add the option --tpm2-with-pin=yes to the command above and enter the PIN when prompted.

This should mitigate security risks of automatic unlocking with plain TPM, while still allowing a quick unlock without having to type in a complex password, and still requiring a fallback to the full password if (as you say) "something spooky happens in your boot path."

Xgjmibzr (talk) 04:18, 4 September 2022 (UTC)
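The TPM2-plus-PIN enrollment described above, as an added shell example that is not Xgjmibzr's code or the ArchWiki guide's: it wipes older TPM2 bindings, enrols with `--tpm2-with-pin=yes`, and then checks the resulting LUKS2 token before the next boot relies on it. It assumes systemd 251 or later, cryptsetup with `token export` support, the systemd-tpm2 token JSON field names (`type`, `tpm2-pcrs`, `tpm2-pin`) as written by systemd-cryptenroll, and a PCR selection of 0+7 (PCR 7 alone is systemd's default); the device path and the token JSON used in the checks are constructed.

```shell
#!/bin/sh
# Added example (not from Xgjmibzr's post or the ArchWiki guide): enrol a LUKS2
# container against the TPM2 *with* a PIN, then check the resulting LUKS token
# before trusting it for the next boot.
# Assumptions: systemd >= 251 (--tpm2-with-pin), cryptsetup with LUKS2 token
# support (`cryptsetup token export`), and the field names of the systemd-tpm2
# token JSON ("type", "tpm2-pcrs", "tpm2-pin") as written by systemd-cryptenroll.
# Binding to PCRs 0+7 (firmware code + Secure Boot policy) is a choice; PCR 7
# alone is systemd's default.

# Does a systemd-tpm2 token (JSON on stdin) require a PIN?
token_has_pin() {
    grep -Eq '"tpm2-pin"[[:space:]]*:[[:space:]]*true'
}

# Print the PCR list of a token (JSON on stdin) as e.g. "0,7".
token_pcrs() {
    sed -n 's/.*"tpm2-pcrs"[[:space:]]*:[[:space:]]*\[\([0-9, ]*\)].*/\1/p' | tr -d ' '
}

# Enrol: wipe older TPM2 bindings first so a PIN-less slot cannot linger,
# then enrol with a PIN. systemd-cryptenroll asks for an existing passphrase
# (keep that slot: it is the fallback when the PCRs change) and for the new PIN.
enroll_tpm2_pin() {
    dev=$1
    pcrs=${2:-0+7}
    systemd-cryptenroll --wipe-slot=tpm2 "$dev"
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" --tpm2-with-pin=yes "$dev"
}

# Walk the LUKS2 token slots and require one systemd-tpm2 token with a PIN.
verify_tpm2_pin_token() {
    dev=$1
    i=0
    while [ "$i" -lt 32 ]; do
        if json=$(cryptsetup token export --token-id "$i" "$dev" 2>/dev/null); then
            if printf '%s' "$json" | grep -q '"type"[[:space:]]*:[[:space:]]*"systemd-tpm2"' \
               && printf '%s' "$json" | token_has_pin; then
                echo "token $i: systemd-tpm2, PIN required, PCRs $(printf '%s' "$json" | token_pcrs)"
                return 0
            fi
        fi
        i=$((i + 1))
    done
    echo "no PIN-protected systemd-tpm2 token on $dev" >&2
    return 1
}

# Usage:  sh enroll-tpm2-pin.sh --run /dev/nvme0n1p2 [0+7]
# Then boot with tpm2-device=auto as a crypttab option (with dracut, via
# rd.luks.options=tpm2-device=auto on the kernel command line; check your
# initramfs generator's documentation). systemd-cryptsetup prompts for the
# PIN and falls back to the passphrase prompt if the TPM refuses to unseal.
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    enroll_tpm2_pin "$2" "${3:-}" && verify_tpm2_pin_token "$2"
fi
```

The verification step matters because a previous PIN-less enrollment that was not wiped would still unseal automatically; the wipe plus the token check closes that gap.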