SDB Talk:LUKS2, TPM2 and FIDO2


Hi, I did it for an unencrypted boot partition. But how can I check if the TPM really works? thx.

/etc/grub.d/00_header

Modifying /etc/grub.d/00_header may cause issues when upgrading the grub package, as it's %config(noreplace). It might be smarter to echo "GRUB_PRELOAD_MODULES=tpm" >> /etc/default/grub

/etc/grub.d/00_header 2nd

--Akrupp (talk) 17:07, 14 October 2023 (UTC)

Instead of modifying 00_header: just enable "Trusted Boot" in "yast2 bootloader". Works on 15.5. The option is available in earlier releases, too. After the reboot, enroll the TPM measurements:

systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=2+4+7+8+9 $DEVICE

Reboot. Root should be decrypted via TPM.

Test:

echo >> /boot/grub2/grub.cfg

Reboot. You will be asked for a password.

Open Questions

  1. With "Trusted Boot", if it does fail, is there any option to display which measurement failed?
  2. Updating a "Trusted Boot" machine with an inaccessible console (e.g. remote): Is there a way to avoid the password entry at boot after an update?
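An added bash helper (example code, not from the SDB page or its author) for the two checks raised above: whether the enrolled token is really bound to the PCR set 2+4+7+8+9, and, when a boot falls back to the passphrase, which PCR moved. It assumes cryptsetup's `token export` subcommand, the sysfs PCR files under /sys/class/tpm/tpm0/pcr-sha256/, the environment variables DEVICE and TOKEN_ID, and a made-up script name tpm2-check.sh.

```shell
#!/bin/bash
# Added example (not from the SDB page): sanity checks for a systemd-tpm2 LUKS2 enrolment.
# Assumptions: cryptsetup with the `token export` subcommand, a kernel exposing
# /sys/class/tpm/tpm0/pcr-sha256/<n>, and DEVICE set to the LUKS2 device (e.g. /dev/sda2).
EXPECTED_PCRS="2+4+7+8+9"        # the PCR set enrolled on the talk page

# Print the PCR list stored in a systemd-tpm2 token in systemd-cryptenroll's "a+b+c" form.
# Input on stdin: the JSON from `cryptsetup token export --token-id N $DEVICE`.
token_pcrs() {
    sed -n 's/.*"tpm2-pcrs": *\[\([0-9, ]*\)\].*/\1/p' | tr -d ' ' | tr ',' '+'
}

# Succeed only if stdin holds a systemd-tpm2 token bound to exactly EXPECTED_PCRS.
# A token bound to a smaller set (for example PCR 7 alone) would still unlock after
# grub.cfg or the kernel changed, so the grub.cfg test above would not ask for a password.
token_matches() {
    local json
    json=$(cat)
    printf '%s\n' "$json" | grep -q '"type": *"systemd-tpm2"' || return 1
    [ "$(printf '%s\n' "$json" | token_pcrs)" = "$EXPECTED_PCRS" ]
}

# Record the current sha256 values of the enrolled PCRs, one "<index> <hex>" line each.
# Take one snapshot right after enrolment and keep it off the encrypted volume.
pcr_snapshot() {
    local n
    for n in $(printf '%s' "$EXPECTED_PCRS" | tr '+' ' '); do
        printf '%s %s\n' "$n" "$(cat "/sys/class/tpm/tpm0/pcr-sha256/$n")"
    done
}

# List the PCR indices whose value differs between two snapshot files (old, new).
# After a boot that fell back to the passphrase this names the measurement that moved:
# PCR 9 for files grub loaded (grub.cfg, kernel, initrd), PCR 8 for the commands grub ran,
# PCR 7 for Secure Boot state, PCR 4 for the boot loader binary, PCR 2 for option ROMs.
changed_pcrs() {
    awk 'NR == FNR { old[$1] = $2; next } old[$1] != $2 { print $1 }' "$1" "$2"
}

# Usage on the real machine, as root (TOKEN_ID defaults to 0; the script name is made up):
#   DEVICE=/dev/sda2 ./tpm2-check.sh check
#   ./tpm2-check.sh snapshot > /root/pcrs-enrolled.txt      # right after enrolment
#   ./tpm2-check.sh snapshot > /tmp/pcrs-now.txt            # after a passphrase fallback
#   ./tpm2-check.sh diff /root/pcrs-enrolled.txt /tmp/pcrs-now.txt
case "${1:-}" in
    check)    cryptsetup token export --token-id "${TOKEN_ID:-0}" "$DEVICE" | token_matches && echo "token bound to PCRs $EXPECTED_PCRS" ;;
    snapshot) pcr_snapshot ;;
    diff)     changed_pcrs "$2" "$3" ;;
esac
```

If the token id is not 0 (for example when a recovery key was enrolled first), list the tokens with `cryptsetup luksDump $DEVICE` and pass the right one via TOKEN_ID.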