Setting up TPM2 for a LUKS2-encrypted root partitionSeptember 5, 2021
The problem (please don’t get into a keyboard group buy)
I was mildly content with entering my LUKS2 password every time I have to reboot my computer. Even though it is quite a complicated password, I got used to it; moreover, I rarely restarted anyway (at most once a day for important updates). However, I am facing a possibility of going without a keyboard for some days to some weeks (Nutshell: I ordered a custom keyboard kit and it’s on a boat somewhere, I had to gift my current keyboard before I get the kit delivered because the recipient is leaving the country). As I planned on using my laptop as a keyboard (using Barrier), I knew for sure any setup wouldn’t work if I am prompted for a decryption password.
First, I had to disable the lightdm greeter. I run i3 as a wm on top of lightdm, and it is superfluous to login that way, keyboard or no keyboard. Because we love privacy and we practice good opsec, I plan to turn it on once I reunite with a working keyboard for an extra layer of security which will prevent cold boot attacks (alternatively, use the key for the lock on my room).
To enable autologin in
/etc/lightdm/lightdm.conf, these two lines need to be
present under the
# /etc/lightdm/lightdm.conf [Seat:*] autologin-user=<username> autologin-user-timeout=0
After that, the group
autologin needs to be created, and the autologin user
added to it. In the shell:
$ sudo gpasswd -a lckdscl autologin $ sudo groupadd -r autologin
The default session must also be set in
~/.dmrc. For me, it contains just the
one line saying
Session=i3. Once all of that is done, then autologin is good
The Arch wiki knows everything
Did you know if I set a keyword shortcut on Librewolf to search the Arch wiki?
Anyhow, I looked through many guides for enabling TPM2 for Linux, and
unsurprisingly, nothing beats the information from
Arch wiki page. I needed to install
systemd-cryptenroll recognised my TPM2 device right away. I recommend
reading the wiki.
The information around adding kernel options so that systemd can mount root
after the decryption step is a bit confusing (in other news, brainlet got
filtered), so I went with making a
/etc/crypttab.initramfs file instead.
Essentially, we just want the path to be decrypted and which TPM device to use.
# /etc/crypttab.initramfs root /dev/vgcrypt/cryptroot - tpm2-device=auto
What about secure boot? Put a condom on.
I only registered to PCR0, which means TMP works if my BIOS signature is not modified. Since my kernel and bootloader, and kernel modules are not signed, I cannot use a PCR slot greater than that. Enabling secure boot would be a pain with some dkms modules. Maybe one day I will sit down and enable secure boot if I feel like it. With a kernel that implements rolling updates, I doubt I ever will get around to do this.
With TPM2 unlocking my drive pleasantly, I didn’t have the need for
and its themes. Plymouth is a package that adds a nice intermediary theme
instead of the boot information the kernel spits out in the tty before X kicks
in. I set the kernel on low verbosity and enable quiet options, so once the
computer turns on, I just have to wait about 20s until I can finally connect my
laptop to my desktop and type from there instead. Problem solved.