lckdscl's site

Setting up TPM2 for a LUKS2-encrypted root partition

September 5, 2021

The problem (please don’t get into a keyboard group buy)

I was mildly content with entering my LUKS2 password every time I have to reboot my computer. Even though it is quite a complicated password, I got used to it; moreover, I rarely restarted anyway (at most once a day for important updates). However, I am facing a possibility of going without a keyboard for some days to some weeks (Nutshell: I ordered a custom keyboard kit and it’s on a boat somewhere, I had to gift my current keyboard before I get the kit delivered because the recipient is leaving the country). As I planned on using my laptop as a keyboard (using Barrier), I knew for sure any setup wouldn’t work if I am prompted for a decryption password.

Enabling autologin

First, I had to disable the lightdm greeter. I run i3 as a wm on top of lightdm, and it is superfluous to login that way, keyboard or no keyboard. Because we love privacy and we practice good opsec, I plan to turn it on once I reunite with a working keyboard for an extra layer of security which will prevent cold boot attacks (alternatively, use the key for the lock on my room).

To enable autologin in /etc/lightdm/lightdm.conf, these two lines need to be present under the [Seat] option:

# /etc/lightdm/lightdm.conf

[Seat:*]
autologin-user=<username>
autologin-user-timeout=0

After that, the group autologin needs to be created, and the autologin user added to it. In the shell:

$ sudo gpasswd -a lckdscl autologin
$ sudo groupadd -r autologin

The default session must also be set in ~/.dmrc. For me, it contains just the one line saying Session=i3. Once all of that is done, then autologin is good to go.

The Arch wiki knows everything

Did you know if I set a keyword shortcut on Librewolf to search the Arch wiki?

Anyhow, I looked through many guides for enabling TPM2 for Linux, and unsurprisingly, nothing beats the information from this Arch wiki page. I needed to install tpm2-tools, tpm2-tss, tpm2-abrmd. Then systemd-cryptenroll recognised my TPM2 device right away. I recommend reading the wiki.

The information around adding kernel options so that systemd can mount root after the decryption step is a bit confusing (in other news, brainlet got filtered), so I went with making a /etc/crypttab.initramfs file instead. Essentially, we just want the path to be decrypted and which TPM device to use. Here’s mine:

# /etc/crypttab.initramfs
root	/dev/vgcrypt/cryptroot	-	tpm2-device=auto

What about secure boot? Put a condom on.

I only registered to PCR0, which means TMP works if my BIOS signature is not modified. Since my kernel and bootloader, and kernel modules are not signed, I cannot use a PCR slot greater than that. Enabling secure boot would be a pain with some dkms modules. Maybe one day I will sit down and enable secure boot if I feel like it. With a kernel that implements rolling updates, I doubt I ever will get around to do this.

Goodbye Plymouth

With TPM2 unlocking my drive pleasantly, I didn’t have the need for plymouth and its themes. Plymouth is a package that adds a nice intermediary theme instead of the boot information the kernel spits out in the tty before X kicks in. I set the kernel on low verbosity and enable quiet options, so once the computer turns on, I just have to wait about 20s until I can finally connect my laptop to my desktop and type from there instead. Problem solved.