Leap 16 slow to open Full Disk Encryption TPM 2.0

Hi everyone,

I’m running tests on Leap 16 in a VM: UEFI, Full Disc Encryption and TPM 2.0. Loading shim happens instantly but it takes 20 seconds to unlock the disc. Is there any way to speed up the process? Is it due to the VM?

Thank you for your help!

https://en.opensuse.org/SDB:Encrypted_root_file_system#GRUB_level_decryption_at_boot_is_too_slow

I had read this page but I didn’t know if it applied to unlocking thanks to TPM. I’ll try, thank you!

Apparently when you create a full disk encryption, it uses three keys. On boot, the key in slot 1 is used to unlock the disc. I’ve tried sudo cryptsetup luksChangeKey --pbkdf-force-iterations 1000 --pbkdf pbkdf2 /dev/vda2. I enter the same passphrase that I used to protect the disc but slot 1 is unaffected. Is the key in slot 1 different from my passphrase?

I’ve done some testing. By default, the key in my VM in slot 0 has 4152776 iterations and it takes 58 seconds to unlock the disc. If I reduce it to 1000 iterations (the minimum allowed for pbkdf2), it takes 29 seconds to open. That’s a large decrease but I seriously hope that it doesn’t take 30 seconds to unlock a disc on a real computer!
I’m curious, why are there three used key slots in a default FDE installation?
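To answer the question raised above (is the key in slot 1 the passphrase, and which slot carries what KDF cost), here is an added example that is not code from this thread, from openSUSE or from cryptsetup. It parses the JSON header that `cryptsetup luksDump --dump-json-metadata` prints for a LUKS2 volume and joins the keyslots table with the tokens table: a slot referenced by a token holds a random key released by that mechanism (TPM2 unseal, recovery key), not a passphrase, while a slot with no token is a passphrase slot. The sample header is constructed; slot 0 mirrors the iteration count reported above, and the `systemd-tpm2` token type is what `systemd-cryptenroll` writes, so whether Leap 16's installer produces that exact token type is an assumption here.

```python
import json
import subprocess
import sys

# Constructed sample in the shape of `cryptsetup luksDump --dump-json-metadata <dev>`,
# trimmed to the fields used here (a real header also carries af/area/segments/digests).
# Slot 0 mirrors the passphrase slot reported in the thread (PBKDF2, 4152776
# iterations); slot 1 is the TPM2-bound slot; slot 2 a recovery key. Salts are
# placeholders, not real header data.
SAMPLE_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "pbkdf2", "hash": "sha256",
                      "iterations": 4152776, "salt": "cGxhY2Vob2xkZXI="}},
        "1": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "pbkdf2", "hash": "sha256",
                      "iterations": 1000, "salt": "cGxhY2Vob2xkZXI="}},
        "2": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                      "cpus": 4, "salt": "cGxhY2Vob2xkZXI="}},
    },
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7]},
        "1": {"type": "systemd-recovery", "keyslots": ["2"]},
    },
})


def dump_metadata(device):
    """Read the LUKS2 JSON header from a real device (needs root and cryptsetup >= 2.0)."""
    return subprocess.run(
        ["cryptsetup", "luksDump", "--dump-json-metadata", device],
        check=True, capture_output=True, text=True).stdout


def describe_keyslots(metadata_json):
    """One record per key slot: KDF type and cost, and which token (if any) unlocks it."""
    meta = json.loads(metadata_json)
    # Invert the token table so each slot knows the token that supplies its key.
    token_for_slot = {}
    for token_id, token in meta.get("tokens", {}).items():
        for slot in token.get("keyslots", []):
            token_for_slot[slot] = f"{token['type']}#{token_id}"
    records = []
    for slot_id in sorted(meta["keyslots"], key=int):
        kdf = meta["keyslots"][slot_id]["kdf"]
        if kdf["type"] == "pbkdf2":
            cost = f"{kdf['iterations']} iterations of {kdf['hash']}"
        else:  # argon2i / argon2id carry time/memory/cpus instead of iterations
            cost = f"time={kdf['time']} memory={kdf['memory']}KiB cpus={kdf['cpus']}"
        records.append({"slot": int(slot_id), "kdf": kdf["type"],
                        "iterations": kdf.get("iterations"), "cost": cost,
                        "unlocked_by": token_for_slot.get(slot_id, "passphrase")})
    return records


def costly_passphrase_slots(metadata_json, max_pbkdf2_iterations=100_000):
    """Passphrase slots whose KDF a pre-boot loader would have to grind through:
    PBKDF2 above the threshold, or Argon2 (memory-hard by design).
    Token-backed slots are skipped: their key is random, so their KDF cost is
    deliberately minimal and is not what a slow boot is spending time on."""
    return [r["slot"] for r in describe_keyslots(metadata_json)
            if r["unlocked_by"] == "passphrase"
            and (r["kdf"] != "pbkdf2" or r["iterations"] > max_pbkdf2_iterations)]


if __name__ == "__main__":
    # Usage: python3 luks_slots.py [/dev/vda2]; without a device the sample is used.
    metadata = dump_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    for rec in describe_keyslots(metadata):
        print(f"slot {rec['slot']}: {rec['kdf']} ({rec['cost']}) unlocked by {rec['unlocked_by']}")
    print("costly passphrase slots:", costly_passphrase_slots(metadata))
```

On the constructed header this reports slot 0 as the only passphrase slot and the only costly one; slot 1 shows up as bound to the `systemd-tpm2` token, which is why changing the passphrase with `luksChangeKey` leaves it untouched.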

@frederic.mesplede Perhaps a read of how it’s done on Aeon?
https://github.com/AeonDesktop/Project/wiki/Encryption

I suspect it’s slow because TPM 2.0 is software emulation?

So I have Aeon on a Dell Micro 3080, only password I enter is to log into the Desktop…

systemd-analyze 
Startup finished in 7.423s (firmware) + 1.849s (loader) + 602ms (kernel) + 3.619s (initrd) + 7.444s (userspace) = 20.939s 
graphical.target reached after 7.444s in userspace.

fwupdmgr security
Host Security ID: HSI:1 (v2.0.16)

HSI-1
✔ BIOS firmware updates:         Enabled
✔ MEI key manifest:              Valid
✔ csme manufacturing mode:       Locked
✔ csme override:                 Locked
✔ csme v0:14.5.57.2316:          Valid
✔ Platform debugging:            Disabled
✔ SPI write:                     Disabled
✔ SPI lock:                      Enabled
✔ SPI BIOS region:               Locked
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled

HSI-2
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard:               Enabled
✔ Intel BootGuard OTP fuse:      Valid
✔ Intel BootGuard verified boot: Valid
✔ Intel GDS mitigation:          Enabled
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid
✘ BIOS rollback protection:      Disabled

HSI-3
✔ Intel BootGuard error policy:  Valid
✔ Pre-boot DMA protection:       Enabled
✘ CET Platform:                  Not supported
✘ Suspend-to-idle:               Disabled
✘ Suspend-to-ram:                Enabled

HSI-4
✔ SMAP:                          Enabled
✘ Encrypted RAM:                 Not supported

Runtime Suffix -!
✔ fwupd plugins:                 Untainted
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Encrypted
✔ Linux kernel:                  Untainted
✔ UEFI db:                       Valid

tpm2_getcap properties-fixed | grep TPM2_PT_REVISION -A2

TPM2_PT_REVISION:
  raw: 0x8A
  value: 1.38

Yes, the TPM chip is emulated (CRB 2.0). @malcolmlewis Did you need to adjust the number of iterations to have a normal boot time?

@frederic.mesplede nope the Aeon install is the default (Slot 1). Now I have had to re-enroll a few times when I get firmware updates, likewise a few kernel boot issues, aside from that all works fine for me.

@malcolmlewis Did you follow these instructions to re-enroll the TPM chip?

@frederic.mesplede Nooo… https://github.com/AeonDesktop/Project/wiki/Advanced-Encryption#complete-re-enrollment-of-tpm2

I only used;

sdbootutil unenroll --method=tpm2
sdbootutil enroll --method=tpm2

@malcolmlewis Does this also apply to Leap 16?

@frederic.mesplede I don’t see why not?

@malcolmlewis I don’t know, the encryption may have been implemented differently.

Leap comes with grub2-efi by default.

@karlggest I switched to systemd-boot :wink:

https://en.opensuse.org/Systemd-boot

zypper in systemd-boot

cat /etc/sysconfig/bootloader | grep LOADER_TYPE
LOADER_TYPE="grub2-efi"

update-bootloader --loader systemd-boot
update-bootloader 

bootctl --make-machine-id-directory=yes install

Created "/boot/efi/EFI/systemd".
Created "/boot/efi/loader".
Created "/boot/efi/loader/keys".
Created "/boot/efi/loader/entries".
Created "/boot/efi/EFI/Linux".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/efi/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/efi/EFI/BOOT/BOOTX64.EFI".
Created "/boot/efi/4970dd0ab4444d54af87cdc19c53ba11".
⚠️ Mount point '/boot/efi' which backs the random seed file is world accessible, which is a security hole! ⚠️
⚠️ Random seed file '/boot/efi/loader/.#bootctlrandom-seed65007f85732c04cd' is world accessible, which is a security hole! ⚠️
Random seed file /boot/efi/loader/random-seed successfully written (32 bytes).
Created EFI boot entry "Linux Boot Manager".

tree /boot/efi/
/boot/efi/
├── 4970dd0ab4444d54af87cdc19c53ba11
├── EFI
│   ├── Dell
│   │   └── logs
│   │       ├── diags_current.xml
│   │       └── diags_previous.xml
│   ├── Linux
│   ├── boot
│   │   ├── MokManager.efi
│   │   ├── bootx64.efi
│   │   └── fallback.efi
│   ├── opensuse
│   │   ├── MokManager.efi
│   │   ├── boot.csv
│   │   ├── grub.cfg
│   │   ├── grub.efi
│   │   ├── grubx64.efi
│   │   └── shim.efi
│   └── systemd
│       └── systemd-bootx64.efi
└── loader
    ├── entries
    ├── entries.srel
    ├── keys
    ├── loader.conf
    └── random-seed

12 directories, 15 files

efibootmgr
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0001,0000,0002
Boot0000* opensuse-secureboot	HD(1,GPT,d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf,0x800,0x800000)/File(\EFI\opensuse\shim.efi)
Boot0001* Linux Boot Manager	HD(1,GPT,d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf,0x800,0x800000)/File(\EFI\systemd\systemd-bootx64.efi)
Boot0002* UEFI: SCSI Hard Drive	HD(1,GPT,d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf,0x800,0x800000)/File(EFI\boot\bootx64.efi)0000424f

mv /boot/efi/EFI/systemd/systemd-bootx64.efi /boot/efi/EFI/systemd/grub.efi
cp /usr/share/efi/x86_64/shim.efi /boot/efi/EFI/systemd/shim.efi
cp /usr/share/efi/x86_64/MokManager.efi /boot/efi/EFI/systemd/MokManager.efi

vi /etc/sysconfig/bootloader
update-bootloader
cat /etc/sysconfig/bootloader | grep LOADER_TYPE
LOADER_TYPE=""

efibootmgr --delete --label opensuse-secureboot
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0001,0002
Boot0001* Linux Boot Manager	HD(1,GPT,d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf,0x800,0x800000)/File(\EFI\systemd\systemd-bootx64.efi)
Boot0002* UEFI: SCSI Hard Drive	HD(1,GPT,d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf,0x800,0x800000)/File(EFI\boot\bootx64.efi)0000424f

efibootmgr --delete --label "Linux Boot Manager"
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0002
Boot0002* UEFI: SCSI Hard Drive	HD(1,GPT,d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf,0x800,0x800000)/File(EFI\boot\bootx64.efi)0000424f

rm -r /boot/efi/EFI/opensuse

sdbootutil install
sdbootutil -v add-all-kernels
Installing all kernels
Found kernel 6.12.0-160000.5-default = 922982caac3cdd86efcdbea652fc602ffa0de26b
Installing kernel 6.12.0-160000.5-default
Generating new initrd
Required free space in ESP: 82030 KB
Installed /boot/efi/4970dd0ab4444d54af87cdc19c53ba11/6.12.0-160000.5-default/linux-922982caac3cdd86efcdbea652fc602ffa0de26b
Installed /boot/efi/4970dd0ab4444d54af87cdc19c53ba11/6.12.0-160000.5-default/initrd-0e736204a41de9ffe6ac9d56a60493b592d18594
Installed /boot/efi/loader/entries/4970dd0ab4444d54af87cdc19c53ba11-6.12.0-160000.5-default-1.conf

efibootmgr 
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0002
Boot0000* openSUSE Boot Manager (systemd-boot)	HD(1,GPT,d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf,0x800,0x800000)/File(\EFI\systemd\shim.efi)
Boot0002* UEFI: SCSI Hard Drive	HD(1,GPT,d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf,0x800,0x800000)/File(EFI\boot\bootx64.efi)0000424f

bootctl 
System:
      Firmware: UEFI 2.70 (American Megatrends 5.15)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes
  Measured UKI: no
  Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 257.7+suse.19.ga0dfd5de4c
     Features: ✓ Boot counting
               ✓ Menu timeout control
               ✓ One-shot menu timeout control
               ✓ Default entry control
               ✓ One-shot entry control
               ✓ Support for XBOOTLDR partition
               ✓ Support for passing random seed to OS
               ✓ Load drop-in drivers
               ✓ Support Type #1 sort-key field
               ✓ Support @saved pseudo-entry
               ✓ Support Type #1 devicetree field
               ✓ Enroll SecureBoot keys
               ✓ Retain SHIM protocols
               ✓ Menu can be disabled
               ✓ Multi-Profile UKIs are supported
               ✓ Boot loader set partition information
    Partition: /dev/disk/by-partuuid/d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf
       Loader: └─/EFI/systemd/grub.efi
Current Entry: 4970dd0ab4444d54af87cdc19c53ba11-6.12.0-160000.5-default-1.conf
Default Entry: opensuse-tumbleweed-6.16.8-1-default-1.conf <<=maybe a leftover from the previous install?

Random Seed:
 System Token: set
       Exists: yes

Available Boot Loaders on ESP:
          ESP: /boot/efi (/dev/disk/by-partuuid/d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf)
         File: ├─/EFI/systemd/grub.efi (systemd-boot 257.7+suse.19.ga0dfd5de4c)
               ├─/EFI/systemd/shim.efi
               ├─/EFI/systemd/MokManager.efi
               ├─/EFI/BOOT/BOOTX64.EFI
               ├─/EFI/BOOT/fallback.efi
               └─/EFI/BOOT/MokManager.efi

Boot Loaders Listed in EFI Variables:
        Title: openSUSE Boot Manager (systemd-boot)
           ID: 0x0000
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf
         File: └─/EFI/systemd/shim.efi

        Title: UEFI: SCSI Hard Drive
           ID: 0x0002
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf
         File: └─EFI/boot/bootx64.efi

Boot Loader Entries:
        $BOOT: /boot/efi (/dev/disk/by-partuuid/d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf)
        token: 4970dd0ab4444d54af87cdc19c53ba11

Default Boot Loader Entry:
         type: Boot Loader Specification Type #1 (.conf)
        title: openSUSE Leap 16.0
           id: 4970dd0ab4444d54af87cdc19c53ba11-6.12.0-160000.5-default-1.conf
       source: /boot/efi//loader/entries/4970dd0ab4444d54af87cdc19c53ba11-6.12.0-160000.5-default-1.conf (on the EFI System Partition)
     sort-key: opensuse-leap
      version: 1@6.12.0-160000.5-default
   machine-id: 4970dd0ab4444d54af87cdc19c53ba11
        linux: /boot/efi//4970dd0ab4444d54af87cdc19c53ba11/6.12.0-160000.5-default/linux-922982caac3cdd86efcdbea652fc602ffa0de26b
       initrd: /boot/efi//4970dd0ab4444d54af87cdc19c53ba11/6.12.0-160000.5-default/initrd-0e736204a41de9ffe6ac9d56a60493b592d18594
      options: root=UUID=1c245532-54ec-4e68-9474-f1056924c174 nomodeset mitigations=auto quiet security=selinux selinux=1 intel_iommu=on rd.driver.blacklist=nouveau roo>
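After hand-editing the ESP and the boot variables the way the post above does (deleting entries with `efibootmgr --delete`, renaming `systemd-bootx64.efi` to `grub.efi`, copying `shim.efi` and `MokManager.efi` beside it), the check worth automating is that the entry that boots first still goes through shim, so Secure Boot verifies the next stage, and that shim's companions are where shim will look for them. The following is an added example, not code from the post, from sdbootutil or from systemd; it parses plain `efibootmgr` output (the sample is the output shown above, after `sdbootutil install`). That shim loads a file named `grub.efi` from its own directory is taken from the rename the post performs and is an assumption here, not something the code verifies.

```python
import re
import subprocess
from pathlib import Path

# Sample input: the efibootmgr output shown in the post above (after sdbootutil install).
SAMPLE_EFIBOOTMGR = (
    "BootCurrent: 0000\n"
    "Timeout: 1 seconds\n"
    "BootOrder: 0000,0002\n"
    "Boot0000* openSUSE Boot Manager (systemd-boot)\t"
    "HD(1,GPT,d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf,0x800,0x800000)/File(\\EFI\\systemd\\shim.efi)\n"
    "Boot0002* UEFI: SCSI Hard Drive\t"
    "HD(1,GPT,d8bcabbe-e3a0-4eef-aae4-e9ebf2dc9caf,0x800,0x800000)/File(EFI\\boot\\bootx64.efi)0000424f\n"
)

# "Boot0000* Label<TAB>device-path"; the '*' marks an active entry.
ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*?)\t(.*)$")
FILE_RE = re.compile(r"File\(([^)]*)\)")


def parse_efibootmgr(text):
    """Return BootOrder, BootCurrent and one record per BootXXXX entry."""
    info = {"order": [], "current": None, "entries": {}}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            info["order"] = line.split(":", 1)[1].strip().split(",")
        elif line.startswith("BootCurrent:"):
            info["current"] = line.split(":", 1)[1].strip()
        else:
            m = ENTRY_RE.match(line)
            if not m:
                continue
            num, active, label, path = m.groups()
            f = FILE_RE.search(path)
            # Device paths use backslashes; normalise to an ESP-relative POSIX path.
            loader = f.group(1).replace("\\", "/").lstrip("/") if f else None
            info["entries"][num] = {"label": label, "active": active == "*", "loader": loader}
    return info


def first_boot_loader(info):
    """(entry number, ESP-relative loader path) of the first active entry in BootOrder."""
    for num in info["order"]:
        entry = info["entries"].get(num)
        if entry and entry["active"]:
            return num, entry["loader"]
    return None, None


def boot_path_uses_shim(info, esp=None):
    """True if the first entry to boot loads shim.efi (and, if an ESP mount point
    is given, that file exists on it)."""
    _, loader = first_boot_loader(info)
    if loader is None or not loader.lower().endswith("/shim.efi"):
        return False
    return True if esp is None else (Path(esp) / loader).is_file()


def missing_companions(esp, loader, companions=("grub.efi", "MokManager.efi")):
    """Companion files shim needs in its own directory that are absent from the ESP
    (grub.efi is the renamed systemd-boot binary from the post: an assumption)."""
    shim_dir = Path(esp) / Path(loader).parent
    return [name for name in companions if not (shim_dir / name).is_file()]


if __name__ == "__main__":
    # Use live efibootmgr output when available, else the sample from the post.
    try:
        text = subprocess.run(["efibootmgr"], check=True,
                              capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_EFIBOOTMGR
    info = parse_efibootmgr(text)
    num, loader = first_boot_loader(info)
    print(f"first boot entry {num} loads {loader}; via shim: {boot_path_uses_shim(info)}")
    if loader:
        print("missing beside shim on /boot/efi:", missing_companions("/boot/efi", loader))
```

Run as root on the machine after the switch; an ordering where the fallback `EFI/boot/bootx64.efi` entry comes first, or a `grub.efi` that was never renamed into place, is reported before the next reboot rather than discovered at it.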

Well, grub2 uses 19 seconds to load, so maybe I’ll try to do the switch :slightly_smiling_face:

Thank you very much for these lines!
I did it line by line on a fresh installed Leap-16 (grub2-efi) and it worked.

The encryption prompt is much nicer and it starts immediately after hitting enter (no delay at all).

Will grub2 always take ~20 seconds to load after a default Leap FDE installation?

Wasn’t this already answered with the link to the wiki in the very first comment?

I still want to know if the slowness is due to virtualisation of the TPM chip or to grub2, and whether it can be solved by changing the number of operations for TPM unlocking or not. I don’t unlock the disc thanks to a passphrase.