I’m testing MicroOS and I still don’t really know what I can do and what I can’t.
I would like to be able to unlock my LUKS volumes on boot using TPM 2.0 and thus not have to enter the password manually. There are 2 methods to do this: systemd-cryptenroll and clevis.
- systemd-cryptenroll requires modifying /etc/crypttab. I think it is not possible to modify this file using MicroOS. Does anyone know how to do it?
- Clevis uses commands similar to these:
  sudo clevis luks bind -d /dev/sda2 tpm2 '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}'
  sudo dracut -fv --regenerate-all
I think the clevis method could work. Has anyone tried it? I’m thinking of doing it in a virtual machine.
PS: I know that MicroOS implements remote attestation, but I would like to make it local, and without relying on third parties.
References:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#configuring-manual-enrollment-of-volumes-using-tpm2_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption
https://kowalski7cc.xyz/blog/luks2-tpm2-clevis-fedora31
https://wiki.archlinux.org/title/Trusted_Platform_Module
http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
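The two routes in the post bind the LUKS key to the same thing, a TPM PCR policy, so the PCR choice matters more than the tool. The added script below (not from the post or from the clevis/systemd projects) parses the clevis tpm2 pin config quoted above, derives the equivalent systemd crypttab options (tpm2-device=auto, tpm2-pcrs=), and flags PCR selections that leave the unseal policy weaker than intended; the PCR meanings are the usual TCG PC Client allocation and are an assumption about the platform.

```python
import json

# Clevis tpm2 pin configuration quoted in the post (the only page-specific input).
CLEVIS_CFG = '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}'

# What the commonly used PCRs measure on a UEFI system (TCG PC Client profile).
# Assumption: the usual allocation; exact firmware behaviour varies by vendor.
PCR_MEANING = {
    0: "firmware code", 1: "firmware configuration",
    4: "boot manager / bootloader code", 7: "Secure Boot policy and key databases",
}

def parse_pcr_ids(pcr_ids):
    """Clevis takes a comma-separated list such as '0,1'; return sorted unique ints."""
    ids = set()
    for tok in pcr_ids.replace(" ", "").split(","):
        if tok == "":
            continue
        n = int(tok)
        if not 0 <= n <= 23:
            raise ValueError(f"PCR index out of range: {n}")
        ids.add(n)
    return sorted(ids)

def review_policy(cfg_json):
    """Parse a clevis tpm2 pin config, derive the equivalent systemd crypttab
    options, and flag PCR choices that weaken the unlock policy."""
    cfg = json.loads(cfg_json)
    # Clevis binds to no PCRs at all when pcr_ids is absent; systemd would default to 7.
    pcrs = parse_pcr_ids(cfg.get("pcr_ids", ""))
    # systemd's tpm2-pcrs= wants '+'-separated indexes; an empty value means "no PCRs".
    opts = "tpm2-device=auto,tpm2-pcrs=" + "+".join(str(p) for p in pcrs)
    warnings = []
    if not pcrs:
        warnings.append("no PCR policy: the TPM unseals the key for any OS booted on this machine")
    if 7 not in pcrs:
        warnings.append("PCR 7 not bound: Secure Boot being disabled does not block unsealing")
    if 4 not in pcrs and 7 not in pcrs:
        warnings.append("neither PCR 4 nor 7 bound: a swapped bootloader still unseals the key")
    return {"pcrs": pcrs,
            "measures": [PCR_MEANING.get(p, "other") for p in pcrs],
            "crypttab_options": opts,
            "warnings": warnings}

if __name__ == "__main__":
    for k, v in review_policy(CLEVIS_CFG).items():
        print(f"{k}: {v}")
```

The crypttab options are the ones the systemd route would place in the fourth column of the /etc/crypttab entry after enrolling with `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+1`; the warnings are the caveats worth settling before testing either method in the VM.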