You are not logged in.

#1 2019-08-25 17:16:03

MilanKnizek
Member
Registered: 2005-12-13
Posts: 88

Encrypted GRUB /boot with key from TPM?

Hi,
Does anyone have a working setup, which is described in Encrypted boot partition (GRUB), but with a modification so that GRUB would read the decryption key for /boot directory from TPM 1.2? (Like described e.g. here - which is however used in a later stage within initramfs, hence leaving /boot files unencrypted.)


--
Milan Knizek
http://knizek.net

Offline

#2 2019-09-10 21:38:55

Swiggles
Member
Registered: 2014-08-02
Posts: 266

Re: Encrypted GRUB /boot with key from TPM?

I can't help you in detail, but a small little piece of information that might help you: The encrypt hook (not sd-encrypt!) does read "/crypto_keyfile.bin" by default and tries to unlock using this file. So while I don't know the exact syntax you could create a new hook like this:

/etc/initcpio/hooks/decrypt-tpm

#!/bin/sh

run_hook() {
    modprobe -a tpm
    tcsd
    tpm_nvread -i $INDEX -f /crypto_keyfile.bin
}

/etc/initcpio/install/decrypt-tpm

#!/bin/sh

build() {
    local mod

    add_module(tpm)
    add_binary(tpm_nvread)
    add_binary(tcsd)

    add_runscript
}

Fill in the blanks, update the paths and place the hook right before encrypt in your "/etc/mkinitcpio.conf".
Unfortunately I can't help you much further, because I only have it running using a signed EFI Linux image with TPM2, so my working setup differs quite a bit.

Offline

Board footer

Powered by FluxBB