Hi,
Does anyone have a working setup as described in Encrypted boot partition (GRUB), but modified so that GRUB reads the decryption key for the /boot directory from a TPM 1.2? (As described e.g. here, which is however used at a later stage within the initramfs, hence leaving the /boot files unencrypted.)
--
Milan Knizek
http://knizek.net
I can't help you in detail, but a small little piece of information that might help you: The encrypt hook (not sd-encrypt!) does read "/crypto_keyfile.bin" by default and tries to unlock using this file. So while I don't know the exact syntax you could create a new hook like this:
/etc/initcpio/hooks/decrypt-tpm

    #!/bin/sh
    # Runtime hook: runs inside the initramfs, before the encrypt hook.
    run_hook() {
        # Load the TPM 1.2 driver
        modprobe -a tpm
        # Start the TrouSerS daemon that tpm_nvread talks to
        tcsd
        # Read the key blob from the TPM NVRAM index into the path the
        # encrypt hook tries by default ($INDEX is a blank: your NV index)
        tpm_nvread -i "$INDEX" -f /crypto_keyfile.bin
    }

/etc/initcpio/install/decrypt-tpm

    #!/bin/sh
    # Build-time hook: copies the module and binaries into the image.
    build() {
        add_module tpm
        add_binary tpm_nvread
        add_binary tcsd
        add_runscript
    }
Fill in the blanks, update the paths and place the hook right before encrypt in your "/etc/mkinitcpio.conf".
Unfortunately I can't help you much further, because I only have it running using a signed EFI Linux image with TPM2, so my working setup differs quite a bit.
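The ordering requirement above (the hook must run before encrypt, or /crypto_keyfile.bin does not exist yet when encrypt looks for it) is easy to get wrong when editing HOOKS= by hand. The following is an added example, not code from the thread, that parses a mkinitcpio.conf HOOKS line and checks that the hypothetical decrypt-tpm hook precedes encrypt; the two conf lines are constructed samples.

```sh
#!/bin/sh
# Added example: verify hook ordering in a mkinitcpio.conf HOOKS line.

# Print the 0-based position of hook $2 in the space-separated list $1;
# return 1 (printing nothing) if the hook is absent.
hook_index() {
    list=$1; name=$2; i=0
    for h in $list; do
        [ "$h" = "$name" ] && { echo "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# Extract the contents of a HOOKS=(...) line read from stdin.
hooks_from_conf() {
    sed -n 's/^HOOKS=(\(.*\))$/\1/p'
}

# Return 0 when decrypt-tpm is present and listed before encrypt,
# 1 when either hook is missing or the order is reversed.
check_hook_order() {
    hooks=$1
    a=$(hook_index "$hooks" decrypt-tpm) || return 1
    b=$(hook_index "$hooks" encrypt) || return 1
    [ "$a" -lt "$b" ]
}

# Constructed sample conf lines: correct and reversed ordering.
GOOD_CONF='HOOKS=(base udev autodetect keyboard keymap modconf block decrypt-tpm encrypt filesystems fsck)'
BAD_CONF='HOOKS=(base udev autodetect keyboard keymap modconf block encrypt decrypt-tpm filesystems fsck)'

good_hooks=$(printf '%s\n' "$GOOD_CONF" | hooks_from_conf)
bad_hooks=$(printf '%s\n' "$BAD_CONF" | hooks_from_conf)

if check_hook_order "$good_hooks"; then echo "sample 1: ordering ok"; fi
if ! check_hook_order "$bad_hooks"; then echo "sample 2: decrypt-tpm must come before encrypt"; fi
```

Run it against your own file with `hooks_from_conf < /etc/mkinitcpio.conf` in place of the constructed lines; note that it only checks the encrypt hook, since the poster points out sd-encrypt does not read /crypto_keyfile.bin.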