You are not logged in.

#1 2024-07-17 22:25:50

mine_diver
Member
Registered: 2024-03-18
Posts: 33

LUKS with TPM2 and Secure Boot on GRUB?

Hello!

As a continuation from another topic here regarding whether or not I should bother with Secure Boot, I've decided that I, after all, should,
simply because the computer in question is a laptop (TP201SA), so it makes sense to take advantage of all the security measurements available.

I've already installed and safely stored the admin setup password, user setup password, HDD master password, and HDD user password,
and now, I'm already sitting on the Arch live USB preparing for the installation, CSM disabled and Secure Boot disabled until I sign everything properly.

However, I realized that the Arch Wiki LUKS + TPM2 + Secure Boot scenario only covers installation with systemd-boot,
which doesn't suit my case, since I want to also setup grub-btrfs later on to be able to boot into a btrfs snapshot if something goes wrong.

I haven't been able to find a good article on doing a setup like this on GRUB, so I'm here asking if it's possible to have the Wiki's scenario, but on GRUB.

Thanks!

Offline

#2 2024-07-18 05:27:36

-thc
Member
Registered: 2017-03-15
Posts: 583

Re: LUKS with TPM2 and Secure Boot on GRUB?

It's part of the GRUB article: https://wiki.archlinux.org/title/GRUB#S … ot_support.

The "CA Keys" method (a.k.a. "measured boot") needs the GRUB EFI binary and the kernel image to be signed.

Offline

#3 2024-07-18 08:24:47

mine_diver
Member
Registered: 2024-03-18
Posts: 33

Re: LUKS with TPM2 and Secure Boot on GRUB?

Thank you, but it seems like it only covers the binary signatures, not LUKS auto-unlock with TPM2,
or do I not see something?

Offline

#4 2024-07-18 08:48:21

progandy
Member
Registered: 2012-05-17
Posts: 5,220

Re: LUKS with TPM2 and Secure Boot on GRUB?

As far as I know, grub-btrfs is incompatible with TPM2-unlock. To choose the btrfs subvolume in grub, grub itself would have to unlock the luks partition. There is currently no support in grub to use the TPM for that I think.
Edit: There are patches to enable TPM unsealing, but they are not merged yet. OpenSUSE Tumbleweed carries the patches in their package for experimental support. https://en.opensuse.org/SDB:Encrypted_r … th_TPM_2.0

Maybe you can build something where the default boot option uses the linux kernel stored signed but unencrypted on the ESP and snapshoot boot requires entering the password.
Another thing to remember is that grub does not support all luks2 encryption schemes: https://wiki.archlinux.org/title/GRUB#LUKS2

Edit: Or maybe it could work if the kernel is always on the ESP, but I am not sure and that will cause problems if the snapshot has older kernel modules I think. In that case, grub is simply part of secure boot and the measuerd chain, the unlocking occurs as part of the initramfs startup the same as if you used systemd-boot or EFISTUB.

Last edited by progandy (2024-07-18 09:05:43)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#5 2024-07-18 09:05:07

mine_diver
Member
Registered: 2024-03-18
Posts: 33

Re: LUKS with TPM2 and Secure Boot on GRUB?

progandy wrote:

To choose the btrfs subvolume in grub, grub itself would have to unlock the luks partition.

That's strange, I assumed it'd simply pass the "subvol" kernel parameter, which doesn't sound like it'd require unlocking luks.

Well, if GRUB is so problematic, can I just create a couple of additional systemd-boot boot entries for the latest btrfs snapshots and use those instead?
Or will a different "subvol" value actually make Secure Boot freak out no matter the bootloader?

Offline

#6 2024-07-18 09:12:14

progandy
Member
Registered: 2012-05-17
Posts: 5,220

Re: LUKS with TPM2 and Secure Boot on GRUB?

If your kernel is not part of the snapshot, then it is possible to simply pass the kernel parameters, but with btrfs snapshots you'd probably want the kernel inside the snapshot and then grub has to unlock the partition to get the kernel. Otherwise you will have problems with missing kernel modules or if your new kernel is the problem, then you cannot load the old one. I am not sure if grub-btrfs supports that fragile mode of operation.

With systemd-boot you can add subvol parameters but depending on your configuration of the TPM measurements, the complete kernel commandline is measured and you may be required to enter the password. So you can configure it to not complain, but those are also security considerations. Do you want to be able to boot an old, potentially exploitable version without entering a password?

Edit: Some ideas on how to use systemd-boot can be seen here: https://github.com/cscutcher/snapper_systemd_boot

Last edited by progandy (2024-07-18 09:15:57)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#7 2024-07-18 09:40:58

mine_diver
Member
Registered: 2024-03-18
Posts: 33

Re: LUKS with TPM2 and Secure Boot on GRUB?

I do want the kernel to be a part of the snapshot.
The idea is that I'll have root, var, and home subvolumes, and root will have read-only snapshots on each pacman transaction,
so I can boot into a previous state of the system in case something breaks without a live USB.

And yeah, it totally makes sense to enter a password when booting snapshots.

I suppose though I can't really use snapper in this case, since the snapshots will have to be "moved" each time a new one is created.

Edit: I think for now I'll just proceed with the Wiki LUKS + TPM2 + Secure Boot scenario,
since setting up snapshots can be done post-install.

Last edited by mine_diver (2024-07-18 09:58:17)

Offline

#8 2024-07-18 15:01:11

mine_diver
Member
Registered: 2024-03-18
Posts: 33

Re: LUKS with TPM2 and Secure Boot on GRUB?

Got stuck on "Finalizing the installation". For some reason, only the root btrfs subvolume (@) got auto-mounted.

Do I have to put the other subvolumes into fstab?

Edit: generating fstab with the missing subvolumes worked! Proceeding on...

Last edited by mine_diver (2024-07-18 15:55:53)

Offline

#9 2024-07-18 20:08:49

mine_diver
Member
Registered: 2024-03-18
Posts: 33

Re: LUKS with TPM2 and Secure Boot on GRUB?

It's done! big_smile

I finally have full disk encryption with Secure Boot and TPM unlock. Only took the entire day...

My btrfs layout allows for isolated root snapshots, so I'll leave this unsolved until I find a solution
(or someone answers here) to properly boot into btrfs snapshots from signed systemd-boot.

Offline

Board footer

Powered by FluxBB