Enabling secure boot and TPM backed decryption

Hey, I’m having trouble setting up secure boot and TPM backed decryption with Endeavour OS Titan with systemd-boot. The only guides I found used mkinitcpio and Endeavour OS currently uses dracut. If someone could source a guide on how to do this it would be greatly appreciated.

Welcome to team purple! :purple_heart:

The ArchWiki has a good guide on secure boot and it’s what I followed to set up secure boot on my EnOS install. The key points for my install was deleting the existing keys and putting the UEFI in setup mode (scary), and using SBCTL to do all the heavy work. Read through the guide at least twice before doing the steps that apply to your system.

I don’t have encryption, so can’t comment on that.

Also Secure boot and TPM is just an Microsoft “invention” to track and secure what thy want.

No need for it in Linux.

Secure Boot only offer some extra security for some rare scenarios.

Thought I’d come back here to publish guides on how to enable secure boot and TPM backed decryption. For clarification I use secure boot alongside TPM backed decryption to ensure my data is secure if intercepted while not having the inconvenience of typing in a long passphrase.

Secure Boot

Prerequisites

  • systemd-boot
  • dracut
  • EndeavourOS installed with secure boot disabled
  • Secure boot in setup mode
  • sbctl installed

If not in setup mode, go in UEFI BIOS and enable it. This is usually done by clearing the current secure boot keys.

If in EndeavourOS this can be easily done with this command:

systemctl reboot --firmware-setup

Install required packages:

sudo pacman -S sbctl

Enabling secure boot

Ensure secure boot is in setup mode:

sbctl status

Create keys for secure boot:

sudo sbctl create-keys

Enroll keys with Microsoft keys (-m) to avoid system brick unless absolutely sure no Microsoft keys are required:

sudo sbctl enroll-keys -m

To list all signable files:

sudo sbctl verify

Sign the following files of the bootloader:

sudo sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
sudo sbctl sign -s /efi/EFI/Boot/bootx64.efi

Note: the paths and/or exact names of the .efi files may differ. If so simply correct the commands above.

With the current behaviour of EndeavourOS, the kernels should NOT be verified, with sbctl sign but should automatically be signed when using reinstall-kernels.

sudo reinstall-kernels

Now simply reboot into firmware and enable secure boot:

systemctl reboot --firmware-setup

EndeavourOS with all kernel options and the bootloader should now boot as intended with secure boot enabled.

TPM Backed Decryption

Prerequisites

  • dracut
  • Secure boot enabled system

Check which partition is encrypted:

lsblk

Output:

NAME                 MAJ:MIN RM   SIZE RO TYPE  
nvme0n1              259:0    0 931.5G  0 disk  
├─nvme0n1p1          259:1    0     2G  0 part  /efi
├─nvme0n1p2          259:2    0    16M  0 part  
├─nvme0n1p3          259:3    0 728.7G  0 part  
├─nvme0n1p4          259:4    0   200G  0 part  
│ └─luks-<UUID>      253:0    0   200G  0 crypt /
└─nvme0n1p5          259:5    0   811M  0 part  

In this case /dev/nvme0n1p4 is our encrypted partition.

Verify LUKS2 (not LUKS1) is in use:

sudo cryptsetup luksDump /dev/nvme0n1p4 | grep Version

Output:

Version:        2

Verify TPM2 device is available:

systemd-cryptenroll --tpm2-device=list

Output:

PATH        DEVICE      DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_crb

Setting Up Automatic TPM2 Backed Decryption

Install required packages:

sudo pacman -S tpm2-tss tpm2-tools

Configure Dracut:

Create this config file:

sudo nano /etc/dracut.conf.d/tpm.conf

Add this line:

add_dracutmodules+=" tpm2-tss "

Create another config file:

sudo nano /etc/dracut.conf.d/cryptsetup.conf

Add this line:

install_items+=" /usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so "

This fixes the missing TPM2 token library.

Modify Crypttab:

sudo nano /etc/crypttab

And modify like this to include tpm2-device=auto:

luks-<UUID> UUID=<UUID>     none luks,tpm2-device=auto

Enroll the TPM2 key:

Note : Replace /dev/nvme1n1p4 with your partition.

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme1n1p4

Output:

🔐 Please enter current passphrase for disk /dev/nvme0n1p4: ****
New TPM2 token enrolled as key slot 1.

PCR Explanation:

  • PCR 0: UEFI firmware code
  • PCR 7: Secure Boot state

You may choose to add more PCRs but keep in mind some PCRs will trigger constantly due to updates and Arch’s rolling release.

Verify enrollment:

sudo systemd-cryptenroll /dev/nvme0n1p4

Output:

SLOT TYPE
   0 password
   1 tpm2

Regenerate initramfs and reboot:

sudo dracut -f

Then:

sudo reboot

EndeavourOS should not request a passphrase to decrypt. If for some reason a PCR fails keep your passphrase handy as as backup.