Hey, I’m having trouble setting up secure boot and TPM backed decryption with Endeavour OS Titan with systemd-boot. The only guides I found used mkinitcpio and Endeavour OS currently uses dracut. If someone could source a guide on how to do this it would be greatly appreciated.
Welcome to team purple! ![]()
The ArchWiki has a good guide on secure boot and it’s what I followed to set up secure boot on my EnOS install. The key points for my install was deleting the existing keys and putting the UEFI in setup mode (scary), and using SBCTL to do all the heavy work. Read through the guide at least twice before doing the steps that apply to your system.
I don’t have encryption, so can’t comment on that.
Also Secure boot and TPM is just an Microsoft “invention” to track and secure what thy want.
No need for it in Linux.
Secure Boot only offer some extra security for some rare scenarios.
Thought I’d come back here to publish guides on how to enable secure boot and TPM backed decryption. For clarification I use secure boot alongside TPM backed decryption to ensure my data is secure if intercepted while not having the inconvenience of typing in a long passphrase.
Secure Boot
Prerequisites
systemd-bootdracut- EndeavourOS installed with secure boot disabled
- Secure boot in setup mode
sbctlinstalled
If not in setup mode, go in UEFI BIOS and enable it. This is usually done by clearing the current secure boot keys.
If in EndeavourOS this can be easily done with this command:
systemctl reboot --firmware-setup
Install required packages:
sudo pacman -S sbctl
Enabling secure boot
Ensure secure boot is in setup mode:
sbctl status
Create keys for secure boot:
sudo sbctl create-keys
Enroll keys with Microsoft keys (-m) to avoid system brick unless absolutely sure no Microsoft keys are required:
sudo sbctl enroll-keys -m
To list all signable files:
sudo sbctl verify
Sign the following files of the bootloader:
sudo sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
sudo sbctl sign -s /efi/EFI/Boot/bootx64.efi
Note: the paths and/or exact names of the .efi files may differ. If so simply correct the commands above.
With the current behaviour of EndeavourOS, the kernels should NOT be verified, with sbctl sign but should automatically be signed when using reinstall-kernels.
sudo reinstall-kernels
Now simply reboot into firmware and enable secure boot:
systemctl reboot --firmware-setup
EndeavourOS with all kernel options and the bootloader should now boot as intended with secure boot enabled.
TPM Backed Decryption
Prerequisites
dracut- Secure boot enabled system
Check which partition is encrypted:
lsblk
Output:
NAME MAJ:MIN RM SIZE RO TYPE
nvme0n1 259:0 0 931.5G 0 disk
├─nvme0n1p1 259:1 0 2G 0 part /efi
├─nvme0n1p2 259:2 0 16M 0 part
├─nvme0n1p3 259:3 0 728.7G 0 part
├─nvme0n1p4 259:4 0 200G 0 part
│ └─luks-<UUID> 253:0 0 200G 0 crypt /
└─nvme0n1p5 259:5 0 811M 0 part
In this case /dev/nvme0n1p4 is our encrypted partition.
Verify LUKS2 (not LUKS1) is in use:
sudo cryptsetup luksDump /dev/nvme0n1p4 | grep Version
Output:
Version: 2
Verify TPM2 device is available:
systemd-cryptenroll --tpm2-device=list
Output:
PATH DEVICE DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_crb
Setting Up Automatic TPM2 Backed Decryption
Install required packages:
sudo pacman -S tpm2-tss tpm2-tools
Configure Dracut:
Create this config file:
sudo nano /etc/dracut.conf.d/tpm.conf
Add this line:
add_dracutmodules+=" tpm2-tss "
Create another config file:
sudo nano /etc/dracut.conf.d/cryptsetup.conf
Add this line:
install_items+=" /usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so "
This fixes the missing TPM2 token library.
Modify Crypttab:
sudo nano /etc/crypttab
And modify like this to include tpm2-device=auto:
luks-<UUID> UUID=<UUID> none luks,tpm2-device=auto
Enroll the TPM2 key:
Note : Replace /dev/nvme1n1p4 with your partition.
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme1n1p4
Output:
🔐 Please enter current passphrase for disk /dev/nvme0n1p4: ****
New TPM2 token enrolled as key slot 1.
PCR Explanation:
- PCR 0: UEFI firmware code
- PCR 7: Secure Boot state
You may choose to add more PCRs but keep in mind some PCRs will trigger constantly due to updates and Arch’s rolling release.
Verify enrollment:
sudo systemd-cryptenroll /dev/nvme0n1p4
Output:
SLOT TYPE
0 password
1 tpm2
Regenerate initramfs and reboot:
sudo dracut -f
Then:
sudo reboot
EndeavourOS should not request a passphrase to decrypt. If for some reason a PCR fails keep your passphrase handy as as backup.