[Tutorial] Secureboot & Trusted Platform Module (TPM)

This guide aims to show how to modify an EOS installation to use secureboot and TPM.

Prerequisites:

  • EOS installation with encrypted root and using UEFI
  • TPM 2.0 module
  • This guide assumes no dual booting is present. It is possible, but outside the scope of this guide.
  • EOS live ISO installation media

Overview:

One can stop following this guide after each stage. Stopping before completing a stage may result in an unbootable machine.

In stage 1 a unified kernel image replaces the grub boot loader. The reason is that a unified kernel image can be easily signed for secureboot and that luks2 support is needed for TPM. Mkinitcpio is used to generate the unified kernel image. Efibootmgr is used to add the boot entry to the motherboard’s uefi firmware. As a bonus the boot process should now be significantly faster.

In stage 2 secureboot is configured using sbctl. New keys are generated and enrolled, microsoft keys are excluded if the hardware allows it, the unified kernel image is signed and secureboot enabled in the uefi setup utility. Sbctl comes with a pacman hook that automatically signes the image when the kernel gets updated.

In stage 3 TPM is configured using sytemd-cryptenroll. For this the luks1 encrypted root partition needs to be converted to luks2. After this stage there will be no password prompt when booting. When using a TPM, unlocking of the root partition is bound to the state of the TPM’s PCR registers. This is a trade-off between security and convenience and makes the machine more vulnerable to cold boot attacks.

Instructions:

/dev/block_deviceY is a placeholder for the root partition (commonly /dev/sda2 or /dev/nvme0n1p2)

Stage 1 unified kernel image

uninstall grub

pacman -Rs grub

delete content of efi system partition

rm -r /boot/efi/EFI

determine luks key slot N associated with keyfile used by grub

cryptsetup open -v --test-passphrase --disable-external-tokens /dev/block_deviceY --key-file /crypto_keyfile.bin

remove luks key slot N

cryptsetup luksKillSlot /dev/block_deviceY N

configure mkinitcpio

remove keyfile from /etc/mkinitcpio.conf

FILES=""

set hooks in /etc/mkinitcpio.conf

HOOKS=(base systemd keyboard autodetect sd-vconsole modconf block sd-encrypt filesystems fsck)

modify /etc/mkinitcpio.d/linux.preset . This instructs mkinitcpio to create a unified kernel image at /boot/efi/archlinux-linux.efi

ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux"
ALL_microcode="/boot/*-ucode.img"

PRESETS=('default')

default_image="/boot/initramfs-linux.img"
default_efi_image="/boot/efi/archlinux-linux.efi"

create /etc/crypttab.initramfs . The UUID can be found with ls -l /dev/disk/by-uuid/ or in /etc/crypttab. Mkinitcpio will write the content of this file to /etc/crypttab in the initramfs. In early userspace this will cause the root partition to be unlocked and made available at /dev/mapper/root

root UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

set kernel commandline in /etc/kernel/cmdline

root=/dev/mapper/root rw quiet

regenerate mkinitcpio presets

mkinitcpio -P

delete the entry in /etc/crypttab . Otherwise the system might attempt to unlock root multiple times.

install efibootmgr

pacman -S efibootmgr

list boot entries

efibootmgr

delete boot entry for grub. XXXX is the id of the boot entry

efibootmgr -B -b XXXX

add boot entry. /dev/block_device is the disk (commonly /dev/sda or /dev/nvme0n1). X is the partition number of the efi system partition (commonly 1)

efibootmgr --disk /dev/block_device --part X --create --label "endeavouros" --loader /archlinux-linux.efi

Stage 2 secureboot

boot into the UEFI setup utility and enable secureboot setup mode. This process is different from device to device. The option should sound similar to

  • clear/delete keys/certificates
  • reset to setup mode

install sbctl

pacman -S sbctl

verify that setup mode is enabled

sbctl status

Installed:  	✗ sbctl is not installed
Setup Mode: 	✗ Enabled
Secure Boot:	✗ Disabled

create keys

sbctl create-keys

sbctl enroll-keys uses the TPM eventlog to check if option ROM firmware is part of the bootchain. If it is and microsoft certificates are not enrolled, enabling secureboot may brick the machine.

sbctl enroll-keys

to include microsoft certificates perform

sbctl enroll-keys --microsoft

sign the unified kernel image

sbctl sign -s /boot/efi/archlinux-linux.efi

boot into the UEFI setup utility and enable secureboot. Set a UEFI password.


Stage 3 TPM

boot into an EOS Live ISO. For this, secureboot needs to be temporarily disabled.

convert luks1 to luks2

cryptsetup convert --type luks2 /dev/block_deviceY

re-enable secureboot and boot into the EOS installation

install tpm2-tss

pacman -S tpm2-tss

enroll TPM to luks2 partition. --tpm2-pcrs=0+7 specifies which PCR registers state is bound to the unlocking of the root partition. In this case registers 0 and 7. A Table of PCR Definitions can be found here https://man.archlinux.org/man/systemd-cryptenroll.1 . Rerun this command if you knowingly caused the used PCR states to change.

systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7 /dev/block_deviceY

modify /etc/crypttab.initramfs

root UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX - tpm2-device=auto

regenerate mkinitcpio presets

mkinitcpio -P

This created a new unified kernel image. Because this happened outside pacman the sbctl pacman hook did not run and the image needs to be manually signed

sbctl sign-all

Closing Thoughts:

  • Only one of many ways of setting up secureboot and TPM is shown here.
    • Dracut can replace Mkinitcpio.
    • Clevis can replace systemd-cryptenroll.
    • A different boot loader can be used.
    • Instead of enrolling user generated keys, a signed boot loader such as shim can be used. This might be preferable when dual booting windows but less secure.
  • Any questions or improvements to this guide are welcome.

links

efistub
https://wiki.archlinux.org/title/EFISTUB

kernel parameters
https://wiki.archlinux.org/title/Kernel_parameters#Parameter_list

mkinitcpio
https://wiki.archlinux.org/title/Mkinitcpio

dmcrypt
https://wiki.archlinux.org/title/Dm-crypt

dmcrypt system configuration
https://wiki.archlinux.org/title/Dm-crypt/System_configuration

dmcrypt device encryption
https://wiki.archlinux.org/title/Dm-crypt/Device_encryption

TPM
https://wiki.archlinux.org/title/Trusted_Platform_Module

persisten block device naming
https://wiki.archlinux.org/title/Persistent_block_device_naming

unified kernel image
https://wiki.archlinux.org/title/Unified_kernel_image

secureboot
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

Krin guide
https://wiki.archlinux.org/title/User:Krin/Secure_Boot,_full_disk_encryption,_and_TPM2_unlocking_install

sbctl option rom

6 Likes