I thought I'd post my way of getting LMDE6 + TPM 2.0 working with Secure Boot enabled in the BIOS.
My goal was to have the TPM unlock my FDE and take me straight to the login screen, as a convenience so I don't have to type in a very long password on each boot.
This is what I did:
I first installed LMDE6 with LUKS encryption from a live USB with the LMDE6 installer/live OS.
I have one M.2 drive, which I let the installation use in full and create the encrypted partitions for me automatically.
I'm not intending to dual-boot or anything like that. I'm only using LMDE6.
I made sure my data was backed up and my TPM was cleared before I started.
When the installation is done, I reboot into my newly installed system, type in my very long password, and once inside the system I update all the packages before I start.
Then I install these 2 packages. Last time, when I tried without tpm2-abrmd, it wouldn't work for some reason and wouldn't authenticate for me.
sudo apt install tpm2-abrmd
sudo apt install tpm2-tools
Reboot the PC.
Within the first 3 commands below it will ask for an encryption password; I use the same password for the encryption as I used during the installer.
Define a TPM2 NV index to hold the key:
This command defines a 64-byte NV index in the TPM at index 0x1500016 (the same index is used in every later command and in the keyscript):
sudo tpm2_nvdefine -s 64 0x1500016
Create a random 64-byte key file (64 alphanumeric characters):
tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 64 > root.key
Save the contents of the key file to TPM2:
sudo tpm2_nvwrite -i root.key 0x1500016
Compare the contents of root.key with the output of tpm2_nvread 0x1500016; they should be exactly the same:
cat root.key
sudo tpm2_nvread 0x1500016
Identify the encrypted device and add the key to the LUKS volume:
lsblk
Identify the partition that owns the 'crypt' entry.
/dev/nvme01p3 is the one in my machine.
Create the getkey script:
sudo pico /usr/local/sbin/tpm2-getkey
containing:
#!/bin/sh
# Keyscript run by cryptsetup from the initramfs; whatever it prints on
# stdout is used as the LUKS key. $CRYPTTAB_SOURCE/$CRYPTTAB_NAME are set
# by cryptsetup for the entry being unlocked.
if [ -f ".tpm2-getkey.tmp" ]; then
    # tmp file exists, meaning we tried the TPM this boot, but it didn't work for the drive and this must be the second
    # or later pass for the drive. Either the TPM is failed/missing, or has the wrong key stored in it.
    /lib/cryptsetup/askpass "Automatic disk unlock via TPM failed for $CRYPTTAB_SOURCE ($CRYPTTAB_NAME) Enter passphrase: "
    exit
fi
# No tmp, so it is the first time trying the script. Create a tmp file and try the TPM
touch .tpm2-getkey.tmp
tpm2_nvread 0x1500016
sudo chown root: /usr/local/sbin/tpm2-getkey
sudo chmod 750 /usr/local/sbin/tpm2-getkey
Create an initramfs hook script so tpm2_nvread and its libraries are copied into the initramfs:
sudo pico /etc/initramfs-tools/hooks/tpm2-decryptkey
containing:
#!/bin/sh
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
. /usr/share/initramfs-tools/hook-functions
# tpm2_nvread plus the device TCTI it needs, and askpass for the fallback prompt
copy_exec "$(which tpm2_nvread)"
copy_exec /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0.0.0
copy_exec /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0
copy_exec /lib/cryptsetup/askpass
exit 0
sudo chown root: /etc/initramfs-tools/hooks/tpm2-decryptkey
sudo chmod 755 /etc/initramfs-tools/hooks/tpm2-decryptkey
First, back up your existing crypttab file:
sudo cp /etc/crypttab /etc/crypttab.backup
Edit crypttab:
The line in /etc/crypttab for the LUKS volume needs keyscript=/usr/local/sbin/tpm2-getkey appended to its options field.
By default on my machine it looks like this:
# <target name> <source device> <key file> <options>
lvmlmde UUID=7fbb9b0d-b2ec-4b8b-ab85-ea0556dbc077 none luks,discard,tries=3
After adding the keyscript option, the line reads:
lvmlmde UUID=7fbb9b0d-b2ec-4b8b-ab85-ea0556dbc077 none luks,discard,tries=3,keyscript=/usr/local/sbin/tpm2-getkey
Back up the current initramfs, then rebuild it so the hook and keyscript are included:
sudo cp /boot/initrd.img-$(uname -r) /boot/initrd.img-$(uname -r).orig
sudo mkinitramfs -o /boot/initrd.img-$(uname -r) $(uname -r)
Reboot the PC!
I can now delete the root.key used above from my home folder.
Hope it helps someone out there!
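The provisioning and crypttab steps above, as an added example that is not part of the original post: the same commands wrapped in functions with explicit checks, so a mismatch between the key file and what the TPM reads back stops the procedure before LUKS is touched, and the crypttab edit is done by a script that can be re-run safely. It also spells out the "add the key to the LUKS" step as cryptsetup luksAddKey, which the post describes but does not show. The NV index number, key length, keyscript path and the example partition are assumptions taken from the post, not anything the TPM requires. Note that the index as defined here has no auth value or PCR policy (the keyscript reads it with no secret at all), so nothing ties the read to the boot state; this defends against the disk being moved to another machine, not against other software booted on this machine reading the index.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions (mine):
# NV index 0x1500016, a 64-byte alphanumeric key, keyscript at
# /usr/local/sbin/tpm2-getkey. provision_tpm_key and
# install_keyscript_in_crypttab need root, a TPM and tpm2-tools;
# the other functions run anywhere.
set -eu

NV_INDEX=0x1500016
KEY_LEN=64
KEYSCRIPT=/usr/local/sbin/tpm2-getkey

# Write KEY_LEN random alphanumeric bytes to $1 (same recipe as the post),
# creating the file root-only before the key lands in it, then check the length.
make_key() {
    ( umask 077; LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c "$KEY_LEN" > "$1" )
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$KEY_LEN" ]
}

# Exit 0 only when the key file ($1) and the bytes read back from the TPM ($2)
# are identical; cmp is byte-exact where eyeballing two cat outputs is not.
verify_nv_roundtrip() {
    cmp -s "$1" "$2"
}

# Print crypttab $1 with ",keyscript=$3" appended to the options of the entry
# named $2. Comments and other entries pass through; an entry that already
# carries a keyscript is left alone, so running this twice is safe.
add_keyscript_to_crypttab() {
    awk -v target="$2" -v ks="$3" '
        /^[[:space:]]*#/ || NF < 4 { print; next }
        $1 == target && $4 !~ /(^|,)keyscript=/ { $4 = $4 ",keyscript=" ks }
        { print }
    ' "$1"
}

# Define the NV index, store the key, read it back and compare, and only then
# add the key as a LUKS keyslot. $1 = LUKS partition, e.g. /dev/nvme0n1p3
# (assumed; use the partition lsblk shows as the parent of the crypt device).
provision_tpm_key() {
    luks_dev=$1
    tmp=$(mktemp -d)
    make_key "$tmp/root.key"
    tpm2_nvdefine -s "$KEY_LEN" "$NV_INDEX"
    tpm2_nvwrite -i "$tmp/root.key" "$NV_INDEX"
    tpm2_nvread "$NV_INDEX" > "$tmp/nv.bin"
    if ! verify_nv_roundtrip "$tmp/root.key" "$tmp/nv.bin"; then
        echo "TPM read-back does not match the key file; not touching LUKS" >&2
        rm -rf "$tmp"
        return 1
    fi
    # Prompts for an existing LUKS passphrase; the new keyslot holds root.key.
    cryptsetup luksAddKey "$luks_dev" "$tmp/root.key"
    rm -rf "$tmp"
}

# Back up crypttab, add the keyscript to the entry named $1 (lvmlmde in the
# post), back up the current initramfs and rebuild it as the post does.
install_keyscript_in_crypttab() {
    cp /etc/crypttab /etc/crypttab.backup
    add_keyscript_to_crypttab /etc/crypttab.backup "$1" "$KEYSCRIPT" > /etc/crypttab
    cp "/boot/initrd.img-$(uname -r)" "/boot/initrd.img-$(uname -r).orig"
    mkinitramfs -o "/boot/initrd.img-$(uname -r)" "$(uname -r)"
}
```

Usage, as root after the two packages and the keyscript and hook from the post are in place: `provision_tpm_key /dev/nvme0n1p3` with whatever partition lsblk shows, then `install_keyscript_in_crypttab lvmlmde`, then reboot. If the first boot falls back to the passphrase prompt, the read-back check has already established that the TPM holds the right bytes, which narrows the fault to the initramfs (missing TCTI library or keyscript) rather than the key.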