Assistance needed with FDE + TPM

Hello,

Can someone please help me set up FDE with TPM on Garuda?
I am using TPM2.0 and enrolled for FDE during install of the OS with the default partition setup. I tried following the below article, but I am literally stuck at this point "regenerate initramfs and the EFI image and reboot your system." Additionally I tried to follow the arch wiki for "Trusted Platform Module", but the information is scarce for the noob level I'm on.
Full Disk Encryption on Arch Linux backed by TPM 2.0

Edit: The idea is to boot automatically without the prompt for encryption password.

This is the result of trying to follow the archwiki

lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
zram0 253:0 0 1,7G 0 disk [SWAP]
zram1 253:1 0 1,7G 0 disk [SWAP]
zram2 253:2 0 1,7G 0 disk [SWAP]
zram3 253:3 0 1,7G 0 disk [SWAP]
zram4 253:4 0 1,7G 0 disk [SWAP]
zram5 253:5 0 1,7G 0 disk [SWAP]
zram6 253:6 0 1,7G 0 disk [SWAP]
zram7 253:7 0 1,7G 0 disk [SWAP]
nvme0n1 259:0 0 476,9G 0 disk
├─nvme0n1p1 259:1 0 260M 0 part /boot/efi
├─nvme0n1p2 259:2 0 461,7G 0 part
│ └─luks-8f3f9d43-b54b-4b61-bf40-fc9d9fb8556d 254:0 0 461,7G 0 crypt /var/tmp
└─nvme0n1p3 259:3 0 15G 0 part
  └─luks-599fd87d-20b3-4cbe-9e85-1cb964ee756a 254:1 0 15G 0 crypt [SWAP]

sudo systemd-cryptenroll --tpm2-device=/dev/tpmrm0 /dev/nvme0n1p2
Failed to load LUKS2 superblock: Invalid argument

sudo systemd-cryptenroll --tpm2-device=/dev/tpmrm0 /dev/nvme0n1
Failed to load LUKS2 superblock: Invalid argument

Thanks...

I'm not sure how much assistance you will get with your issue here. I don't believe any of the distro Devs use full disk encryption, so you may not get a lot of well informed advice.

Until someone really familiar with your issue shows up, searching your error messages thoroughly may be your best bet:

arch Linux Failed to load LUKS2 superblock: Invalid argument - Google Search.

4 Likes

It was worth the try I guess. In any case, thanks for the reply. :)

So... I tried using clevis and dracut. Everything seems successful, but dracut early unlock does not seem to engage during boot. What am I missing? What log can I check during boot to see status of dracut or any error messages?

  • I've managed to bind a LUKS volume to the TPM:

clevis luks bind -d /dev/nvme0n1p2 tpm2 '{}'

  • Confirmed that the TPM is working by encrypting and decrypting a secret with it:

$ echo foo | clevis encrypt tpm2 '{}' > secret.jwe
$ clevis decrypt < secret.jwe
foo

  • Enabled late unlocker using

systemctl enable clevis-luks-askpass.path
systemctl start clevis-luks-askpass.path

  • dracut succeeded with:

dracut: *** Including module: clevis ***
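As an added example (not from this thread or from the linked guide), a Python check over the JSON that `cryptsetup luksDump --dump-json-metadata <dev>` prints for a LUKS2 header; systemd-cryptenroll only enrolls LUKS2 headers, so running `cryptsetup luksDump` and confirming "Version: 2" is the first thing to try when it reports "Failed to load LUKS2 superblock". The script lists the TPM2 tokens and flags any binding that has no PCR policy, which is what `clevis luks bind ... tpm2 '{}'` creates: the TPM then releases the key on any boot of that machine, regardless of what was booted. Assumed token layouts (verify against your own dump): systemd-cryptenroll stores its PCR list in a `tpm2-pcrs` array, clevis stores its JWE under `jwe` with the pin config in the base64url `protected` header; the sample metadata below is constructed.

```python
import base64
import json

# Constructed sample shaped like `cryptsetup luksDump --dump-json-metadata`
# output: one systemd-cryptenroll token bound to PCR 7 and one clevis token
# created with `tpm2 '{}'` (no pcr_ids). Blobs are placeholders.
_CLEVIS_HDR = {"alg": "ECDH-ES", "enc": "A256GCM",
               "clevis": {"pin": "tpm2", "tpm2": {"hash": "sha256", "key": "ecc"}}}
SAMPLE_DUMP = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7],
              "tpm2-pcr-bank": "sha256", "tpm2-blob": "PLACEHOLDER"},
        "1": {"type": "clevis", "keyslots": ["2"],
              "jwe": {"protected": base64.urlsafe_b64encode(
                          json.dumps(_CLEVIS_HDR).encode()).rstrip(b"=").decode(),
                      "ciphertext": "PLACEHOLDER", "iv": "PLACEHOLDER", "tag": "PLACEHOLDER"}}},
})

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore padding

def tpm_bindings(metadata: dict) -> list:
    """One record per TPM2-backed token: token id, type, keyslots, bound PCRs."""
    out = []
    for tid, tok in metadata.get("tokens", {}).items():
        ttype = tok.get("type")
        if ttype == "systemd-tpm2":
            pcrs = [int(p) for p in tok.get("tpm2-pcrs", [])]
        elif ttype == "clevis":
            cfg = json.loads(_b64url_decode(tok["jwe"]["protected"])).get("clevis", {})
            if cfg.get("pin") != "tpm2":
                continue  # e.g. a tang pin: not a TPM binding
            ids = cfg.get("tpm2", {}).get("pcr_ids", "")  # "7", "0,7" or a list
            ids = ",".join(map(str, ids)) if isinstance(ids, list) else str(ids)
            pcrs = [int(p) for p in ids.split(",") if p.strip()]
        else:
            continue
        out.append({"token": tid, "type": ttype, "keyslots": tok.get("keyslots", []), "pcrs": pcrs})
    return out

def audit(dump_json: str) -> list:
    """Findings a defender cares about; an empty list means nothing was flagged."""
    bindings = tpm_bindings(json.loads(dump_json))
    findings = []
    if not bindings:
        findings.append("no TPM2 token: the passphrase is still required at boot")
    for b in bindings:
        if not b["pcrs"]:
            findings.append(f"token {b['token']} ({b['type']}) is bound to no PCRs: the TPM "
                            "unseals it on any boot of this machine, whatever was booted")
    return findings
```

Running `audit(SAMPLE_DUMP)` reports only the clevis token; the systemd-cryptenroll token passes because PCR 7 (Secure Boot state) gates the unseal.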

Resolved

Guide for setting up FDE+TPM: Garuda-fde_and_tpm-guide/README.md at main · SubXi/Garuda-fde_and_tpm-guide · GitHub

3 Likes

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.