I want to configure a CentOS 7 system to automatically decrypt a LUKS encrypted root partition at boot, without prompting for a passphrase. This server is equipped with a TPM 1.2 chip, which I can store my key in.
The partition that contains my root logical volume is encrypted with LUKS:
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0 278.5G  0 disk
├─sda1                                          8:1    0     1G  0 part  /boot
└─sda2                                          8:2    0 277.5G  0 part
  └─luks-efd72338-f1b6-4a50-b826-d704642c293f 253:0    0 277.5G  0 crypt
    ├─vg_sda-lv_root                          253:1    0 273.5G  0 lvm   /
    └─vg_sda-lv_swap                          253:2    0     4G  0 lvm   [SWAP]
sr0                                            11:0    1  1024M  0 rom
The TPM chip is enabled and activated. The following packages are installed:
tcsd service is running and enabled:
# systemctl status tcsd
● tcsd.service - TCG Core Services Daemon
Loaded: loaded (/usr/lib/systemd/system/tcsd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-03-17 16:42:35 UTC; 11min ago
Main PID: 895 (tcsd)
tpm_tis kernel driver was loaded:
# dmesg | grep tpm
[    0.430468] tpm_tis 00:05: 1.2 TPM (device-id 0xFE, rev-id 71)
tpm_version command outputs the details of my module:
TPM 1.2 Version Info:
Chip Version: 184.108.40.206
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: WEC
TPM Version: 01010000
Manufacturer Info: 57454300
OK, so the next step is figuring out how to store my key in the TPM 1.2 NVRAM and have logic added to my initramfs that can extract the key and decrypt the root partition. This is where I’m totally lost.
I found a project titled tpm-luks that sounded fairly promising, but I’m not having much luck thus far. After compiling and installing, I ran through the directions to “add a new LUKS key to a key slot and the TPM”:
# tpm-luks -c -d /dev/sda2 -y
Enter a new TPM NV area password:
Re-enter the new TPM NV area password:
Successfully wrote 32 bytes at offset 0 to NVRAM index 0x4 (4).
You will now be prompted to enter any valid LUKS passphrase in order to store
the new TPM NVRAM secret in LUKS key slot 2:
Enter any existing passphrase:
Using NV index 4 for device /dev/sda2
The next step is using dracut to update the initramfs, which doesn’t finish without some warning messages. I am honestly not sure how troublesome these warnings are.
# dracut /boot/initramfs-$(uname -r)-tpm-luks.img
/usr/lib/dracut/modules.d/90crypt-tpm/module-setup.sh: line 24: /var/tmp/dracut.nPJ0Jv/initramfs/etc/cmdline.d/90crypt.conf: No such file or directory
Failed to install module tpm_bios
Broadcast message from systemd-journald@mysystem (Wed 2021-03-17 18:05:06 UTC):
dracut(28567): Failed to install module tpm_bios
Message from syslogd@mysystem at Mar 17 18:05:06 ...
dracut:Failed to install module tpm_bios
The next step is installing TrustedGRUB in order to seal the NVRAM to a PCR. I’m not sure if this is optional or not? I would like to use GRUB2 if possible. Either way, if it is not required, I’d like to see if this process works before worrying about sealing.
I then update the GRUB2 menu to boot the new initramfs.
If I reboot my system at this point, it now prompts for a “TPM NVRAM Password (/dev/sda2)” early on in boot. After entering it, the system continues to load CentOS without prompting for a LUKS passphrase. I think this is one step closer in the right direction; I just don’t know how to have it not prompt for the NVRAM password.
I’m wondering if anyone has any experience with this who can assist me with figuring this out. If there is an alternative way to do this (without tpm-luks) I would be willing to try that out as well.