This is a trade-off between security and convenience and makes the machine more vulnerable to cold boot attacks. When using a TPM, unlocking of the root partition is bound to the state of the TPM’s PCR registers. After this stage there will be no password prompt when booting. For this the luks1 encrypted root partition needs to be converted to luks2. In stage 3 TPM is configured using sytemd-cryptenroll. Sbctl comes with a pacman hook that automatically signes the image when the kernel gets updated. New keys are generated and enrolled, microsoft keys are excluded if the hardware allows it, the unified kernel image is signed and secureboot enabled in the uefi setup utility. In stage 2 secureboot is configured using sbctl. As a bonus the boot process should now be significantly faster. Efibootmgr is used to add the boot entry to the motherboard’s uefi firmware. Mkinitcpio is used to generate the unified kernel image. The reason is that a unified kernel image can be easily signed for secureboot and that luks2 support is needed for TPM. In stage 1 a unified kernel image replaces the grub boot loader. Stopping before completing a stage may result in an unbootable machine. One can stop following this guide after each stage. It is possible, but outside the scope of this guide.
0 Comments
Leave a Reply. |