Last activity 1742310728

anduin revised this gist 1742310728.

1 file changed, 2 insertions, 3 deletions

gistfile1.md

@@ -4,10 +4,9 @@
4 4 * Prepare mok-util to ensure MOK trust your own keys. Reboot.
5 5 * Prepare all drivers, modules. Build and sign the kernel and modules. Reboot.
6 6 * Prepare necessary tpm tools. Use dracut to replace initramfs-tools. Reboot.
7 - * Use systemd-cryptenroll to change to a stronger password. Reboot. Ensure auto unlock.
7 + * Use systemd-cryptenroll to change to a stronger password. Reboot.
8 8 * Enable Secure Boot
9 - * Use dracut to generate a initrd.
10 - * Use TPM to auto unlock root partition.
9 + * Use systemd-cryptenroll to use TPM to auto unlock root partition. Reboot. Ensure auto unlock.
11 10
12 11 ## Install dependencies
13 12
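Review bot: moving the TPM enrollment after the "Enable Secure Boot" step (new line 9) is the right order, and the list should say why: the enrollment command later in this file binds PCR 7 (Secure Boot state) and PCR 14 (shim MOK), so a policy sealed while Secure Boot is still off stops matching the moment it is switched on and the volume falls back to the passphrase. The removed line 10 "Use dracut to generate a initrd." was the only item that said the initrd must be built; line 6 now only says "Use dracut to replace initramfs-tools", so consider keeping an explicit "run `sudo dracut -f --hostonly`, then reboot" item before the enrollment step, since PCR 9 in the same policy measures that initrd.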

anduin revised this gist 1742310687.

1 file changed, 1 insertion, 1 deletion

gistfile1.md

@@ -4,7 +4,7 @@
4 4 * Prepare mok-util to ensure MOK trust your own keys. Reboot.
5 5 * Prepare all drivers, modules. Build and sign the kernel and modules. Reboot.
6 6 * Prepare necessary tpm tools. Use dracut to replace initramfs-tools. Reboot.
7 - * Use systemd-cryptenroll to change to a stronger password.
7 + * Use systemd-cryptenroll to change to a stronger password. Reboot. Ensure auto unlock.
8 8 * Enable Secure Boot
9 9 * Use dracut to generate a initrd.
10 10 * Use TPM to auto unlock root partition.
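Review bot: "change to a stronger password" (new line 7) overstates what `systemd-cryptenroll --password` does: it adds a new passphrase key slot, so the "simple password" from line 3 remains a valid unlock path until its slot is wiped, and the file only mentions wiping as optional at the very end. Suggest rewording to "enroll a stronger password, then wipe the slot holding the install-time password (or use `cryptsetup luksChangeKey`)" and making that wipe part of the mandatory sequence; leaving the weak passphrase enrolled defeats the purpose of the stronger one.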

anduin revised this gist 1742310664.

1 file changed, 1 insertion, 1 deletion

gistfile1.md

@@ -3,7 +3,7 @@
3 3 * Make sure system installed with simple password and LUKS.
4 4 * Prepare mok-util to ensure MOK trust your own keys. Reboot.
5 5 * Prepare all drivers, modules. Build and sign the kernel and modules. Reboot.
6 - * Prepare necessary tpm tools. Use dracut to replace initramfs-tools.
6 + * Prepare necessary tpm tools. Use dracut to replace initramfs-tools. Reboot.
7 7 * Use systemd-cryptenroll to change to a stronger password.
8 8 * Enable Secure Boot
9 9 * Use dracut to generate a initrd.
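Review bot: the added "Reboot." on line 6 is necessary but the list does not say why, and the reason matters for the later TPM step: the PCR set bound in this file includes PCR 9 (initrd), and `systemd-cryptenroll --tpm2-device=auto` seals against the PCR values present at enrollment time, so the machine must already be booted from the dracut-built initrd when the enrollment runs; otherwise the policy is sealed against the old initramfs-tools image and auto-unlock fails on the next boot. A short rationale such as "Reboot so the enrollment measures the dracut initrd" would keep readers from skipping it.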

anduin revised this gist 1742310637.

1 file changed, 4 insertions, 4 deletions

gistfile1.md

@@ -15,10 +15,10 @@
15 15 sudo apt install dracut libtss2-dev tpm2-tss-engine-tools tpm2-tools
16 16 ```
17 17
18 - # dracut: initrd manager.
19 - # libtss -> TSS 2 user state tools and library
20 - # tpm-tools
21 - # engine-tools might not be needed.
18 + * dracut: initrd manager.
19 + * libtss -> TSS 2 user state tools and library
20 + * tpm-tools
21 + * engine-tools might not be needed.
22 22
23 23 ```bash
24 24 anduin@anduin-lunar:~$ sudo cat /etc/crypttab
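Review bot: good fix, the four `#` lines sat outside the code fence, so Markdown rendered them as level-1 headings instead of comments. While touching them, the bullets could name the exact packages from the apt line above ("libtss2-dev", "tpm2-tools", "tpm2-tss-engine-tools") rather than the shorthand "libtss", "tpm-tools", "engine-tools", and "engine-tools might not be needed" would be more useful as a definite statement of whether it was needed for this setup, since that is what decides whether the reader installs it.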

anduin revised this gist 1742310566.

1 file changed, 0 insertions, 0 deletions

gistfile1.txt renamed to gistfile1.md

File renamed without changes

anduin revised this gist 1742310557.

1 file changed, 90 insertions

gistfile1.txt (file created)

@@ -0,0 +1,90 @@
1 + ## Install steps
2 +
3 + * Make sure system installed with simple password and LUKS.
4 + * Prepare mok-util to ensure MOK trust your own keys. Reboot.
5 + * Prepare all drivers, modules. Build and sign the kernel and modules. Reboot.
6 + * Prepare necessary tpm tools. Use dracut to replace initramfs-tools.
7 + * Use systemd-cryptenroll to change to a stronger password.
8 + * Enable Secure Boot
9 + * Use dracut to generate a initrd.
10 + * Use TPM to auto unlock root partition.
11 +
12 + ## Install dependencies
13 +
14 + ```bash
15 + sudo apt install dracut libtss2-dev tpm2-tss-engine-tools tpm2-tools
16 + ```
17 +
18 + # dracut: initrd manager.
19 + # libtss -> TSS 2 user state tools and library
20 + # tpm-tools
21 + # engine-tools might not be needed.
22 +
23 + ```bash
24 + anduin@anduin-lunar:~$ sudo cat /etc/crypttab
25 + nvme0n1p3_crypt UUID=9aacd8c2-e5f9-42bd-b345-f8617d0a668d none luks,discard,tpm2-device=auto
26 + ```
27 +
28 + ```bash
29 + anduin@anduin-lunar:~$ cat /etc/dracut.conf.d/tpm2.conf
30 + add_dracutmodules+=" tpm2-tss "
31 + ```
32 +
33 + ```bash
34 + sudo dracut -f --hostonly
35 + ```
36 +
37 + (Reboot. mandatory)
38 +
39 + ## Ensure TPM device exists
40 +
41 + ```bash
42 + sudo systemd-cryptenroll --tpm2-device=list
43 + ```
44 +
45 + ## Enlist all encryption methods
46 +
47 + ```bash
48 + sudo systemd-cryptenroll /dev/nvme0n1p3
49 + ```
50 +
51 + ## Make sure the PCR to bind.
52 +
53 + https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/
54 +
55 + * 0 BIOS itself
56 + * 1 BIOS settings (optional)
57 + * 2 PCIE Firmware option ROM (Suggested for desktop PC, optional for laptop)
58 + * 7 Secure Boot
59 + * 9 initrd
60 + * 14 SHIM Mok
61 +
62 + 2,7,9,14
63 +
64 + ```bash
65 + sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="0+2+7+9+14" /dev/aaaaa
66 + ```
67 +
68 + Enter existing LUKS pass.
69 +
70 + ## Update
71 +
72 + Every time install kernel update:
73 +
74 + ```bash
75 + sudo dracut -f --hostonly
76 + ```
77 +
78 + Then reboot.
79 +
80 + Then:
81 +
82 + ```bash
83 + sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="0+2+7+9+14" /dev/aaaaa
84 + ```
85 +
86 + Optional to wipe:
87 +
88 + ```bash
89 + sudo systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=1
90 + ```
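Review bot: the PCR selection is inconsistent within the file: line 62 summarises the choice as "2,7,9,14", but both enrollment commands (lines 65 and 83) pass `--tpm2-pcrs="0+2+7+9+14"`; pick one and state it once, and note that including PCR 0 means a firmware update also breaks auto-unlock until re-enrollment, not only kernel updates as the "Update" section suggests. Two smaller points: the device path is `/dev/aaaaa` on lines 65 and 83 while lines 48 and 89 use the real `/dev/nvme0n1p3`, so either use the real path throughout or mark the placeholder clearly; and the re-enrollment after each kernel update (line 83) adds a new TPM2 key slot every time without removing the stale one, while the wipe on line 89 is marked optional and hard-codes slot 1. systemd-cryptenroll accepts `--wipe-slot=tpm2` to remove all existing TPM2 slots regardless of their number, and it can be combined with the enrollment options in the same invocation (the wipe is applied after the new slot is enrolled), so the stale policy never lingers. Finally, the heading "Enlist all encryption methods" (line 45) describes `systemd-cryptenroll /dev/nvme0n1p3` with no options, which lists the enrolled key slots; "List enrolled key slots" would be clearer.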