
TPM support

Open uhthomas opened this issue 9 months ago • 3 comments

I found https://github.com/archlinux/archinstall/issues/861, but I believe the HSM support does not provide adequate TPM support.

For example, only my YubiKey is listed, despite the presence of a TPM.

image

I have used systemd-cryptenroll for a few machines and have found it to work quite well.

❯ sudo systemd-cryptenroll /dev/nvme0n1p2 --tpm2-device=auto

cryptsetup benchmark may also be helpful.

I believe secure boot is required for a TPM to work - so this may be helpful too?

❯ sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     a67af038-da8d-4637-a752-7d3e71a9f57e
Setup Mode:     ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    microsoft

I think in addition to systemd-cryptenroll, the kernel configuration options need to be updated.

❯ cat /boot/loader/entries/linux.conf
title Arch Linux (linux)
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options root=/dev/mapper/luksdev zswap.enabled=0 rootflags=subvol=@ rw intel_pstate=no_hwp rootfstype=btrfs rd.luks.name=a661b1ce-26f7-460d-a8fa-1a57f2f6ceff=luksdev rd.luks.options=discard,tpm2-device=auto nvidia_drm.modeset=1

Note rd.luks.name=a661b1ce-26f7-460d-a8fa-1a57f2f6ceff=luksdev rd.luks.options=discard,tpm2-device=auto, where the UUID is the volume UUID from sudo blkid:

/dev/nvme0n1p2: UUID="a661b1ce-26f7-460d-a8fa-1a57f2f6ceff" TYPE="crypto_LUKS" PARTLABEL="primary" PARTUUID="3f92cbb9-c6ce-4a70-bc9f-4b7ce4cdbe54"

https://wiki.archlinux.org/title/Trusted_Platform_Module#systemd-cryptenroll

uhthomas avatar Oct 01 '23 17:10 uhthomas
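The steps in the issue above (find the LUKS volume UUID with blkid, put rd.luks.name and rd.luks.options=...,tpm2-device=auto on the kernel command line, confirm Secure Boot is enabled) can be checked mechanically. The following POSIX shell helpers are an added example, not code from the issue author or from the archinstall project: they parse blkid, sbctl status and a systemd-boot loader entry, build the rd.luks.* fragment, and report whether the entry already enables TPM2 unlocking. All device names, UUIDs and file contents are constructed sample data, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not archinstall's code): derive and verify the rd.luks.*
# kernel options for a TPM2-unlocked LUKS root. Works offline on the
# constructed sample strings below; on a real system you would feed it
# `blkid`, `sbctl status` and /boot/loader/entries/*.conf instead.

# Print the UUID of the LUKS volume at $2 from blkid output $1.
# Only lines with TYPE="crypto_LUKS" are considered, so an EFI partition
# on the same disk is never mistaken for the root volume.
luks_uuid_from_blkid() {
    blkid_out=$1
    dev=$2
    printf '%s\n' "$blkid_out" | awk -v dev="$dev:" '
        $1 == dev && /TYPE="crypto_LUKS"/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^UUID=/) { gsub(/UUID=|"/, "", $i); print $i }
        }'
}

# Build the command-line fragment the initramfs needs: map the LUKS UUID to
# a mapper name and ask for TPM2 unlocking (plus discard, as in the issue).
rd_luks_cmdline() {
    uuid=$1
    name=$2
    printf 'rd.luks.name=%s=%s rd.luks.options=discard,tpm2-device=auto' "$uuid" "$name"
}

# Return 0 when the loader entry $1 unlocks LUKS volume $2 via TPM2,
# i.e. its "options" line carries both rd.luks.name=<uuid>=... and a
# rd.luks.options= value containing tpm2-device=auto. Return 1 otherwise.
loader_entry_has_tpm2() {
    entry=$1
    uuid=$2
    opts=$(printf '%s\n' "$entry" | awk '$1 == "options" { print; exit }')
    case $opts in
        *"rd.luks.name=$uuid="*) ;;
        *) return 1 ;;
    esac
    case $opts in
        *rd.luks.options=*tpm2-device=auto*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when `sbctl status` output $1 reports Secure Boot as Enabled.
secure_boot_enabled() {
    printf '%s\n' "$1" | grep -q '^Secure Boot:.*Enabled'
}

# ---- constructed sample data (not from a real machine) ----
SAMPLE_BLKID='/dev/nvme0n1p1: UUID="1234-ABCD" TYPE="vfat" PARTLABEL="EFI" PARTUUID="aaaaaaaa-0000-0000-0000-000000000001"
/dev/nvme0n1p2: UUID="00000000-1111-2222-3333-444444444444" TYPE="crypto_LUKS" PARTLABEL="primary" PARTUUID="aaaaaaaa-0000-0000-0000-000000000002"'

SAMPLE_ENTRY='title Arch Linux (linux)
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=/dev/mapper/luksdev rw rd.luks.name=00000000-1111-2222-3333-444444444444=luksdev rd.luks.options=discard,tpm2-device=auto'

# Same entry but without the TPM2 option: the initramfs would prompt for a
# passphrase instead of using the enrolled TPM2 key slot.
SAMPLE_ENTRY_NO_TPM='title Arch Linux (linux)
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=/dev/mapper/luksdev rw rd.luks.name=00000000-1111-2222-3333-444444444444=luksdev'

SAMPLE_SBCTL='Installed:      sbctl is installed
Setup Mode:     Disabled
Secure Boot:    Enabled
Vendor Keys:    microsoft'

# Demo run on the sample data.
SAMPLE_UUID=$(luks_uuid_from_blkid "$SAMPLE_BLKID" /dev/nvme0n1p2)
echo "LUKS UUID: $SAMPLE_UUID"
echo "cmdline:   $(rd_luks_cmdline "$SAMPLE_UUID" luksdev)"
if loader_entry_has_tpm2 "$SAMPLE_ENTRY" "$SAMPLE_UUID"; then
    echo "loader entry: TPM2 unlock configured"
else
    echo "loader entry: rd.luks TPM2 options missing"
fi
if secure_boot_enabled "$SAMPLE_SBCTL"; then
    echo "secure boot: enabled"
else
    echo "secure boot: not enabled"
fi
```

The check is deliberately split in two: the UUID match catches an entry that still points at a stale volume after a reinstall, and the tpm2-device=auto match catches an entry that will fall back to a passphrase prompt even though systemd-cryptenroll succeeded. On a live system, `loader_entry_has_tpm2 "$(cat /boot/loader/entries/linux.conf)" "$(luks_uuid_from_blkid "$(sudo blkid)" /dev/nvme0n1p2)"` gives the same verdict.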