TPM support
I found https://github.com/archlinux/archinstall/issues/861, but believe the HSM support does not provide adequate TPM support.
For example, only my YubiKey is listed, despite the presence of a TPM.
I have used systemd-cryptenroll for a few machines and have found it to work quite well.
❯ sudo systemd-cryptenroll /dev/nvme0n1p2 --tpm2-device=auto
cryptsetup benchmark may also be helpful.
I believe secure boot is required for a TPM to work, so this may also be helpful?
❯ sbctl status
Installed: ✓ sbctl is installed
Owner GUID: a67af038-da8d-4637-a752-7d3e71a9f57e
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: microsoft
I think in addition to systemd-cryptenroll, the kernel configuration options need to be updated.
❯ cat /boot/loader/entries/linux.conf
title Arch Linux (linux)
linux /vmlinuz-linux
initrd /amd-ucode.img
initrd /initramfs-linux.img
options root=/dev/mapper/luksdev zswap.enabled=0 rootflags=subvol=@ rw intel_pstate=no_hwp rootfstype=btrfs rd.luks.name=a661b1ce-26f7-460d-a8fa-1a57f2f6ceff=luksdev rd.luks.options=discard,tpm2-device=auto nvidia_drm.modeset=1
Note rd.luks.name=a661b1ce-26f7-460d-a8fa-1a57f2f6ceff=luksdev rd.luks.options=discard,tpm2-device=auto, where the UUID is the volume UUID from sudo blkid:
/dev/nvme0n1p2: UUID="a661b1ce-26f7-460d-a8fa-1a57f2f6ceff" TYPE="crypto_LUKS" PARTLABEL="primary" PARTUUID="3f92cbb9-c6ce-4a70-bc9f-4b7ce4cdbe54"
https://wiki.archlinux.org/title/Trusted_Platform_Module#systemd-cryptenroll
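The steps above are easy to get subtly wrong: the loader entry must name the same UUID that blkid reports for the LUKS partition, and rd.luks.options must carry tpm2-device= or the initramfs will silently fall back to asking for a passphrase. The script below is an added example (not from the issue author or the archinstall project) that checks those two things against constructed sample data; the sample loader entries and blkid output are assumed inputs embedded inline, with the UUID and device names taken from the issue. On a real machine you would point the functions at /boot/loader/entries/*.conf and the saved output of blkid.

```shell
#!/bin/sh
# Added example: sanity-check a systemd-boot entry against a TPM2-enrolled LUKS volume.
# Assumptions: entries use the rd.luks.name=<UUID>=<name> / rd.luks.options= syntax
# shown in the issue, and blkid output is saved to a file in its default format.

# Print the UUID from rd.luks.name=<UUID>=<name> on the entry's options line.
luks_uuid_from_entry() {
    sed -n 's/^options .*rd\.luks\.name=\([0-9a-fA-F-]*\)=[^ ]*.*/\1/p' "$1"
}

# Succeed (exit 0) only if rd.luks.options includes a tpm2-device= setting.
entry_has_tpm2_option() {
    grep -q 'rd\.luks\.options=[^ ]*tpm2-device=' "$1"
}

# Print the UUID of the crypto_LUKS device $2 from blkid output saved in file $1.
luks_uuid_from_blkid() {
    sed -n "s#^$2: UUID=\"\([^\"]*\)\".*TYPE=\"crypto_LUKS\".*#\1#p" "$1"
}

# Return 0 when the entry's UUID matches blkid and the TPM2 option is present;
# otherwise print the reason and return 1.
check_tpm2_entry() {
    entry="$1"; blkid_out="$2"; dev="$3"
    want=$(luks_uuid_from_blkid "$blkid_out" "$dev")
    have=$(luks_uuid_from_entry "$entry")
    [ -n "$want" ] || { echo "no crypto_LUKS UUID found for $dev"; return 1; }
    [ "$want" = "$have" ] || { echo "UUID mismatch: entry=$have blkid=$want"; return 1; }
    entry_has_tpm2_option "$entry" || { echo "rd.luks.options lacks tpm2-device="; return 1; }
    name=$(sed -n 's/.*rd\.luks\.name=[^=]*=\([^ ]*\).*/\1/p' "$entry")
    echo "ok: $dev unlocks via TPM2 as /dev/mapper/$name"
}

# Constructed sample data (assumed, not captured from a live system): one good
# entry, one stale entry with a wrong UUID and no TPM2 option, and blkid output.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/linux.conf" <<'EOF'
title Arch Linux (linux)
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=/dev/mapper/luksdev rw rd.luks.name=a661b1ce-26f7-460d-a8fa-1a57f2f6ceff=luksdev rd.luks.options=discard,tpm2-device=auto
EOF
    cat > "$dir/stale.conf" <<'EOF'
title Arch Linux (old entry)
linux /vmlinuz-linux
options root=/dev/mapper/luksdev rw rd.luks.name=00000000-0000-0000-0000-000000000000=luksdev rd.luks.options=discard
EOF
    cat > "$dir/blkid.txt" <<'EOF'
/dev/nvme0n1p1: UUID="1234-ABCD" TYPE="vfat" PARTLABEL="EFI"
/dev/nvme0n1p2: UUID="a661b1ce-26f7-460d-a8fa-1a57f2f6ceff" TYPE="crypto_LUKS" PARTLABEL="primary"
EOF
    echo "$dir"
}

# Run both checks against the constructed samples; the stale entry is expected to fail.
samples=$(make_samples)
check_tpm2_entry "$samples/linux.conf" "$samples/blkid.txt" /dev/nvme0n1p2
check_tpm2_entry "$samples/stale.conf" "$samples/blkid.txt" /dev/nvme0n1p2 || true
rm -rf "$samples"
```

The mismatch case is the one worth keeping an eye on after reinstalling or re-creating the LUKS container: the loader entry keeps the old UUID, the TPM2 enrollment belongs to the new container, and boot drops to a passphrase prompt with no obvious error.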