TPM 1.2 LUKS DISK UNLOCKING
===========================

TPM 2.0 has been... popular(?) in the Linux world the past couple of
years. It's been used for disk unlocking with LUKS encrypted disks. Too
bad if you have an older laptop that uses TPM 1.2... until recently.

Someone recently forked clevis and opened a pull request to merge TPM 1.2
support. It's not merged yet, as there needs to be more testing with
dracut, but it works great with Debian's update-initramfs.

    https://github.com/latchset/clevis/pull/462

Below are some instructions on how to set up automatic disk unlocking on
Debian 12.

To begin, install the following packages (this list may be incomplete):

    sudo apt install libjose-dev libcryptsetup-dev ninja-build meson tpm-tools clevis clevis-initramfs git

Next, we'll want to take ownership of the TPM. I can only verify that it
works with the default (well-known) SRK and owner secrets.

    sudo tpm_takeownership -yz

Since upstream hasn't had the TPM 1.2 support merged yet, we will have to
check out from git.

[AUG 14, 2024] EDIT: There is a releases page on GitHub with proper Debian
packages, but they might need to be modified as I did so that the TrouSerS
tools are able to be detected in the initramfs hook.

    git clone https://github.com/oldium/clevis.git
    cd clevis
    git checkout feature/tpm1

For meson to detect some of the system binaries, we must configure as root:

    sudo meson setup --prefix=/usr build

Note that the prefix has to align with the system package manager's prefix,
as we currently have to overwrite the system binaries for now. :(

Next, we build the binaries in the build directory meson created and
install them:

    sudo ninja -C build && sudo ninja -C build install

Next, update the initramfs and reboot:

    sudo update-initramfs -u && sudo reboot

Next, choose your PCRs for clevis to check on boot:

    https://www.thinkwiki.org/wiki/Embedded_Security_Subsystem#PCR_registers_extended_by_the_BIOS

Note that this link is for 1.1b, but it's relatively the same for 1.2. I
use PCRs 0, 1, 2, 4, and 7.

Since my disk holding the LUKS partitions is /dev/sda5 (yours will likely
differ), this is the command I will run:

    sudo clevis luks bind -d /dev/sda5 tpm1 '{"pcr_ids":"0,1,2,4,7"}'

If you type in your LUKS password and get no errors, reboot and see if it
works!

-- mam@sdf.org
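Added example (not part of the post above, and not clevis code): a clevis tpm1 binding only unseals while the selected PCRs hold the values they had at bind time, so a BIOS update or bootloader change silently turns the next boot into a passphrase prompt. The script below snapshots the bound PCRs and compares them on later boots so the change is noticed before rebooting. It assumes TPM 1.2 PCRs are exposed at /sys/class/tpm/tpm0/pcrs as "PCR-00: A1 B2 ..." lines and that the PCR list matches the one given to clevis luks bind; the snapshot path is an assumed example.

```shell
#!/bin/sh
# Snapshot and re-check the TPM 1.2 PCRs a clevis tpm1 binding is sealed to.
# Assumed layout: /sys/class/tpm/tpm0/pcrs, one "PCR-NN: XX XX ..." line per
# register. PCR_IDS must be the same list passed in the bind command's pcr_ids.
PCR_FILE="${PCR_FILE:-/sys/class/tpm/tpm0/pcrs}"
PCR_IDS="${PCR_IDS:-0,1,2,4,7}"
SNAPSHOT="${SNAPSHOT:-/var/lib/clevis-pcr-snapshot}"   # assumed path

# pcr_values FILE IDS: print "index hexvalue" for each selected register.
# Fails (exit 1) if a requested PCR is not present in FILE.
pcr_values() {
    file="$1"
    ids="$2"
    for id in $(printf '%s' "$ids" | tr ',' ' '); do
        key=$(printf 'PCR-%02d:' "$id")
        val=$(grep "^$key" "$file" | cut -d: -f2 | tr -d ' ')
        [ -n "$val" ] || { echo "missing PCR $id in $file" >&2; return 1; }
        printf '%s %s\n' "$id" "$val"
    done
}

# pcr_compare SNAPSHOT FILE IDS: exit 0 if every selected PCR still matches
# the snapshot (auto-unlock should work), exit 1 and list the registers that
# changed otherwise.
pcr_compare() {
    snapshot="$1"
    file="$2"
    ids="$3"
    now=$(pcr_values "$file" "$ids") || return 1
    changed=0
    for id in $(printf '%s' "$ids" | tr ',' ' '); do
        old=$(grep "^$id " "$snapshot" | cut -d' ' -f2)
        new=$(printf '%s\n' "$now" | grep "^$id " | cut -d' ' -f2)
        if [ "$old" != "$new" ]; then
            echo "PCR $id changed: $old -> $new"
            changed=1
        fi
    done
    return $changed
}

# Usage on the real machine (run as root):
#   after a successful bind:  pcr_values "$PCR_FILE" "$PCR_IDS" > "$SNAPSHOT"
#   before each reboot:       pcr_compare "$SNAPSHOT" "$PCR_FILE" "$PCR_IDS"
```

A non-zero exit from pcr_compare means the binding will not unseal on the next boot; re-run clevis luks bind (with the LUKS passphrase at hand) after confirming the PCR change was expected.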