TPM2-measured boot with bus protection is pretty nice actually for Linux installations where secure boot is not enabled, like the default Arch Linux installation for instance.
For the sake of "defence in depth", I'd enable both if it is out-of-the-box feature but would not probably bother with secure boot if it requires extra work.
So, the takeaway from this is that it would make a lot of sense to make measured boot happen in arch-install installation as opt-in feature. No Microsoft key required.
Still so far the most informative overview for the shenanigans is microos.opensuse.org/blog/2023… but I'd also look for more recent references.
Policy hash calculation per kernel package update for LUKS2 is what needs to happen over time whenever a new kernel package is installed with hooks/scripts.
So the thing that was hyped to DRM the world into a locked down hellhole rendered out the Microsoft key hard binding instead 🤷
#tpm #linux #archlinux #opensuse #secureboot #security
Systemd-boot and Full Disk Encryption with TPM and FIDO2
Systemd-boot and Full Disk Encryption in Tumbleweed and MicroOSopenSUSE MicroOS
Štěpán Škorpil
in reply to Jarkko Sakkinen • • •I have set it up in a way that does not need to reseal the key on every kernel update. I use a combination of secure boot with kernel signed with my custom keys and tpm revealing luks secret only if bios or bios options haven't been tampered with. With this setup I only need to reseal the key on bios upgrades and on changed bios options.
skorpil.cz/en/project/42/mkini…
Mkinitcpio tpm2 encrypt
Štěpán ŠkorpilMorten Linderud
in reply to Štěpán Škorpil • • •This entire post is deprecated because of `cryptenroll`. You can drop the mkinitcpio hook completely and just use `sd-encrypt`.
Štěpán Škorpil
in reply to Morten Linderud • • •