From 080563c4b6aca3f56b040d6c606dca2f1826f90d Mon Sep 17 00:00:00 2001 From: Jorge Ramirez-Ortiz Date: Fri, 6 Sep 2024 11:18:08 +0200 Subject: [PATCH] rm: security: reference UEFI provisioning from LUKS TPM2 test Signed-off-by: Jorge Ramirez-Ortiz --- .../reference-manual/linux/linux-disk-encryption.rst | 11 ++++++----- source/reference-manual/security/secure-boot-uefi.rst | 1 + 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/source/reference-manual/linux/linux-disk-encryption.rst b/source/reference-manual/linux/linux-disk-encryption.rst index e24d2756..2fddaba2 100644 --- a/source/reference-manual/linux/linux-disk-encryption.rst +++ b/source/reference-manual/linux/linux-disk-encryption.rst @@ -140,10 +140,6 @@ Make sure LUKS support is enabled for your x86 target: $ cat meta-subscriber-overrides/conf/machine/include/lmp-factory-custom.inc DISTRO_FEATURES:append:intel-corei7-64 = " luks" -Then make sure to enroll the :ref:`UEFI Secure Boot Certificates ` -to enable secure boot support. This is required as the LUKS2 TPM 2.0 token -leverages **PCR 7**, which tracks the secure boot state. - Now install ``swtpm`` on the host machine, and start the ``swtpm`` daemon. This will be consumed by QEMU and act as the hardware TPM. @@ -166,7 +162,12 @@ Run QEMU with the required extra TPM 2.0 related commands: -chardev socket,id=chrtpm,path=/tmp/mytpm/swtpm-sock \ -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -You should see the following during the first boot: + +On the first boot, enroll the :ref:`UEFI Secure Boot Certificates ` to enable secure boot support. This is required as the LUKS2 TPM 2.0 token leverages **PCR 7**, which tracks the secure boot state. + +To do this, simply select the UEFI Secure Boot systemd-boot menu as described in :ref:`UEFI Secure Boot Provisioning `: the system will reset and you will have to run **the same command** again. + +You should see the following during this second boot: .. code-block:: none 
diff --git a/source/reference-manual/security/secure-boot-uefi.rst b/source/reference-manual/security/secure-boot-uefi.rst index 3bd8591d..d344bd80 100644 --- a/source/reference-manual/security/secure-boot-uefi.rst +++ b/source/reference-manual/security/secure-boot-uefi.rst @@ -132,6 +132,7 @@ The signing process in LmP is controlled by the following Yocto Project variable * ``UEFI_SIGN_ENABLE`` * If set to ``1`` the systemd-boot bootloader and Linux kernel binaries will be signed by with the DB key (``DB.key`` at ``UEFI_SIGN_KEYDIR``) +.. _ref-secure-boot-uefi-provisioning: UEFI Secure Boot Provisioning -----------------------------
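Review bot: in the first hunk of ``linux-disk-encryption.rst`` (``@@ -140,10 +140,6``), deleting the enrollment paragraph removes the only statement in the preparation section that Secure Boot must be enabled before the LUKS2 TPM 2.0 token exists, so a reader who sets up ``swtpm`` and QEMU from this section alone does not learn about the PCR 7 dependency until the boot walkthrough. Suggest keeping a one-sentence forward pointer in its place, for example "The UEFI Secure Boot certificates are enrolled during the first boot (see below); the LUKS2 token is sealed against PCR 7, which records the Secure Boot state."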
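Review bot: in the second hunk of ``linux-disk-encryption.rst`` (``@@ -166,7 +162,12``), "run **the same command** again" does not say which command; name it explicitly as the QEMU invocation shown directly above (the one passing ``-chardev socket,id=chrtpm,...``, ``-tpmdev emulator,...`` and ``-device tpm-tis,tpmdev=tpm0``) so the reader does not restart ``swtpm`` instead. The ordering also deserves one more sentence, for the reason the paragraph itself gives: the token is sealed against PCR 7, and PCR 7 changes when the certificates are enrolled, so enrollment has to happen on this first boot, before the token is created; enrolling afterwards, or changing the Secure Boot state later, alters PCR 7 and the token will no longer unseal the volume. Two nits: the hunk adds two consecutive empty ``+`` lines, leaving a double blank line after the preceding code block, and both ``:ref:`` roles render here with an empty angle-bracket target (``:ref:`UEFI Secure Boot Provisioning ```); confirm the committed file carries the label names (the second file adds ``ref-secure-boot-uefi-provisioning``), otherwise Sphinx reports an undefined label.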
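Review bot: in the ``secure-boot-uefi.rst`` hunk (``@@ -132,6 +132,7``), the new explicit target ``.. _ref-secure-boot-uefi-provisioning:`` needs a blank line before it (after the ``* If set to ``1`` ...`` bullet) and a blank line after it, before the ``UEFI Secure Boot Provisioning`` title; without them docutils warns that the bullet list and the explicit markup end without a blank line, and the label may not attach to the section that the new ``:ref:`` in ``linux-disk-encryption.rst`` expects. The spacing is not visible in this rendering, so please check it in the file. Since the hunk touches these lines anyway, the context line "will be signed by with the DB key" has a stray "by" that could be fixed in the same change.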