Changing initramfs to include tpm2-tss TPM module

Hi everyone,

I’m new to Bluefin and Universal Blue. So far quite happy with my setup and the little amount of effort needed to set up everything to my liking.

I’m using my mainboard’s TPM to unlock the disk encryption of the root fs on boot. I’ve had to:

Enroll the device TPM to the disk:

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=1+7 /dev/<mydisk>

Create a config file for dracut /etc/dracut.conf.d/tpm2-tss.conf containing:

add_dracutmodules+=" tpm2-tss "

Enable initramfs generation:

sudo rpm-ostree initramfs --enable

And modify the /etc/crypttab to include tpm2-device=auto:

luks-XXXXXX UUID=XXXXXX none tpm2-device=auto

I’ve not seen any changes made to the Silverblue upstream images initramfs on the Github repos. Is this out of scope for Universal Blue or might the tpm2-tss module be something that could be added to the default initramfs?

Thanks for the great OS!
Regards,
Clemens

Good news! It’s simpler than editing dracut configs. You can add tpm2-tss just by running this command:

rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss

I actually have scripts in my personal custom image to make it a bit easier to enable/disable luks unlock via TPM since it does have to be redone sometimes after a UEFI firmware update, etc.

See:

Regarding the question about adding tpm2-tss to Universal Blue’s default initramfs… I don’t think that will be happening, at least not for our “base” images:

  • ublue-os/*-main
  • ublue-os/*-asus
  • ublue-os/*-surface
  • ublue-os/*-*-nvidia

None of the additions we add to those “base” images require going so far as to customize the initramfs. Our “downstream”, more end-user-facing images, Bazzite and Bluefin, are both more open to changes like that, though. I know Bazzite has initramfs customizations already.

Personally, I’d really like to see tpm2-tss added to the upstream Fedora initramfs by default, so we could benefit, but I haven’t looked into that yet.
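The four steps from the opening post and the single-command variant from this reply, put together as an added example script. This is not code from the thread or from the ublue-os/config project; it assumes a placeholder disk device, a default crypttab path of /etc/crypttab, and that systemd-cryptenroll, rpm-ostree, cryptsetup and lsinitrd are on the PATH. The crypttab editing is done by a pure text function so it can be checked offline, and the enrollment wipes any previous tpm2 slot first so the script can be re-run after a firmware update changes PCR 7.

```shell
#!/bin/sh
# Added example, not from this thread or ublue-os/config.
# Assumed placeholders: DISK (the LUKS partition) and the initramfs image path.

# Append tpm2-device=auto to one crypttab line unless already present.
# crypttab fields: name device keyfile [options]; blank and comment lines pass through.
crypttab_add_tpm2() {
    line=$1
    case "$line" in
        ''|'#'*) printf '%s\n' "$line"; return 0 ;;
    esac
    set -- $line
    name=$1; dev=$2; key=${3:-none}; opts=${4:-}
    case ",$opts," in
        *,tpm2-device=*) printf '%s %s %s %s\n' "$name" "$dev" "$key" "$opts" ;;
        ,,)              printf '%s %s %s tpm2-device=auto\n' "$name" "$dev" "$key" ;;
        *)               printf '%s %s %s %s,tpm2-device=auto\n' "$name" "$dev" "$key" "$opts" ;;
    esac
}

# Rewrite a whole crypttab file ($1) into $2, patching every entry.
crypttab_patch_file() {
    : > "$2"
    while IFS= read -r l || [ -n "$l" ]; do
        crypttab_add_tpm2 "$l" >> "$2"
    done < "$1"
}

# Enroll the TPM2 against PCRs 1+7, replacing any earlier tpm2 slot (idempotent).
enroll_tpm2() {
    systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=1+7 "$1"
}

# Check that the LUKS header now carries a systemd-tpm2 token.
tpm2_token_enrolled() {
    cryptsetup luksDump "$1" | grep -q 'systemd-tpm2'
}

# Check that a built initramfs image ($1) contains the tpm2-tss dracut module.
initramfs_has_tpm2_tss() {
    lsinitrd -m "$1" | grep -qx 'tpm2-tss'
}

# Orchestrate the steps from the thread; only runs when invoked with "apply".
apply_tpm_unlock() {
    disk=$1
    enroll_tpm2 "$disk"
    tpm2_token_enrolled "$disk" || { echo "enrollment missing" >&2; return 1; }
    crypttab_patch_file /etc/crypttab /etc/crypttab.new
    mv /etc/crypttab.new /etc/crypttab
    # Same effect as the dracut.conf.d snippet, without editing config files.
    rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss
}

if [ "${1:-}" = "apply" ]; then
    apply_tpm_unlock "${2:?usage: $0 apply /dev/<mydisk>}"
fi
```

After the next reboot, `initramfs_has_tpm2_tss` run against the freshly deployed image confirms the module made it in, and `tpm2_token_enrolled` confirms the slot survived; if unlock fails after a UEFI update, re-running `apply` re-seals against the new PCR 7 value.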


Hey Benjamin,

thanks for your reply. I like the idea of configuring the initramfs the way you did. Maybe your existing script could be elevated to become a standard for Bluefin’s ujust commands?

If there are no changes to the upstream initramfs it might not be the feature to introduce it for, but maybe wait for Fedora to include it. I don’t know how many people use such a setup…

My main concern is that rebuilding the initramfs takes a few extra seconds during the system update, but it’s really not a big deal.

I’ve looked into the Fedora Silverblue issues and found this comment, that rebuilding the initramfs is necessary anyway to include the UUID from the crypttab into the initramfs, which makes sense and would make your script even more useful!

Best regards,
Clemens

It’s taken a month… but good suggestion.

This is happening: feat: add LUKS TPM autounlock support by bsherman · Pull Request #265 · ublue-os/config · GitHub

Yeah! I saw that on the change log the other day.
Congratulations on your PR.
I’ve already been using your script on my SteamDeck OLED! :sweat_smile:

Works like a charm!