How secure is TPM unlocking?

Fred_Kite · November 18, 2025, 9:01am

Hi everyone!

How secure is TPM unlocking in aurora/bluefin? I’ve recently rebased from Kinoite and TPM unlocking is not secure yet: a simple edit in grub command at boot can open a root console. See this conversation in discussion.fedoraproject.org.

Thank you for your help!

inffy · November 18, 2025, 12:17pm

Here is the script we use

github.com/ublue-os/packages

packages/ublue-os-luks/src/luks-enable-tpm2-autounlock

b9810df15

#!/bin/bash
## setup auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
set -eou pipefail

[ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}

echo "WARNING: Do NOT use this if your CPU is vulnerable to faulTPM!"
echo "All AMD Zen2 and Zen3 Processors are known to be affected!"
echo "All AMD Zen1 processors are also likely affected, with Zen4 unknown!"
echo "If you have an AMD CPU, you likely shouldn't use this!"
echo "----------------------------------------------------------------------------"
echo "This script uses systemd-cryptenroll to enable TPM2 auto-unlock."
echo "You can review systemd-cryptenroll's manpage for more information."
echo "This script will modify your system."
echo "It will enable TPM2 auto-unlock of your LUKS partition for your root device!"
echo "It will bind to PCR 7 and 14 which is tied to your secureboot and moklist state."
read -p "Are you sure are good with this and want to enable TPM2 auto-unlock? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
  [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell

This file has been truncated. show original

Haven’t personally used and don’t really know how secure or not it is.

nvonwolff · November 20, 2025, 1:36am

Unless you’re self signing your grub files for secure boot, it’s not secure at all. As someone can pull your drive, modify your grub files to bypass user passwords, then reinsert and boot. There are tools out there to do this self-signing but I haven’t seen a way to automate it to happen in ublue on updates as you would need to resign everytime rpm-ostree/bootc does an update.

Your better option is to decrypt with a password and setup your user account in Gnome to auto login. As Long as your luks password is the same as your user password your Gnome keyring will also auto-unlock.

system · November 23, 2025, 1:36am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem with `ujust setup-luks-tpm-unlock` Bluefin	4	692	November 13, 2024
Ujust setup- luks-tpm-unlock' not working Bluefin	2	219	April 4, 2025
TPM LUKS unlock with fingerprint according to docs Framework Laptops	0	251	July 27, 2025
Changing initramfs to include tpm2-tss TPM module General	4	1558	April 29, 2024
Crypttab devices with "ujust setup-luks-tpm-unlock" fail to unlock with keyfile Bazzite	0	414	January 21, 2025

How secure is TPM unlocking?

Related topics