feat: add LUKS TPM autounlock support

Containerfile

@@ -52,6 +52,7 @@ RUN rpmbuild -ba \
 #This can be cleaner and put together with other RPMs in -config, I cant be bothered right now    
 ADD build /tmp/build
 RUN /tmp/build/ublue-os-just/build.sh
+RUN /tmp/build/ublue-os-luks/build.sh
 
 RUN mkdir /tmp/ublue-os/{files,rpms}
 

build/ublue-os-just/15-luks.just

@@ -0,0 +1,11 @@
+# vim: set ft=make :
+
+# Enable automatic LUKS unlock via TPM
+setup-luks-tpm-unlock:
+    #!/usr/bin/bash
+    sudo /usr/libexec/luks-enable-tpm2-autounlock
+
+# Disable automatic LUKS unlock via TPM
+remove-luks-tpm-unlock:
+    #!/usr/bin/bash
+    sudo /usr/libexec/luks-disable-tpm2-autounlock

build/ublue-os-just/ublue-os-just.spec

@@ -1,14 +1,15 @@
 Name:           ublue-os-just
 Packager:       ublue-os
 Vendor:         ublue-os
-Version:        0.30
+Version:        0.31
 Release:        1%{?dist}
 Summary:        ublue-os just integration
 License:        MIT
 URL:            https://github.com/ublue-os/config
 
 BuildArch:      noarch
 Requires:       just
+Requires:       ublue-os-luks
 
 Source0:        ublue-os-just.sh
 Source1:        00-default.just
@@ -18,6 +19,7 @@ Source4:        30-distrobox.just
 Source5:        40-nvidia.just
 Source6:        50-akmods.just
 Source7:        60-custom.just
+Source8:        15-luks.just
 Source9:        ujust
 Source10:       ugum
 Source11:       header.just
@@ -48,7 +50,7 @@ mkdir -p -m0755  %{buildroot}%{_datadir}/%{VENDOR}/%{sub_name}
 install -Dm755 %{SOURCE0}  %{buildroot}%{_sysconfdir}/profile.d/ublue-os-just.sh
 install -Dm755 %{SOURCE19}  %{buildroot}%{_sysconfdir}/profile.d/user-motd.sh
 install -Dm755 %{SOURCE23}  %{buildroot}%{_sysconfdir}/profile.d/brew.sh
-cp %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE22} %{buildroot}%{_datadir}/%{VENDOR}/%{sub_name}
+cp %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} %{SOURCE22} %{buildroot}%{_datadir}/%{VENDOR}/%{sub_name}
 
 # Create justfile which contains all .just files included in this package
 # Apply header first due to default not working in included justfiles
@@ -100,6 +102,9 @@ just --completions bash | sed -E 's/([\(_" ])just/\1ujust/g' > %{_datadir}/bash-
 chmod 644 %{_datadir}/bash-completion/completions/ujust
 
 %changelog
+* Mon Apr 30 2024 Benjamin Sherman <[email protected]> - 0.31
+- Add LUKS TPM autounlock support
+
 * Sun Mar 24 2024 gerblesh <[email protected]> - 0.30
 - Add brew config to /etc/profile.d
 

build/ublue-os-luks/build.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/bash
+
+set -ouex pipefail
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+mkdir -p /tmp/ublue-os/rpmbuild/SOURCES
+
+cp ${SCRIPT_DIR}/luks* /tmp/ublue-os/rpmbuild/SOURCES
+
+rpmbuild -ba \
+    --define '_topdir /tmp/ublue-os/rpmbuild' \
+    --define '%_tmppath %{_topdir}/tmp' \
+    ${SCRIPT_DIR}/ublue-os-luks.spec

build/ublue-os-luks/luks-disable-tpm2-autounlock

@@ -0,0 +1,45 @@
+#!/bin/bash
+## disable auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
+set -u
+
+[ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
+
+read -p "This will modify your system and disable TPM2 auto-unlock of your LUKS partition! Are you sure you've read the script and are good with this? " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
+fi
+
+DISK_UUID=$(sudo awk '{ print $2 }' /etc/crypttab | cut -d= -f2)
+CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
+
+## Restore the crypttab
+cp -a /etc/crypttab /etc/crypttab.working-before-disable-tpm2
+if [ -f /etc/crypttab.known-good ]; then
+  echo "Restoring /etc/crypttab.known-good to original /etc/crypttab"
+  mv /etc/crypttab.known-good /etc/crypttab
+else
+  echo "No /etc/crypttab.known-good found to restore"
+fi
+
+## Wipe luks slot
+cryptsetup luksDump $CRYPT_DISK | grep systemd-tpm2 > /dev/null
+if [ 0 -eq $? ]; then
+  echo "Wiping systemd-tpm2 from LUKS on $CRYPT_DISK"
+  systemd-cryptenroll --wipe-slot=tpm2 $CRYPT_DISK
+else
+  echo "No systemd-tpm2 found in LUKS to wipe"
+fi
+
+## Disable initramfs
+rpm-ostree initramfs | grep tpm2 > /dev/null
+if [ 0 -eq $? ]; then
+  echo "WARNING: if you configured initramfs for anything other than TPM2, this wipes that too..."
+  echo "here's a printout:"
+  rpm-ostree initramfs
+  echo
+  echo "Disabling rpm-ostree initramfs..."
+  rpm-ostree initramfs --disable
+else
+  echo "TPM2 was not found in 'rpm-ostree initramfs'..."
+fi

build/ublue-os-luks/luks-enable-tpm2-autounlock

@@ -0,0 +1,70 @@
+#!/bin/bash
+## setup auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
+set -u
+
+[ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
+
+read -p "This will modify your system and enable TPM2 auto-unlock of your LUKS partition! Are you sure you've read the script and are good with this? " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
+fi
+
+## Inspect crypttab to find disk info, should look like this
+#sudo cat /etc/crypttab
+#luks-912462a2-39ce-abcd-1234-89c6c0304cb4 UUID=912462a2-39ce-abcd-1234-89c6c0304cb4 none discard
+DISK_UUID=$(sudo awk '{ print $2 }' /etc/crypttab | cut -d= -f2)
+CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
+
+## Backup the crypttab
+if [ -f /etc/crypttab.known-good ]; then
+  echo "Our backup already exists at /etc/crypttab.known-good\nExiting..."
+  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+fi
+cp -a /etc/crypttab /etc/crypttab.known-good
+
+## modify the crypttab
+grep tpm2-device /etc/crypttab > /dev/null
+if [ 0 -eq $? ]; then
+  echo "TPM2 already present in /etc/crypttab. Exiting..."
+  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+fi
+sed -i "s/discard/discard,tpm2-device=auto/" /etc/crypttab
+
+cryptsetup luksDump $CRYPT_DISK | grep systemd-tpm2 > /dev/null
+if [ 0 -eq $? ]; then
+  KEYSLOT=$(cryptsetup luksDump $CRYPT_DISK|grep -A23 systemd-tpm2|grep Keyslot|awk '{print $2}')
+  echo "TPM2 already present in LUKS Keyslot $KEYSLOT of $CRYPT_DISK. Exiting..."
+  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+fi
+
+## Run crypt enroll
+echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
+echo
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 $CRYPT_DISK
+
+
+lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null
+if [ 1 -eq $? ]; then
+  ## add tpm2-tss to initramfs
+  rpm-ostree initramfs | grep tpm2 > /dev/null
+  if [ 0 -eq $? ]; then
+    echo "TPM2 already present in rpm-ostree initramfs config."
+    rpm-ostree initramfs
+    echo
+    echo "Re-running initramfs to pickup changes above."
+  fi
+  rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss
+else
+  ## initramfs already containts tpm2-tss
+  echo "TPM2 already present in initramfs."
+fi
+
+## Now reboot
+echo
+echo "TPM2 LUKS auto-unlock configured. Reboot now."
+
+
+# References:
+#  https://www.reddit.com/r/Fedora/comments/uo4ufq/any_way_to_get_systemdcryptenroll_working_on/
+#  https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html

build/ublue-os-luks/ublue-os-luks.spec

@@ -0,0 +1,33 @@
+Name:           ublue-os-luks
+Packager:       ublue-os
+Vendor:         ublue-os
+Version:        0.1
+Release:        1%{?dist}
+Summary:        ublue-os scripts for simplified LUKS usage
+License:        MIT
+URL:            https://github.com/ublue-os/config
+
+BuildArch:      noarch
+
+Source0:        luks-disable-tpm2-autounlock
+Source1:        luks-enable-tpm2-autounlock
+
+%description
+Adds scripts to simplify LUKS autounlock with TPM
+
+%prep
+%setup -q -c -T
+
+%build
+
+install -Dm755 %{SOURCE0}  %{buildroot}%{_libexecdir}/luks-disable-tpm2-autounlock
+install -Dm755 %{SOURCE1}  %{buildroot}%{_libexecdir}/luks-enable-tpm2-autounlock
+
+%files
+%attr(0755,root,root) %{_libexecdir}/luks-disable-tpm2-autounlock
+%attr(0755,root,root) %{_libexecdir}/luks-enable-tpm2-autounlock
+
+%changelog
+* Mon Apr 30 2024 Benjamin Sherman <[email protected]> - 0.1
+- Add tpm2 autounlock enable/disable scripts
+- Original source: https://github.com/bsherman/ublue-custom/