From Fedora Project Wiki

Revision as of 16:47, 22 May 2020 by Pwhalen (talk | contribs) (Created page with " = Description = A simple validation test case for Clevis on Fedora IoT Edition. This test will require hardware with a Trusted Platform Module (TPM) or a virtual machines wit...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Description

A simple validation test case for Clevis on Fedora IoT Edition. This test will require hardware with a Trusted Platform Module (TPM) or a virtual machines with an emulated TPM (you will need to install swtpm, swtpm-tools).

Setup

Install a system with an encrypted root filesystem. See this testcase for further details.

If using a virtual machine you will need to install swtpm and swtpm-tools on the host.

sudo dnf install swtpm swtpm-tools 

Using virt-manager add the TPM to the the virtual machine, selecting the default TPMv2. If the host system offers a hardware TPM you can also use that but it is not required for this test case.

How to test

Verify decryption is working via TPM2

echo foo | clevis encrypt tpm2 '{}' | clevis decrypt

Get the UUID of the encrypted device

UUID=$(lsblk | grep luks | sed 's/^.*luks-//' | cut -d ' ' -f1)
DEV=$(blkid --uuid $UUID)

Check encryption details of the device

cryptsetup luksDump $DEV

Verify the passphrase before setting

cryptsetup luksOpen --test-passphrase --key-slot 0 $DEV && echo correct

Setup Clevis to decrypt via TPM2 on boot

clevis luks bind -f -k- -d $DEV tpm2 '{}' <<< $YOUR_PASSPHRASE

Reboot the system and see if it is booted without user intervention.

Results

  1. The installed system should boot to log in without needing the passphrase for the encrypted filesystem.