Extends Ubuntu's zfs-initramfs package with a boot script that can unlock native ZFS encryption with help from TPM 1.2.
Accomplished by overriding the decrypt_fs() function in the upstream zfs
script. Adds a section to unlock via TPM prior to the interactive unlock.
This version uses TPM 1.2 as that's the hardware I have, but extending to 2.0 may be simple.
Needs trousers and tpm-tools installed.
I prefer to seal to PCRs 0-3, 5-9, 11-12
umask 077; tpm_sealdata -p0 -p1 -p2 -p3 -p5 -p6 -p7 -p8 -p9 -p11 -p12 -z -o /.private/$POOL.tpm
| PCR | Use | Notes |
|---|---|---|
| PCR0 | Core System Firmware executable code (aka Firmware) | May change if you upgrade your UEFI |
| PCR1 | Core System Firmware data (aka UEFI settings) | |
| PCR2 | Extended or pluggable executable code | |
| PCR3 | Extended or pluggable firmware data | Set during Boot Device Select UEFI boot phase |
| PCR4 | Boot Manager Code and Boot Attempts | Measures the boot manager and the devices that the firmware tried to boot from |
| PCR5 | Boot Manager Configuration and Data | Can measure configuration of boot loaders; includes the GPT Partition Table |
| PCR6 | Resume from S4 and S5 Power State Events | |
| PCR7 | Secure Boot State | Contains the full contents of PK/KEK/db, as well as the specific certificates used to validate each boot application[4] |
| PCR8 | Hash of the kernel command line | Supported by grub and systemd-boot |
| PCR9 | Hash of the initrd | Kernel 6.1 might measure the kernel cmdline |
| PCR10 | Reserved for Future Use | |
| PCR11 | Hash of the Unified kernel image | see systemd-stub |
| PCR12 | Overridden kernel command line, Credentials | see systemd-stub |
| PCR13 | System Extensions | see systemd-stub |
| PCR14 | Unused | |
| PCR15 | Unused | |
| PCR16 | Debug | May be used and reset at any time. May be absent from an official firmware release. |
| PCR23 | Application Support | The OS can set and reset this PCR. |