Can I automatically run systemd-cryptenroll after bootloader is updated?

[vroad]

I want to auto-unlock LUKS encrypted system drive only when the computer boots NixOS installed to an SSD. For that I need to run systemd-cryptenroll /dev/nvme0n1p1 --tpm2-device=auto --tpm2-pcrs=0+2+4+7 There appears to be no way to run custom commands when lanzaboote bootloader is installed:

lanzaboote/nix/modules/lanzaboote.nix

Lines 54 to 67 in 367d367

	installHook = pkgs.writeShellScript "bootinstall" ''
	${optionalString cfg.enrollKeys ''
	mkdir -p /tmp/pki
	cp -r ${cfg.pkiBundle}/* /tmp/pki
	${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
	''}
	${cfg.package}/bin/lanzatool install \
	--public-key ${cfg.publicKeyFile} \
	--private-key ${cfg.privateKeyFile} \
	--configuration-limit ${toString configurationLimit} \
	${config.boot.loader.efi.efiSysMountPoint} \
	/nix/var/nix/profiles/system-*-link
	'';

Can we add custom command option to the module that runs only when bootloader is updated?

[RaitoBezarius]

Interesting, quick question:

• what is the effect to run this every time you run nixos-rebuild switch ?

[vroad]

Interesting, quick question:

• what is the effect to run this every time you run nixos-rebuild switch ?

systemd-cryptenroll takes some time to enroll keys , I don't want to run it when there is no update to the bootloader.

My goal is preventing other OSes on USB sticks from accessing LUKS encryption keys stored in the TPM, while still allowing them to boot. I can still manually unlock my volume with a password when I want.

[vroad]

I'm not sure exactly when I need to re-run this command. Upgrading the kernel doesn't seem to cause boot failure, which might mean that bootloader configuration doesn't affect calculation of PCR 4 value.

[RaitoBezarius]

So basically, some sort of --post-bootloader-update, --post-kernel-update, --post-initrd-update would constitute adequate hooks to enable these usecases, right?

[vroad]

So basically, some sort of --post-bootloader-update, --post-kernel-update, --post-initrd-update would constitute adequate hooks to enable these usecases, right?

What I planned was running a single script with environment variables indicating what are updated, rather than having multiple hooks.
Having one fook for each type of update may not work well for some use cases, such as "run a script if any of bootloader, kernel, initrd has changed".

[vroad]

I was misunderstanding how PCR value calculation works.
Values in PCRs won't update until next reboot.
Running systemd-cryptenroll automatically after each bootloader update will not enroll new keys. As a result you will be asked LUKS encryption password everytime you update the bootloader (if PCR 4 is used).

tpm_futurepcr would allow pre-calculating the value for PCR4, but no longer maintained.

I try enabling early SSH instead to type password from main machine. Hooks won't be useful for my use case without a tool like tpm_futurepcr.

[js6pak]

Should this be closed? Is there any way to have working tpm unlocking after a kernel/bootloader/initrd update? Could lzbt possibly have the same feature as mentioned tpm_futurepcr?

[blitz]

I'm not sure why this was closed. Looks like a pretty useful feature.

[nikstur]

To me this sounds like you want to use something like systemd-measure to pre-calculate the PCR values.

[colemickens]

If someone uses systemd-measure with lanzaboote, maybe perhaps with systemd-cryptenroll for automatic TPM-based LUKS unlocking, I'd love to hear a few hints/details. Unless someone else wants to just do it, I could add it to the README once I get it figured out.