Check whether the following command runs:
sudo /usr/bin/fstrim --listed-in /etc/fstab:/proc/self/mountinfo --verbose
If it returns the error "discard operation is not supported", run the following command to allow LUKS volumes to pass the TRIM command to the underlying SSD:
sudo rpm-ostree kargs --append rd.luks.options=discard
Check whether the tpm2-tss dracut module is being loaded using the lsinitrd command. If it is not present, run the following command and reboot. This requires that tpm2-tools is installed in the base image.
sudo rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss
This command modifies the initial RAM disk (initramfs), which is a temporary filesystem loaded into memory during the boot process. The initramfs contains the necessary tools and drivers to mount the root filesystem.
- sudo rpm-ostree initramfs --enable: This part enables the initramfs override on your system, which allows you to modify its contents.
- --arg=--force-add --arg=tpm2-tss: These arguments force the addition of the tpm2-tss (Trusted Software Stack) module into the initramfs. The tpm2-tss module provides the libraries and tools needed to communicate with the TPM chip.
Essentially, this command modifies the boot process to ensure the system has the necessary tools to interact with the TPM and unlock the encrypted volume as it boots.
sudo systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs "7+11+14" /dev/nvme0n1p3
This command is used to enroll a LUKS key slot with a specific mechanism, in this case the TPM.
- sudo systemd-cryptenroll --wipe-slot tpm2: This command enrolls the TPM2 device to a LUKS key slot and wipes any pre-existing key in that slot. This action is crucial because it ensures that only the TPM can unlock that specific key slot.
- --tpm2-device auto: This option tells the system to automatically detect and use the available TPM2 device.
- --tpm2-pcrs "7+11+14": This is a critical part of the command. It specifies the Platform Configuration Registers (PCRs) that the TPM should "seal" the decryption key to. PCRs are memory locations within the TPM that store hashes of system state measurements (e.g., firmware, boot loader, kernel, and system configuration). By sealing the key to a specific combination of PCRs (in this case, PCRs 7, 11, and 14), the TPM will only release the key if the system's boot state is identical to when the key was sealed.
  - PCR 7: Measures the Secure Boot state, verifying whether Secure Boot is enabled.
  - PCR 11: Measures the firmware configuration and early boot-related variables.
  - PCR 14: Measures the LUKS key slot configuration itself, ensuring that the /etc/crypttab or /etc/fstab entries are unchanged.
- /dev/nvme0n1p3: This is the path to the encrypted LUKS partition on which the TPM key slot is being configured.
In short, this command creates a link between your encrypted partition and the TPM, locking the decryption key to a specific, trusted boot state. If any of the measured components (like the Secure Boot state or the kernel) change, the TPM will refuse to release the key, effectively preventing an unauthorized boot.
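The three things this procedure sets up (the discard kernel argument, the tpm2-tss module in the initramfs, and the PCR set recorded in the enrolled token) can be checked together after the reboot. The script below is an added example, not part of the original page: the function names are hypothetical, the sample inputs are constructed, and it assumes the token JSON printed by cryptsetup token export stores the PCR list under "tpm2-pcrs".

```shell
#!/bin/sh
# Added example (not from the original page). Helper names are hypothetical.
# Each function reads command output on stdin, so it can be exercised offline.

# Input: kernel command line. True if LUKS volumes get the "discard" option,
# alone or in a comma-separated list (optionally prefixed with "<UUID>=").
has_discard_karg() {
    tr ' ' '\n' | grep -Eq '^rd\.luks\.options=(.*[,=])?discard(,.*)?$'
}

# Input: lsinitrd output. True if the tpm2-tss dracut module is listed.
has_tpm2_module() {
    grep -Eq '^[[:space:]]*tpm2-tss[[:space:]]*$'
}

# Input: one LUKS2 token as JSON. Prints its PCR list as "7+11+14",
# or nothing when the token is not of type systemd-tpm2.
token_pcrs() {
    tr -d ' \t\n' | grep '"type":"systemd-tpm2"' |
        sed -n 's/.*"tpm2-pcrs":\[\([0-9,]*\)].*/\1/p' | tr ',' '+'
}

# Constructed sample inputs (placeholders, not captured from a real system).
SAMPLE_CMDLINE='root=UUID=CONSTRUCTED rd.luks.uuid=luks-CONSTRUCTED rd.luks.options=discard rw'
SAMPLE_LSINITRD='dracut modules:
systemd
crypt
tpm2-tss'
SAMPLE_TOKEN='{"type":"systemd-tpm2","keyslots":["1"],"tpm2-blob":"CONSTRUCTED",
 "tpm2-pcrs":[7,11,14],"tpm2-policy-hash":"CONSTRUCTED"}'

# Returns 0 only if all three checks pass for the given inputs.
# $1 = cmdline, $2 = lsinitrd output, $3 = token JSON, $4 = expected PCRs
verify_setup() {
    printf '%s\n' "$1" | has_discard_karg || { echo "missing rd.luks.options=discard"; return 1; }
    printf '%s\n' "$2" | has_tpm2_module  || { echo "tpm2-tss not in initramfs"; return 1; }
    [ "$(printf '%s\n' "$3" | token_pcrs)" = "$4" ] || { echo "token PCRs differ from $4"; return 1; }
    echo "ok"
}

verify_setup "$SAMPLE_CMDLINE" "$SAMPLE_LSINITRD" "$SAMPLE_TOKEN" "7+11+14"

# On a live system (token id 0 is an assumption; list ids with cryptsetup luksDump):
#   verify_setup "$(cat /proc/cmdline)" "$(sudo lsinitrd)" \
#     "$(sudo cryptsetup token export --token-id 0 /dev/nvme0n1p3)" "7+11+14"
```

Running the PCR check again after a firmware or Secure Boot change shows whether the token still records the PCR set you intended before you rely on automatic unlock.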