@narthollis
Last active December 14, 2025 04:43
Bazzite + arch distrobox tpm-fido HowTo

(this was built with the assistance of Google Gemini, but it is the steps I followed to get everything working)

🚀 TPM Passkeys on Bazzite: The Definitive Guide (Arch Distrobox)

This guide addresses TPM device access, container dependencies, pinentry conflicts, and systemd service environment issues for persistent, hardware-backed passkeys on Bazzite (or any Fedora OSTree/immutable system).

Phase 1: Host System Configuration (TPM Access)

The Bazzite host must grant your user permanent access to the TPM device (/dev/tpmrm0).

  1. Persist tss Group Definition: Copy the canonical tss group entry to the /etc/group overlay, ensuring the change survives reboots.

    # Copy the group definition to the /etc overlay
    grep -E '^tss:' /usr/lib/group | sudo tee -a /etc/group
  2. Add User and Finalize: Add your user ($USER) to the tss group.

    # Add your current user to the tss group
    sudo usermod -aG tss $USER
  3. Reboot: Reboot your system to finalize the persistent group membership change.
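
The same three steps as a host-side script, added here as an example and not part of the gist. It assumes the paths the steps above use (/usr/lib/group, /etc/group, /dev/tpmrm0), that the `tss` group is the one that owns the device, and a file name of `tpm-fido-phase1.sh`. Unlike a bare `tee -a`, which appends a second `tss:` line every time it is re-run, this version only appends when the entry is missing, and it checks the device ownership and mode so a permissions problem shows up here rather than as a silent failure later.

```sh
#!/bin/sh
# Added example (not part of the gist): Phase 1 as an idempotent, self-checking script.
# Assumed paths are the ones the steps above use: /usr/lib/group, /etc/group, /dev/tpmrm0.

# missing_group_line SRC DST NAME
# Print the "NAME:" line from SRC if DST does not define NAME yet; print nothing if it
# already does. Returns 1 when SRC has no such entry. Appending the output to DST is
# therefore safe to repeat, unlike a bare `tee -a`, which adds a duplicate line each run.
missing_group_line() {
    src=$1; dst=$2; name=$3
    grep -qE "^${name}:" "$dst" && return 0
    grep -E "^${name}:" "$src" || { echo "no '${name}' entry in ${src}" >&2; return 1; }
}

# count_group_entries FILE NAME: number of "NAME:" definitions in FILE (should be exactly 1).
count_group_entries() {
    grep -cE "^$2:" "$1" || true
}

# groups_include LIST NAME: true if NAME is in a space-separated group list (as printed by `id -nG`).
groups_include() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# perms_grant_group_rw PERMS: true if an ls-style permission string such as "crw-rw----"
# gives the owning group both read and write (characters 5 and 6).
perms_grant_group_rw() {
    [ "$(printf '%s' "$1" | cut -c5-6)" = "rw" ]
}

# check_tpm_device DEV NAME: DEV must be a character device owned by group NAME with group rw.
check_tpm_device() {
    dev=$1; name=$2
    [ -c "$dev" ] || { echo "${dev}: missing or not a character device" >&2; return 1; }
    grp=$(stat -c '%G' "$dev")
    [ "$grp" = "$name" ] || { echo "${dev}: owned by group '${grp}', expected '${name}'" >&2; return 1; }
    perms=$(stat -c '%A' "$dev")
    perms_grant_group_rw "$perms" || { echo "${dev}: ${perms} does not grant group rw" >&2; return 1; }
}

# Apply on the host only when run as: sh tpm-fido-phase1.sh apply
if [ "${1:-}" = "apply" ]; then
    set -e
    # The function only reads; sudo is needed for the single privileged append.
    line=$(missing_group_line /usr/lib/group /etc/group tss)
    [ -z "$line" ] || printf '%s\n' "$line" | sudo tee -a /etc/group >/dev/null
    [ "$(count_group_entries /etc/group tss)" = 1 ] || echo "warning: /etc/group defines tss more than once" >&2
    sudo usermod -aG tss "$USER"
    check_tpm_device /dev/tpmrm0 tss
    if groups_include "$(id -nG)" tss; then
        echo "tss membership is already effective in this session"
    else
        echo "user added to tss; reboot (or log out and back in) before the change takes effect"
    fi
fi
```

Run it once with `apply`; running it again is harmless. The final message is the point of step 3: `usermod -aG` changes the group database, but the running session keeps its old group list, so the device stays inaccessible until you log in again.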

Phase 2: Distrobox Setup (Dependencies and Environment)

We use an Arch Linux Distrobox to provide the required tpm-fido package and its Qt dependencies.

  1. Create/Enter the Box:

    # Create the box first if it does not exist yet
    distrobox create --name arch --image archlinux:latest
    distrobox enter arch
  2. Install Required Packages: Install the FIDO service, KDE/Qt dependencies, and the PIN entry program.

    sudo pacman -S tpm-fido-git pinentry-qt kwindowingsystem kguiaddons
  3. Clean Up Pinentry Conflicts (CRITICAL FIX): The tpm-fido source checks for pinentry binaries in a specific order (e.g., gnome3 before qt). Conflicting binaries must be removed to force selection of your working pinentry-qt.

    # Remove conflicting packages (e.g., GNOME or Qt5 versions)
    sudo pacman -R pinentry-gnome3 pinentry-qt5 # Use -R to remove
  4. Configure GnuPG Agent: Tell the GnuPG environment inside the container to prioritize your working Qt binary.

    mkdir -p ~/.gnupg
    echo "pinentry-program /usr/bin/pinentry-qt" > ~/.gnupg/gpg-agent.conf
  5. Export the Binary: This creates the host-side wrapper (~/.local/bin/tpm-fido).

    distrobox-export --bin /usr/bin/tpm-fido
  6. Exit the Box:

    exit

Phase 3: Service Persistence (Systemd User Unit)

This service unit must run after your KDE session starts and inherit the correct environment variables for graphical and GPG communication.

  1. Create the Service File:

    mkdir -p ~/.config/systemd/user/
    nano ~/.config/systemd/user/tpm-fido.service
  2. Paste the Final Configuration:

    [Unit]
    Description=TPM FIDO implementation (via Distrobox)
    Wants=plasma-workspace.target
    After=plasma-workspace.target
    
    [Service]
    # CRITICAL: Publishes DISPLAY, XDG_RUNTIME_DIR and GPG_AGENT_INFO from this unit's environment
    # to the systemd user manager and the D-Bus activation environment, so the exported binary
    # and the pinentry dialog can reach the graphical session and GPG agent.
    ExecStartPre=/usr/bin/dbus-update-activation-environment --systemd DISPLAY XDG_RUNTIME_DIR GPG_AGENT_INFO
    
    # Executes a shell that explicitly sets the PINENTRY_PROGRAM path for the container
    # and runs the exported binary.
    ExecStart=/usr/bin/sh -c "export PINENTRY_PROGRAM=/usr/bin/pinentry-qt; exec %h/.local/bin/tpm-fido"
    
    Type=simple
    Restart=on-failure
    RestartSec=5s
    
    [Install]
    WantedBy=plasma-workspace.target
  3. Enable and Start the Service:

    systemctl --user daemon-reload
    systemctl --user enable --now tpm-fido

Phase 4: Verification

  1. Check Service Status:

    systemctl --user status tpm-fido

    (Status should be active (running)).

  2. Test Passkey Registration:

    • Open your web browser on the host.
    • Navigate to https://webauthn.io/
    • Click Register.
    • A native KDE/Qt PIN entry dialog should appear on your desktop.
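
A host-side check script for this phase, added here as an example and not part of the gist. It assumes the unit name `tpm-fido`, the wrapper path `~/.local/bin/tpm-fido` from Phase 2 and the three variables the unit's ExecStartPre publishes; the checks are the ones to run when the PIN dialog does not appear, since a missing wrapper, a unit stuck in restart, or a user manager without DISPLAY all fail silently from the browser's point of view.

```sh
#!/bin/sh
# Added example (not part of the gist): host-side diagnostics for Phase 4.
# Assumes unit name tpm-fido, wrapper ~/.local/bin/tpm-fido and the variables
# named in the unit's ExecStartPre (DISPLAY, XDG_RUNTIME_DIR, GPG_AGENT_INFO).

# missing_env_vars DUMP NAME...: given KEY=VALUE lines (as printed by
# `systemctl --user show-environment`), print each NAME that has no line.
missing_env_vars() {
    dump=$1; shift
    for name in "$@"; do
        printf '%s\n' "$dump" | grep -q "^${name}=" || echo "$name"
    done
}

# unit_is_running SHOW: true if SHOW (output of
# `systemctl --user show -p ActiveState,SubState UNIT`) reports active/running.
unit_is_running() {
    printf '%s\n' "$1" | grep -qx 'ActiveState=active' &&
    printf '%s\n' "$1" | grep -qx 'SubState=running'
}

# wrapper_ok PATH: the distrobox-export wrapper must exist, be executable and
# actually call into distrobox; a leftover or hand-edited file here fails silently.
wrapper_ok() {
    [ -x "$1" ] && grep -q 'distrobox' "$1"
}

# Run the live checks only when invoked as: sh tpm-fido-check.sh check
if [ "${1:-}" = "check" ]; then
    rc=0
    wrapper="${HOME}/.local/bin/tpm-fido"
    wrapper_ok "$wrapper" || { echo "FAIL: ${wrapper} missing, not executable or not a distrobox-export wrapper"; rc=1; }
    show=$(systemctl --user show -p ActiveState,SubState tpm-fido)
    unit_is_running "$show" || { echo "FAIL: tpm-fido unit is not active/running:"; echo "$show"; rc=1; }
    missing=$(missing_env_vars "$(systemctl --user show-environment)" DISPLAY XDG_RUNTIME_DIR GPG_AGENT_INFO)
    [ -z "$missing" ] || echo "WARN: not in the user manager environment: $missing"
    [ $rc -eq 0 ] && echo "OK: service running; try Register at https://webauthn.io/"
    exit $rc
fi
```

GPG_AGENT_INFO is reported as a warning rather than a failure because current GnuPG releases no longer set it; a missing DISPLAY, on the other hand, is the usual reason the pinentry window never shows.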