-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add 2024-09-26 快速入门:使用 TPM 和 YaST2 进行全盘加密 (#255)
- Loading branch information
1 parent
a69f244
commit 19432c6
Showing
2 changed files
with
111 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,111 @@ | ||
--- | ||
author: Poplar at twilight | ||
date: 2024-09-26 07:00:00 +0800 | ||
layout: post | ||
license: CC-BY-SA-4.0 | ||
title: 快速入门:使用 TPM 和 YaST2 进行全盘加密 | ||
image: /assets/posts/2024-09/sdboot.png | ||
categories: | ||
- 更新通告 | ||
tags: | ||
- Tumbleweed | ||
- 翻译作品 | ||
- 官方新闻 | ||
--- | ||
|
||
这是一份在 openSUSE MicroOS 上使用 [TPM](或 [FIDO2])和 YaST2 进行全磁盘加密(Full Disk Encryption, FDE)的快速入门指南。本文主要介绍使用YaST2 安装 [openSUSE MicroOS],以及使用 TPM2 芯片和测量启动([measured boot])或 FIDO2 密钥保护的全盘加密的几个步骤。 | ||
|
||
[fido2]: https://fidoalliance.org/fido2/ | ||
[TPM]: https://en.wikipedia.org/wiki/Trusted_Platform_Module | ||
[openSUSE MicroOS]: https://microos.opensuse.org/ | ||
[measured boot]: https://en.opensuse.org/Portal:MicroOS/RemoteAttestation#Measured_boot | ||
|
||
## 硬件要求 | ||
|
||
- 具有 UEFI 固件 | ||
- 支持 `hmac-secret` 扩展的 TPM2 芯片或 FIDO2 密钥 | ||
- 2GB 内存 | ||
|
||
## 安装 openSUSE MicroOS | ||
|
||
MicroOS 快速安装指南另见[此处]。 | ||
|
||
[此处]: https://microos.opensuse.org/blog/2024-09-03-quickstart-fde-yast2/ | ||
|
||
## 安装 openSUSE Tumbleweed | ||
|
||
### 启动安装介质 | ||
|
||
- 按照工作流程进行操作,直到出现“建议分区”: | ||
- 分区:选择“引导设置(Guided Setup)”和“启用磁盘加密(Enable Disk Encryption)”,其他保持默认 | ||
- 继续安装直至“安装设置”: | ||
- 启动: | ||
- 将引导加载程序类型从 “GRUB2 for EFI” 更改为 “Systemd Boot”,忽略 “Systemd-boot support is work in Progress” 并继续 | ||
- 软件: | ||
- 安装额外的 `tmp2.0-tools`、`tpm2-0-tss` 和 `libtss2-tcti-device0` | ||
- 完成安装 | ||
|
||
### 完成 FDE 设置 | ||
|
||
启动新系统 | ||
|
||
- 输入密码以在启动期间解锁磁盘 | ||
- 登录 | ||
- Enroll system: | ||
- 具有 TPM2 芯片的设备:`sdbootutil enroll --method tpm2` | ||
- 使用 FIDO2 密钥的设备:`sdbootutil enroll --method fido2` | ||
- 推荐的可选步骤: | ||
- 升级您的 LUKS 密钥派生函数(对 `/etc/crypttab` 中列出的每个加密设备执行此操作): | ||
``` | ||
# cryptsetup luksConvertKey /dev/vdaX --pbkdf argon2id | ||
# cryptsetup luksConvertKey /dev/vdaY --pbkdf argon2id | ||
``` | ||
|
||
## 调整内核启动参数 | ||
|
||
内核命令行选项的配置文件是 `/etc/kernel/cmdline`。 | ||
|
||
编辑此文件后,调用 `sdbootutil update-all-entries` 来更新引导加载程序配置。如果该选项尚不存在或不起作用,解决方法是:`sdbootutil remove-all-kernels && sdbootutil add-all-kernels`。 | ||
|
||
## Re-enrollment | ||
|
||
如果预测系统(prediction system)出现故障,则必须为新的测量创建新的策略,以替换 TPM2 中存储的策略。 | ||
|
||
如果您有恢复 PIN 码,则运行: | ||
|
||
``` | ||
# sdbootutil --ask-pin update-predictions | ||
``` | ||
|
||
如果您没有恢复 PIN 码,您可以按照以下步骤设置: | ||
|
||
``` | ||
# sdbootutil unenroll --method=tpm2 | ||
# PIN=<new recovery PIN> sdbootutil enroll --method=tpm2 | ||
``` | ||
|
||
## 虚拟机 | ||
|
||
如果您的计算机是虚拟机,建议编辑 `/etc/sysconfig/fde-tools` 删除其中 `FDE_SEAL_PCR_LIST` 变量的 `0`。虚拟机管理程序的更新可能会更改 PCR0。由于此类更新在 VM 内部不可见,因此无法更新 PCR 值。所以,磁盘无法在下次启动时自动解密,需要输入恢复密钥并需要手动重新注册。 | ||
|
||
## 下一步行动 | ||
|
||
开发人员接下来准备: | ||
|
||
- 支持 grub2-BLS(grub2 遵循 [Boot Loader 规范]) | ||
- 添加对安装程序的支持(YaST2 和 Agama) | ||
- 如果存在 TPM2 芯片,请将其设为默认值 | ||
|
||
[Boot Loader 规范]: https://uapi-group.org/specifications/specs/boot_loader_specification/ | ||
|
||
欢迎提供任何的帮助! | ||
|
||
## 延伸阅读 | ||
|
||
- [全盘加密(FDE)](https://en.opensuse.org/Portal:MicroOS/FDE) | ||
- [Systemd-fde](https://en.opensuse.org/Systemd-fde) | ||
- [使用 TPM 和 FIDO2 的 Systemd 启动和全磁盘加密](https://microos.opensuse.org/blog/2023-12-20-sdboot-fde/) | ||
|
||
---- | ||
|
||
原文:[Quickstart in Full Disk Encryption with TPM and YaST2](https://news.opensuse.org/2024/09/20/quickstart-fde-yast2/),作者:Thorsten Kukuk |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.