We currently have UEFI booting up GRUB, which boots up Linux. We need to implement Secure Boot. We're using a TPM to store our keys. Does GRUB2 support TPM? I read that the only version of GRUB that supports TPM, i.e. TrustedGRUB, does not support UEFI. Is there a GRUB version that supports TPM? Or is the only alternative to replace GRUB with LinuxBoot, i.e. UEFI -> (Secure Boot) LinuxBoot -> (Secure Boot) Linux kernel instead of UEFI -> (Secure Boot) GRUB -> (Secure Boot) Linux kernel? Are there any significant advantages in using LinuxBoot over GRUB?
- TPM is not directly related to UEFI Secure Boot. phoronix.com/… You have to install the signed versions of GRUB, kernel & any drivers. If you use a proprietary driver like nVidia's blob, you have to create your own "trust" MOK key for that, as Ubuntu cannot sign it. wiki.ubuntu.com/UEFI/SecureBoot – oldfred, Feb 21, 2022 at 18:04
- Why do you think the only alternative option is LinuxBoot? Multiple Linux-compatible UEFI bootloaders exist – not just GRUB. – grawity, Feb 22, 2022 at 9:32
1 Answer
grub2 supports TPM in the sense that it updates the PCR to include grub entries and it supports secure boot. Subsequent bootloader pieces (including clevis) can use the PCR to verify the grub binary, kernel and initrd binaries, and kernel command line have not been tampered with.
- Thanks for the clarification. So there's no need for us to switch to LinuxBoot (linuxboot.org), right? If grub2 can update PCRs and also supports Secure Boot, then we may as well continue with GRUB2, isn't it? – user515439, Feb 22, 2022 at 9:19
- Right. Assuming you set up the next step correctly and use the appropriate PCRs to unlock an encrypted root filesystem... It may be possible to get grub to use the PCR to unlock the boot partition as well, but that requires a newer grub than my distro currently uses. – user10489, Feb 22, 2022 at 12:19
- @user10489 Don't you also have to make sure the TPM support and config is built into core.img, since that's the only thing which the firmware will extend the PCRs with on its own? – forest, May 9, 2022 at 1:16
- Not sure about that, I just know that the grub with Ubuntu 20.04 supports adding PCR log entries (and automatically does it without needing to be configured). A subsequent version of grub is supposed to handle pulling a secret from the TPM to decrypt a boot volume; I look forward to trying that in Ubuntu 22.04 eventually. – user10489, May 9, 2022 at 5:12
- @forest Yes, if you don't do that it's possible to tamper with the tpm module itself. – ThePirate42, Aug 25, 2022 at 13:39
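As an added illustration of the answer's point (this is not code from the thread or from GRUB itself): GRUB's tpm module extends PCR 8 with every command it runs (including the kernel command line) and PCR 9 with every file it reads, and a later stage such as clevis seals a secret to those values. The script below replays a constructed measurement log into PCR 8 and PCR 9 the way a TPM would, then checks a simplified PCR-bound policy against a second log in which only grub.cfg's kernel command line was changed. The event strings, file "contents" and the flat-hash policy are assumptions for demonstration; the real TPM2 PolicyPCR digest also covers the PCR selection structure, but the property shown (any changed or reordered event breaks the seal) is the same.

```python
"""Replay a constructed GRUB measurement log into PCR values and test a
PCR-bound seal against it.  Added example, not GRUB's or clevis's code."""
import hashlib

PCR_SIZE = 32  # SHA-256 bank; PCRs 0-16 reset to all-zero bytes

# Constructed sample events, not a real log: (pcr index, measured bytes).
# GRUB measures commands into PCR 8 and loaded files into PCR 9.  The file
# "contents" here are stand-in strings; GRUB measures the real file bytes.
GOLDEN_EVENTS = [
    (9, b"stand-in for /boot/vmlinuz-5.15 contents"),
    (8, b"grub_cmd: linux /boot/vmlinuz-5.15 root=/dev/mapper/root ro quiet"),
    (9, b"stand-in for /boot/initrd.img-5.15 contents"),
    (8, b"grub_cmd: initrd /boot/initrd.img-5.15"),
]

# Same kernel and initrd, but grub.cfg was edited to append init=/bin/sh.
TAMPERED_EVENTS = [
    (9, b"stand-in for /boot/vmlinuz-5.15 contents"),
    (8, b"grub_cmd: linux /boot/vmlinuz-5.15 root=/dev/mapper/root ro quiet init=/bin/sh"),
    (9, b"stand-in for /boot/initrd.img-5.15 contents"),
    (8, b"grub_cmd: initrd /boot/initrd.img-5.15"),
]


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2 PCR_Extend for a SHA-256 bank: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events, pcrs=(8, 9)) -> dict:
    """Compute the PCR values a TPM would hold after these events.

    Each selected PCR starts at zero and is extended, in log order, with the
    SHA-256 digest of each event's data.  Events for other PCRs are ignored.
    """
    state = {p: bytes(PCR_SIZE) for p in pcrs}
    for pcr, data in events:
        if pcr in state:
            state[pcr] = extend(state[pcr], hashlib.sha256(data).digest())
    return state


def seal_policy(pcr_state: dict, selection=(8, 9)) -> bytes:
    """Simplified stand-in for a TPM2 PolicyPCR digest (assumption): a hash
    over the selected PCR values, concatenated in selection order."""
    return hashlib.sha256(b"".join(pcr_state[p] for p in selection)).digest()


def unseal_allowed(events, expected_policy: bytes, selection=(8, 9)) -> bool:
    """Would a secret sealed to expected_policy be released for this boot?"""
    return seal_policy(replay(events), selection) == expected_policy


def main():
    golden = replay(GOLDEN_EVENTS)
    policy = seal_policy(golden)
    for p, v in golden.items():
        print(f"PCR{p}: {v.hex()}")
    print("golden boot unseals:", unseal_allowed(GOLDEN_EVENTS, policy))
    print("tampered cmdline unseals:", unseal_allowed(TAMPERED_EVENTS, policy))
    tampered = replay(TAMPERED_EVENTS)
    print("PCR9 unchanged by cmdline edit:", tampered[9] == golden[9])
    # Binding only to PCR 9 (files) would not notice the edited command line.
    print("PCR9-only policy still unseals tampered boot:",
          unseal_allowed(TAMPERED_EVENTS, seal_policy(golden, (9,)), (9,)))


if __name__ == "__main__":
    main()
```

The last line of output is the caveat behind "use the appropriate PCRs" in the comments: a seal bound to PCR 9 alone checks the kernel and initrd bytes but not the command line, so PCR 8 must be in the selection too. On a real system the log this script replays is what `tpm2_eventlog` (tpm2-tools) prints from /sys/kernel/security/tpm0/binary_bios_measurements, and `tpm2_pcrread` shows the values the TPM actually holds; if the replay and the TPM disagree, either the log or the measuring code was tampered with.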