
build EU OS test image with support for LUKS unlocking with both TPM and FIDO2

A unique selling feature for EU OS shall be security AND user convenience. One way to augment security is full-disk encryption (FDE).

I would like to enable FDE for the PoC test image, with unlocking through the TPM and ideally also through a FIDO2 USB key.

Read more about this here:

https://matthewd.xyz/2025/03/01/how-to-unlock-a-luks2-disk-with-a-tpm2-chip/

FIDO2 is currently challenging because of this limitation:

https://github.com/fedora-silverblue/issue-tracker/issues/546

However, I was told in the Matrix room #bootc:fedoraproject.org that:

If you're building your own image, you can regenerate initramfs with additional modules. https://github.com/ublue-os/bluefin/blob/906683b9b3ae5ef9ffb5ce5c646eb26e34c54e18/system_files/shared/usr/lib/dracut/dracut.conf.d/90-ublue.conf#L1 https://github.com/ublue-os/bluefin/blob/906683b9b3ae5ef9ffb5ce5c646eb26e34c54e18/build_files/base/19-initramfs.sh#L14

For EU OS, we build our own image with blue-build, which documents its initramfs module here:

https://blue-build.org/reference/modules/initramfs/

Relevant discussion in the blue-build community: https://www.answeroverflow.com/m/1267016686515650633

Quote:

Ublue has some just scripts in their images that will also allow you to set up Secure Boot (ujust enroll-secure-boot-key) and then set up a TPM lock (ujust setup-luks-tpm-unlock) which would allow your trusted hardware to unlock the drive for you. If you were to plug your boot drive into another PC, it would require your encryption password to unlock and mount it. You don't have to use that if you want to require a password. It's more of a convenience feature while securing your data at rest.

Estimated adaptation in the recipe.yml file:

  • add the initramfs module call at the very end to trigger initramfs generation at image build time
  • install the module for FIDO2 support
  • learn how these ujust scripts can be used and called to help with enrolment
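As an added illustration of the first two points (not EU OS, ublue or blue-build code), the following build-time script takes the approach suggested in the Matrix quote: it drops a dracut config that pulls in the systemd TPM2 and FIDO2 unlock helpers, regenerates the initramfs for every kernel in the image, and verifies the result with lsinitrd. The dracut module names tpm2-tss and fido2 are real; the file name 90-euos-luks.conf, the script layout and the assumption that libfido2 is already installed in the image (dracut only copies libraries that are present) are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not project code: run from a recipe.yml script step during the
# image build, before (or instead of) the blue-build initramfs module.
set -euo pipefail

# dracut modules that give systemd-cryptsetup TPM2 and FIDO2 unlock support.
REQUIRED_MODULES="tpm2-tss fido2"

# Write a dracut drop-in under the given root so every later initramfs build
# includes the required modules. Prints the path of the file it wrote.
write_dracut_conf() {
    local root="${1:-/}"
    local conf="${root%/}/usr/lib/dracut/dracut.conf.d/90-euos-luks.conf"
    mkdir -p "$(dirname "$conf")"
    printf 'add_dracutmodules+=" %s "\n' "$REQUIRED_MODULES" > "$conf"
    echo "$conf"
}

# Given the module list printed by `lsinitrd --mod <initrd>` (one name per line),
# print every required module that is absent; prints nothing when all are present.
missing_modules() {
    local listed="$1" m
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$listed" | grep -qx "$m" || echo "$m"
    done
}

# Regenerate the initramfs of each kernel shipped in the image (bootc/rpm-ostree
# keep it at /usr/lib/modules/<kver>/initramfs.img) and fail the build if the
# unlock modules did not make it in.
rebuild_initramfs() {
    local kdir kver listed missing
    for kdir in /usr/lib/modules/*/; do
        kver="$(basename "$kdir")"
        dracut --no-hostonly --kver "$kver" --reproducible -f "$kdir/initramfs.img"
        listed="$(lsinitrd --mod "$kdir/initramfs.img")"
        missing="$(missing_modules "$listed")"
        if [ -n "$missing" ]; then
            echo "initramfs for $kver lacks dracut modules: $missing" >&2
            return 1
        fi
    done
}

# Only the explicit "build" argument touches the system; sourcing the file for
# the helper functions is side-effect free.
case "${1:-}" in
    build) write_dracut_conf / >/dev/null; rebuild_initramfs ;;
esac
```

Enrolling the actual TPM2 or FIDO2 key slots on the LUKS volume is a separate, per-machine step that happens after installation, which is what the ujust scripts in the third point wrap.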

References:

Edited by Robert Riemann