- https://wiki.archlinux.org/title/User:Krin/Secure_Boot,_full_disk_encryption,_and_TPM2_unlocking_install
- https://webcache.googleusercontent.com/search?q=cache:oKFoIOw1RKsJ:https://lunaryorn.com/unlock-luks-rootfs-with-tpm2-key&cd=5&hl=de&ct=clnk&gl=de&client=firefox-b-d
apt update
apt install --yes openssh-server debootstrap gdisk dosfstools mdadm lvm2
systemctl start sshd
DISK1=/dev/vda
DISK2=/dev/vdb
HOSTNAME=bookworm-secureboot-test
MIRROR=http://deb.debian.org/debian
NIC=$(ip -o -4 route show to default | awk '{print $5}')
sgdisk -Z -n1:2048:+512M -t1:EF00 -n2:0:0 -t2:FD00 $DISK1
sgdisk -R $DISK2 $DISK1
#todo: optimize chunksize
mdadm --create --verbose /dev/md127 --level=1 --raid-devices=2 --metadata=0.90 ${DISK1}1 ${DISK2}1
mdadm --create --verbose /dev/md126 --level=1 --raid-devices=2 --metadata=1.2 ${DISK1}2 ${DISK2}2
#todo: optimize chunksize
cryptsetup luksFormat /dev/md126
cryptsetup luksOpen /dev/md126 raid_crypt
pvcreate pv_root /dev/mapper/raid_crypt
vgcreate vg_root /dev/mapper/raid_crypt
lvcreate lv_root vg_root
lvcreate -l100%free -n lv_root vg_root
mkdosfs -F 32 -s 1 -n EFI /dev/md127
#todo: optimize blocksize
mkfs -t ext4 -L root /dev/mapper/vg_root-lv_root
mount /dev/mapper/vg_root-lv_root /mnt
mkdir /mnt/efi
mount /dev/md127 /mnt/efi
mkdir /mnt/run
mount -t tmpfs tmpfs /mnt/run
mkdir /mnt/run/lock
debootstrap bookworm /mnt $MIRROR
echo "/dev/disk/by-id/md-uuid-$(mdadm --detail /dev/md127 | grep "UUID" | cut -d ":" -f2- | cut -d " " -f2) /efi vfat defaults 0 0" > /mnt/etc/fstab
echo $HOSTNAME > /mnt/etc/hostname
echo -e "127.0.1.1\t$HOSTNAME" >> /mnt/etc/hosts
echo -e "auto $NIC\niface $NIC inet dhcp" > /mnt/etc/network/interfaces.d/$NIC
echo "deb [check-valid-until=false] $MIRROR bookworm main" > /mnt/etc/apt/sources.list
mount --make-private --rbind /dev /mnt/dev
mount --make-private --rbind /proc /mnt/proc
mount --make-private --rbind /sys /mnt/sys
chroot /mnt bash --login
passwd
ln -s /proc/self/mounts /etc/mtab
apt update
apt install --yes console-setup locales chrony dosfstools wget dracut efitools efibootmgr sbsigntool python3 tpm2-tools linux-image-amd64 linux-doc systemd-boot systemd-boot-efi mokutil gdisk
dpkg-reconfigure locales tzdata keyboard-configuration console-setup
# locale en_US.UTF8 + keyboard German + timezone Europe/Berlin + "Latin1 and Latin5" + Terminus + 8x16
mkdir /root/secure-boot-keys
cd /root/secure-boot-keys
wget https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
chmod +x mkkeys.sh
sed -i 's/rsa:2048/rsa:4096/g' mkkeys.sh
sed -i 's/read NAME/NAME=$1/g' mkkeys.sh
./mkkeys.sh "$(cat /etc/hostname)"
cp DB.cer PK.cer KEK.cer /efi/
nano /etc/dracut.conf.d/99-uki.conf
cat /etc/dracut.conf.d/99-uki.conf
hostonly=yes
hostonly_cmdline=yes
reproducible=yes
uefi=yes
uefi_stub=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
uefi_secureboot_cert=/root/secure-boot-keys/DB.crt
uefi_secureboot_key=/root/secure-boot-keys/DB.key
add_dracutmodules+=" tpm2-tss "
early_microcode=yes
dracut --kver 6.0.0-5-amd64 --force
systemd-cryptenroll --wipe-slot=tpm2 /dev/md126
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+1+2+3+4+5+7 /dev/md126
SYSTEMD_RELAX_ESP_CHECKS=1 bootctl install
sbsign --key /root/secure-boot-keys/DB.key --cert /root/secure-boot-keys/DB.crt --output /efi/EFI/systemd/systemd-bootx64.efi /efi/EFI/systemd/systemd-bootx64.efi
sbsign --key /root/secure-boot-keys/DB.key --cert /root/secure-boot-keys/DB.crt --output /efi/EFI/BOOT/bootx64.efi /efi/EFI/BOOT/bootx64.efi
wait for boot to fail and drop into the dracut emergency shell
mdadm --assemble --scan
# -> /dev/md127 has been started with 1 drive (out of 2)
systemctl start cryptsetup.target
lvm pvscan
lvm vgscan
lvm lvscan
lvm lvchange -ay vg_root/lv_root
mount -t ext4 /dev/mapper/vg_root-lv_root /sysroot
# ctrl+D to continue boot
# /dev/vda: working drive, /dev/vdb: new drive
sgdisk -R /dev/vdb /dev/vda
mdadm --grow /dev/md126 --raid-devices=1 --force # get rid of "removed" devices
mdadm --grow /dev/md127 --raid-devices=1 --force
mdadm --manage /dev/md126 --add /dev/vdb2
mdadm --manage /dev/md127 --add /dev/vdb1
mdadm --grow /dev/md127 --raid-devices=2
mdadm --grow /dev/md126 --raid-devices=2