Ubuntu 20.04 自动安装程序 UEFI 全盘加密

我编写了此用户数据以在 UEFI 服务器上安装 Ubuntu 20.04。

#cloud-config
autoinstall:
  update: yes
  early-commands:
    - systemctl stop ssh
  apt:
    geoip: true
    preserve_sources_list: false
    primary:
    - arches: [amd64, i386]
      uri: http://fr.archive.ubuntu.com/ubuntu
    - arches: [default]
      uri: http://ports.ubuntu.com/ubuntu-ports
  packages:
    - modemmanager
    - network-manager
    - socat
  identity: {hostname: edgegateway, password: verysecure,
    realname: Cyril, username: cyril}
  keyboard: {layout: fr, toggle: null, variant: ''}
  locale: en_US
  network:
    ethernets:
        eth0: { dhcp4: true, dhcp-identifier: mac, optional: true }
        eth1: { dhcp4: true, dhcp-identifier: mac, optional: true }
    version: 2
  ssh:
    allow-pw: true
    authorized-keys: ['ssh-rsa ....']
    install-server: true
  storage:
    config:
    - {ptable: gpt, path: /dev/sda, wipe: superblock, preserve: false, name: '', 
      grub_device: false, type: disk, id: disk-sda}
    - {device: disk-sda, size: 536870912, wipe: superblock, flag: boot, number: 1,
      preserve: false, grub_device: true, type: partition, id: partition-0}
    - {fstype: fat32, volume: partition-0, preserve: false, type: format, id: format-0}
    - {device: disk-sda, size: 1073741824, wipe: superblock, flag: '', number: 2,
      preserve: false, type: partition, id: partition-1}
    - {fstype: ext4, volume: partition-1, preserve: false, type: format, id: format-1}
    - {device: disk-sda, size: -1, wipe: superblock, flag: '', number: 3,
      preserve: false, type: partition, id: partition-2}
    - {volume: partition-2, key: 'verysecure', preserve: false, type: dm_crypt,
      id: dm_crypt-0}
    - name: ubuntu-vg
      devices: [dm_crypt-0]
      preserve: false
      type: lvm_volgroup
      id: lvm_volgroup-0
    - {name: swap, volgroup: lvm_volgroup-0, size: 8G, preserve: false, type: lvm_partition,
      id: lvm_partition-0}
    - {fstype: swap, volume: lvm_partition-0, preserve: false, type: format, id: format-4}
    - {name: ubuntu-lv, volgroup: lvm_volgroup-0, size: -1, preserve: false,
      type: lvm_partition, id: lvm_partition-1}
    - {fstype: ext4, volume: lvm_partition-1, preserve: false, type: format, id: format-3}
    - {device: format-3, path: /, type: mount, id: mount-3}
    - {device: format-4, path: '', type: mount, id: mount-4}
    - {device: format-1, path: /boot, type: mount, id: mount-1}
    - {device: format-0, path: /boot/efi, type: mount, id: mount-0}
    swap: {swap: 0}
  version: 1

第一次启动时，我运行一个脚本来设置 TPM 中的密码：

apt update
apt dist-upgrade -y
apt install -y clevis-luks clevis-tpm2 luksmeta tpm-udev tpm2-tools
password="verysecure"
clevis luks bind -f -d /dev/sda3 tpm2 '{"pcr_ids":"7"}' <<< $(echo $password)
echo $password |clevis encrypt tpm2 '{"pcr_ids":"8,9"}'
apt install -y clevis-initramfs

一切运行良好，但还不够安全。

• 如何加密 /boot？我想我只需要删除{device: disk-sda, size: 536870912, wipe: superblock, flag: boot, number: 1, preserve: false, grub_device: true, type: partition, id: partition-0}并{device: format-1, path: /boot, type: mount, id: mount-1}
• 如何处理 Grub？它能从 TPM 中检索密码吗？
• 我需要为 Grub 设置一个 TPM 密码，并为 Luks 设置另一个密码吗？

提前感谢您的回答/代码片段