I wrote this user-data to install Ubuntu 20.04 on a UEFI server.
#cloud-config
autoinstall:
  update: yes
  early-commands:
    - systemctl stop ssh
  apt:
    geoip: true
    preserve_sources_list: false
    primary:
      - arches: [amd64, i386]
        uri: http://fr.archive.ubuntu.com/ubuntu
      - arches: [default]
        uri: http://ports.ubuntu.com/ubuntu-ports
  packages:
    - modemmanager
    - network-manager
    - socat
  # note: autoinstall expects a crypt(3) password hash in identity.password, not a plaintext string
  identity: {hostname: edgegateway, password: verysecure,
    realname: Cyril, username: cyril}
  keyboard: {layout: fr, toggle: null, variant: ''}
  locale: en_US
  network:
    ethernets:
      eth0: { dhcp4: true, dhcp-identifier: mac, optional: true }
      eth1: { dhcp4: true, dhcp-identifier: mac, optional: true }
    version: 2
  ssh:
    allow-pw: true
    authorized-keys: ['ssh-rsa ....']
    install-server: true
  storage:
    config:
      # whole disk, GPT partition table
      - {ptable: gpt, path: /dev/sda, wipe: superblock, preserve: false, name: '',
         grub_device: false, type: disk, id: disk-sda}
      # partition 1: 512 MiB EFI system partition (FAT32, mounted at /boot/efi)
      - {device: disk-sda, size: 536870912, wipe: superblock, flag: boot, number: 1,
         preserve: false, grub_device: true, type: partition, id: partition-0}
      - {fstype: fat32, volume: partition-0, preserve: false, type: format, id: format-0}
      # partition 2: 1 GiB unencrypted /boot (ext4)
      - {device: disk-sda, size: 1073741824, wipe: superblock, flag: '', number: 2,
         preserve: false, type: partition, id: partition-1}
      - {fstype: ext4, volume: partition-1, preserve: false, type: format, id: format-1}
      # partition 3: rest of the disk, LUKS container holding the LVM volume group
      - {device: disk-sda, size: -1, wipe: superblock, flag: '', number: 3,
         preserve: false, type: partition, id: partition-2}
      - {volume: partition-2, key: 'verysecure', preserve: false, type: dm_crypt,
         id: dm_crypt-0}
      - name: ubuntu-vg
        devices: [dm_crypt-0]
        preserve: false
        type: lvm_volgroup
        id: lvm_volgroup-0
      - {name: swap, volgroup: lvm_volgroup-0, size: 8G, preserve: false, type: lvm_partition,
         id: lvm_partition-0}
      - {fstype: swap, volume: lvm_partition-0, preserve: false, type: format, id: format-4}
      - {name: ubuntu-lv, volgroup: lvm_volgroup-0, size: -1, preserve: false,
         type: lvm_partition, id: lvm_partition-1}
      - {fstype: ext4, volume: lvm_partition-1, preserve: false, type: format, id: format-3}
      - {device: format-3, path: /, type: mount, id: mount-3}
      - {device: format-4, path: '', type: mount, id: mount-4}
      - {device: format-1, path: /boot, type: mount, id: mount-1}
      - {device: format-0, path: /boot/efi, type: mount, id: mount-0}
    swap: {swap: 0}
    version: 1
On first boot, I run a script that sets up the password in the TPM:
#!/bin/bash
set -euo pipefail
apt update
apt dist-upgrade -y
apt install -y clevis-luks clevis-tpm2 luksmeta tpm-udev tpm2-tools
password="verysecure"   # the LUKS passphrase given as `key:` in the storage config
# add a TPM2-sealed key slot to the LUKS container, bound to PCR 7 (Secure Boot state);
# the existing passphrase is supplied on stdin to authorise the new slot
clevis luks bind -f -d /dev/sda3 tpm2 '{"pcr_ids":"7"}' <<< "$password"
# seal the passphrase itself to PCRs 8 and 9; the resulting JWE is printed to stdout
echo "$password" | clevis encrypt tpm2 '{"pcr_ids":"8,9"}'
# pull clevis into the initramfs so the root volume can be unlocked at boot
apt install -y clevis-initramfs
Everything works well, but it is not secure enough.
- How do I encrypt /boot? I think I just need to remove
{device: disk-sda, size: 536870912, wipe: superblock, flag: boot, number: 1, preserve: false, grub_device: true, type: partition, id: partition-0}
and {device: format-1, path: /boot, type: mount, id: mount-1}
- What about GRUB? Can it retrieve the password from the TPM?
- Do I need to set one TPM password for GRUB and another one for LUKS?
Thanks in advance for your answers / code snippets
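As an added illustration (not part of the question or of the answer), here is a small Python check that walks the curtin storage config from the user-data above and reports, for every mount point, whether a dm_crypt layer sits between it and the disk. The config is reconstructed inline from the question's own entries (trimmed to the keys the walk needs); the function names are mine. Run against this layout it shows that / and swap live inside the LUKS container while /boot and /boot/efi are plaintext, which is exactly the gap the first bullet asks about, and it generalises to any curtin config (LVM, dm_crypt, partitions nested in any order).

```python
"""Trace each mount point in a curtin/autoinstall storage config back to the
disk and report whether a dm_crypt layer sits somewhere in its path."""

# Storage config reconstructed from the question's user-data; ids match the
# original, and fields the walk does not need (sizes, wipe, preserve) are dropped.
STORAGE_CONFIG = [
    {"type": "disk", "id": "disk-sda", "path": "/dev/sda", "ptable": "gpt"},
    {"type": "partition", "id": "partition-0", "device": "disk-sda", "number": 1, "flag": "boot"},
    {"type": "format", "id": "format-0", "volume": "partition-0", "fstype": "fat32"},
    {"type": "partition", "id": "partition-1", "device": "disk-sda", "number": 2},
    {"type": "format", "id": "format-1", "volume": "partition-1", "fstype": "ext4"},
    {"type": "partition", "id": "partition-2", "device": "disk-sda", "number": 3},
    {"type": "dm_crypt", "id": "dm_crypt-0", "volume": "partition-2"},
    {"type": "lvm_volgroup", "id": "lvm_volgroup-0", "name": "ubuntu-vg", "devices": ["dm_crypt-0"]},
    {"type": "lvm_partition", "id": "lvm_partition-0", "name": "swap", "volgroup": "lvm_volgroup-0"},
    {"type": "format", "id": "format-4", "volume": "lvm_partition-0", "fstype": "swap"},
    {"type": "lvm_partition", "id": "lvm_partition-1", "name": "ubuntu-lv", "volgroup": "lvm_volgroup-0"},
    {"type": "format", "id": "format-3", "volume": "lvm_partition-1", "fstype": "ext4"},
    {"type": "mount", "id": "mount-3", "device": "format-3", "path": "/"},
    {"type": "mount", "id": "mount-4", "device": "format-4", "path": ""},
    {"type": "mount", "id": "mount-1", "device": "format-1", "path": "/boot"},
    {"type": "mount", "id": "mount-0", "device": "format-0", "path": "/boot/efi"},
]

# For each curtin object type, the key(s) that reference the object(s) beneath it.
PARENT_KEYS = {
    "mount": ("device",),
    "format": ("volume",),
    "partition": ("device",),
    "dm_crypt": ("volume",),
    "lvm_partition": ("volgroup",),
    "lvm_volgroup": ("devices",),   # a list: a VG may span several PVs
}


def index_config(config):
    """Map object id -> object so references can be followed."""
    return {obj["id"]: obj for obj in config}


def chain_to_disk(objects, start_id):
    """Return the list of object types from start_id down to the backing disk(s)."""
    chain, stack, seen = [], [start_id], set()
    while stack:
        oid = stack.pop()
        if oid in seen:                      # a malformed config could loop
            raise ValueError(f"cycle at {oid}")
        seen.add(oid)
        obj = objects[oid]
        chain.append(obj["type"])
        for key in PARENT_KEYS.get(obj["type"], ()):
            ref = obj.get(key)
            if ref is None:
                continue
            stack.extend(ref if isinstance(ref, list) else [ref])
    return chain


def encryption_report(config):
    """Map each mount path (swap is labelled '<swap>') to True if dm_crypt is beneath it."""
    objects = index_config(config)
    report = {}
    for obj in config:
        if obj["type"] != "mount":
            continue
        label = obj["path"] or f"<{objects[obj['device']].get('fstype')}>"
        report[label] = "dm_crypt" in chain_to_disk(objects, obj["id"])
    return report


def plaintext_mounts(config):
    """Sorted list of mount points that reach the disk without a dm_crypt layer."""
    return sorted(p for p, enc in encryption_report(config).items() if not enc)


if __name__ == "__main__":
    for path, enc in encryption_report(STORAGE_CONFIG).items():
        print(f"{path:12} {'encrypted' if enc else 'PLAINTEXT'}")
```

The walk is deliberately type-agnostic: it only needs to know which key of each object points downwards, so the same code flags a plaintext /boot whether it is a raw partition, an LVM logical volume on an unencrypted PV, or anything else curtin can express.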
Answer 1
Just follow the section "LUKS disk encryption scheme with a password stored in TPM2 as the protector" at the following URL: https://tpm2-software.github.io/2020/04/13/Disk-Encryption.html