@Daedra probably you can do it, I never did, but that means that every time you create an initrd you must do all the settings again... That's not very difficult if you write a script for that job. But why make your system vulnerable? I mean, if you need encryption and privacy, the BEST of all is what you are doing now... typing passwords.
Scenario: An attacker uses a rootkit to compromise the operating system and access TPM-stored keys.
A modern rootkit is a type of malware designed to maintain persistent and undetected access to the system.
The rootkit gives the attacker near-total control over the system, including processes that interact with the TPM. This control allows them to manipulate or monitor TPM-related functions.
The rootkit might monitor the operating system's interaction with the TPM, intercepting data during retrieval of the LUKS key. Alternatively, the rootkit might modify scripts or processes that interact with the TPM to force it to reveal stored keys.
Once the rootkit has the key, the attacker can use it to unlock encrypted partitions without needing a password. This allows them to access sensitive data on the device, compromising the security of LUKS encryption.
SO TPM is -1 for LUKS usage...
Scenario 2: A cracker has physical access to your laptop. There are hardware tools out there to create a clone of the TPM or directly manipulate the TPM's internals to override security checks. This allows them to retrieve sensitive data, such as encryption keys, without going through the normal authorization mechanisms.
Once the attacker has bypassed TPM security, they can extract the encryption key used for passwordless booting and subsequently use it to decrypt any LUKS-encrypted data. This exposes sensitive data and renders the initial encryption meaningless.
There are plenty of examples like these, but let's say you don't have TOP secrets on your laptop, and none of those super crackers will touch you.
In theory you can do it somehow like this:
Check what version of TPM your system supports, 1.2 or 2; you will also see if a block of system memory has been reserved for the TPM, showing that it is properly detected and initialized during boot, etc.
Code:
dmesg | grep -i tpm
Assuming you have version 2, you need these tools:
https://tpm2-tools.readthedocs.io/en/latest/INSTALL/
Make your tests and see if you can interact properly, for example:
Generate random data using the TPM to confirm it is functional.
and
Code:
tpm2_pcrread sha256:0
Read a Platform Configuration Register (PCR) to ensure the TPM can report values.
If everything goes right so far, then create a key file to use with LUKS instead of a password
Code:
dd if=/dev/urandom of=/root/luks-key bs=32 count=1
chmod 600 /root/luks-key   # dd leaves the file world-readable; the key must be root-only
cryptsetup luksAddKey /dev/sdXY /root/luks-key
Now store the key securely in the TPM
Code:
# tpm2-tools 5.x syntax: the NV index is positional, -C selects the auth hierarchy (o = owner), -a the NV attributes
tpm2_nvdefine 0x1500016 -C o -s 32 -a "ownerwrite|ownerread"
tpm2_nvwrite 0x1500016 -C o -i /root/luks-key
Now hack your initrd.gz
Code:
make a folder somewhere and cd to it, then
gunzip -c /boot/initrd.gz | cpio -i
Now you must install tpm2-tools to the initramfs so it can interact with TPM at boot time.
Copy the TPM binary and any necessary dependencies to the initramfs. You might need to include libraries from your system that tpm2-tools relies on (idk?!)
Code:
cp /usr/bin/tpm2_nvread bin/ # Copy tpm2-tools
cp /lib64/libtss2* lib64/ # Copy necessary libraries
Paths may be different... idk
Also, in theory, you must modify this script and put it in there as well
Code:
#!/bin/sh
# Read the key from the TPM NV index into a file (tpm2-tools 5.x syntax: -s size, -o output file)
tpm2_nvread 0x1500016 -C o -s 32 -o /tmp/luks-key
# Unlock the LUKS partition with that key file
cryptsetup luksOpen /dev/sdXY luks-partition --key-file /tmp/luks-key
Maybe here you can find more info on how to hack initrd.
Anyway, if you have success so far
Code:
find . | cpio -o -H newc | gzip > /boot/initrd-new.gz
now make GRUB use the initrd-new.gz
Code:
edit /boot/grub/grub.cfg
Reboot your system and see if the boot process unlocks the LUKS partition without prompting for a password.
More or less, those are the steps. But I'm sure you understand the security implications... and the risks.
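The steps above as one script, added here as an example that is not part of the original post and not the poster's own code. It assumes tpm2-tools 5.x command syntax (NV index as a positional argument, -C o for owner-hierarchy auth), the NV index 0x1500016 from the post, that ldd is available on the build host to resolve shared libraries (the "idk" step), and a LUKS device path supplied by the caller (the /dev/sdXY placeholder is kept). enroll_key needs root and a real TPM 2.0 and is only shown; copy_with_deps and write_unlock_hook work on any unpacked initramfs tree. The generated hook only calls cryptsetup with the key file if the NV read returned the full 32 bytes, otherwise it falls back to the normal passphrase prompt, and it removes the plaintext key right after the unlock.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes tpm2-tools 5.x and
# an unpacked initramfs tree; NV index 0x1500016 is the one used in the post.
set -eu

NV_INDEX=0x1500016
KEY_SIZE=32

# Enrollment on the running system: random key, add it as a LUKS keyslot,
# define an owner-auth NV index and write the key into it. Needs root and
# a TPM 2.0, so it is not exercised by the test.
enroll_key() {
    dev=$1; key=/root/luks-key
    umask 077                      # key file must be root-only from creation
    dd if=/dev/urandom of="$key" bs="$KEY_SIZE" count=1 status=none
    cryptsetup luksAddKey "$dev" "$key"
    tpm2_nvdefine "$NV_INDEX" -C o -s "$KEY_SIZE" -a "ownerwrite|ownerread"
    tpm2_nvwrite "$NV_INDEX" -C o -i "$key"
}

# Copy a binary plus every shared library ldd resolves for it into the
# unpacked initramfs at $root, keeping the original paths. Lines from ldd
# look like "libX.so => /path/libX.so (0x...)" or "/lib64/ld-linux... (0x...)".
copy_with_deps() {
    bin=$1; root=$2
    mkdir -p "$root$(dirname "$bin")"
    cp -L "$bin" "$root$bin"
    command -v ldd >/dev/null 2>&1 || return 0   # assumption: glibc-style ldd
    ldd "$bin" 2>/dev/null | awk '$2 == "=>" {print $3} $1 ~ /^\// {print $1}' |
    while read -r lib; do
        [ -f "$lib" ] || continue                # skips "not found" and vdso
        mkdir -p "$root$(dirname "$lib")"
        cp -L "$lib" "$root$lib"
    done
}

# Write the boot-time unlock hook. $dev is baked in at generation time;
# everything escaped with \$ is evaluated inside the initramfs at boot.
write_unlock_hook() {
    dest=$1; dev=$2
    mkdir -p "$(dirname "$dest")"
    cat > "$dest" <<EOF
#!/bin/sh
# Generated unlock hook (added example). Runs inside the initramfs.
KEYFILE=/tmp/luks-key
if tpm2_nvread $NV_INDEX -C o -s $KEY_SIZE -o "\$KEYFILE" 2>/dev/null &&
   [ "\$(wc -c < "\$KEYFILE")" -eq $KEY_SIZE ]; then
    cryptsetup luksOpen "$dev" luks-partition --key-file "\$KEYFILE"
    rm -f "\$KEYFILE"   # plaintext key must not outlive the unlock
else
    echo "TPM key unavailable, falling back to passphrase" >&2
    cryptsetup luksOpen "$dev" luks-partition
fi
EOF
    chmod 0700 "$dest"
}
```

Usage on the build host, after gunzip/cpio have unpacked the initrd into ./initrd: `copy_with_deps /usr/bin/tpm2_nvread ./initrd`, `copy_with_deps /sbin/cryptsetup ./initrd`, then `write_unlock_hook ./initrd/scripts/unlock-luks.sh /dev/sdXY` and repack with the find/cpio/gzip line from the post. With "ownerwrite|ownerread" and an empty owner password, anyone who is root on the booted system can run the same tpm2_nvread, which is exactly the rootkit case above; tpm2_nvdefine also accepts -L with a policy digest (built with tpm2_createpolicy --policy-pcr) so the read is tied to PCR values instead, but that is beyond what the post does and is not shown here.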