
In recent years, TPM 2.0 modules have gone from being a hardware mystery to a common part of any modern computer with UEFI and Secure Boot. This article explains what /dev/tpm0 and /dev/tpmrm0 are and how to use tpm2_pcrread and tpm2_pcrextend (the actual command name in tpm2-tools), and shows how they fit into measured boot, disk encryption, and signed PCR policies on Linux.
Useful documentation exists, but it is scattered across systemd man pages, wiki entries, and very dense posts. Here we gather the key information (PCRs, practical examples, risks, and defenses) so that technical people, even if they are not TPM specialists, can work with these tools without getting lost in obscure details.
What TPM 2.0 is and why you should care
A Trusted Platform Module is a security chip that lives on your motherboard (or inside the CPU as fTPM/Intel PTT) and acts as a secure store, a random number generator, and the system's root of trust. It is passive: if you don't use it, it does nothing. When you integrate it into your boot flow and disk encryption, however, it provides integrity verification and hardware-protected keys.
In practice, a TPM 2.0 lets you implement two main usage modes for disk encryption: a) generate/store a strong key and protect its use with a PIN and an anti-brute-force lockout; b) enable so-called measured boot, where each boot component is measured into the PCR registers, so the key is "unsealed" only if the system has not been modified (optionally combined with a pre-boot PIN).
/dev/tpm0 and /dev/tpmrm0: differences and when to use each
On Linux you will see two character devices when a TPM 2.0 is present. /dev/tpm0 is the "raw" TPM interface, while /dev/tpmrm0 exposes access through the Resource Manager (a manager that multiplexes clients and handles sessions and resources), and it is the one tpm2-tools recommends in most cases.
If you are not sure whether a TPM is present, you can check on the running system. If /sys/class/tpm/ is empty or the command from the wiki returns nothing, no TPM is visible: it may be physically absent or disabled in the firmware.
# Is there a TPM 2.0?
ls /sys/class/tpm/
cat /sys/class/tpm/tpm*/tpm_version_major
# Device nodes
ls -l /dev/tpm*
When both device nodes are present, tpm2-tools usually detects /dev/tpmrm0 and uses it automatically. If you need to force a device, most of the tools accept --tcti or honor the TCTI environment variables, but for ordinary operations this is rarely necessary.
TPM PCRs: how they work and what they measure
Platform Configuration Registers are registers that hold hashes (usually SHA-256) of the state of critical components at each boot stage. They are initialized to zero on a power cycle and can only be "extended": never rewritten or erased (except for debug cases such as PCR 16).
The fundamental operation is the extension: new_value = SHA256(current_value || SHA256(data)). This is how measurements are chained together without allowing an opportunistic reset. The same pattern is used to measure the firmware, the configuration, Secure Boot, the kernel, the initrd, and the kernel parameters, among other things.
On modern hardware you will see 24 PCRs (0–23). The most relevant for UEFI boot with systemd are:
- PCR 0: firmware code.
- PCR 1: firmware configuration (UEFI settings).
- PCR 7: Secure Boot state and the certificates you trust.
- PCR 9: initrd(s) measured by the kernel.
- PCR 11: UKI (Unified Kernel Image) and phase marks via systemd-stub/systemd-pcrphase.
- PCR 12: kernel command line.
Reading and extending PCRs with tpm2-tools: tpm2_pcrread and tpm2_pcr_extend
In tpm2-tools, reading is done with tpm2_pcrread and extending with tpm2_pcrextend. You will sometimes see "tpm2_pcr_extend" used as the name of the conceptual extend operation, but the actual command in the suite is tpm2_pcrextend.
Inspecting the current state of the SHA-256 PCRs is as simple as this:
# Read PCRs in the SHA-256 bank (examples of commonly used indexes)
sudo tpm2_pcrread sha256:0,1,7,9,11,12
# Or all available SHA-256 PCRs
tpm2_pcrread sha256:all
To extend a PCR with the hash of arbitrary data (as a pedagogical example, the hash of /etc/passwd), compute the SHA-256 and extend the PCR with it. Remember: the TPM does not receive the bulk data, only its hash, because of size limits and by design.
# 1) Save the hash of /etc/passwd
echo -n $(sha256sum /etc/passwd | cut -d' ' -f1) > passwd.sha
# 2) Extend PCR 7 (example) with that hash; the new value stays until the next power cycle
sudo tpm2_pcrextend 7:sha256=$(cat passwd.sha)
# 3) Look at the new value of PCR 7
tpm2_pcrread sha256:7
If you want to reproduce the extend math outside the TPM, concatenate the current PCR value (in binary) with the new hash and apply SHA-256 again to check the result.
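The extend arithmetic described above, replayed in software as an added Python example (not code from the original article): it chains constructed measurements the way tpm2_pcrextend does and compares the result with reported values such as tpm2_pcrread output. The sample log, the function names, and the choice of PCRs 16 and 23 are assumptions made for illustration.

```python
import hashlib

PCR_SIZE = 32                 # bytes per register in the SHA-256 bank
ZERO = "00" * PCR_SIZE        # value assumed at power-on for the PCRs used here


def measure(data: bytes) -> str:
    """What sha256sum yields for a file: the digest handed to tpm2_pcrextend."""
    return hashlib.sha256(data).hexdigest()


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """One extend step: new_value = SHA256(current_value || digest)."""
    if len(current) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("the SHA-256 bank works on 32-byte values")
    return hashlib.sha256(current + digest).digest()


def replay(events) -> dict:
    """Replay (pcr_index, digest_hex) events in order; return {index: hex value}."""
    bank = {}
    for index, digest_hex in events:
        current = bytes.fromhex(bank.get(index, ZERO))
        bank[index] = pcr_extend(current, bytes.fromhex(digest_hex)).hex()
    return bank


def mismatches(events, reported: dict) -> list:
    """Indexes whose reported value differs from what the log replays to."""
    expected = replay(events)
    return sorted(
        index for index, value in reported.items()
        if expected.get(index, ZERO) != value.lower().removeprefix("0x")
    )


# Constructed sample log; the measured data are placeholders, not real files.
SAMPLE_LOG = [
    (16, measure(b"root:x:0:0:root:/root:/bin/sh\n")),   # stand-in for /etc/passwd
    (16, measure(b"second measurement")),
    (23, measure(b"unrelated register")),
]

if __name__ == "__main__":
    bank = replay(SAMPLE_LOG)
    for index in sorted(bank):
        print(f"PCR {index:2d}: 0x{bank[index].upper()}")
    # Same two events in the opposite order give a different PCR 16.
    print("order matters:", replay(SAMPLE_LOG[1::-1])[16] != bank[16])
```
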
Can a PCR be reset?
Under normal conditions, no. The philosophy is that a PCR only grows through extensions. There is one exception: PCR 16 is usually reserved for "debug" and can be reset in certain flows, but it is of no use as a security root for your policy.
Measured Boot, LUKS, and systemd-cryptenroll: putting the pieces together
When you integrate the TPM into your disk encryption, you can "bind" the unlock key to a set of PCRs. If on the current boot those PCRs hold the same values as when you enrolled the key, the TPM unseals it and the LUKS volume opens automatically (with or without a pre-boot PIN, depending on your configuration).
This is done conveniently with systemd-cryptenroll and systemd-cryptsetup. The idea is to create your volume, enroll a TPM key, and add a recovery key so that you are not locked out if the measurements change (for example, after a firmware or kernel update).
# Example: create LUKS, enroll the TPM, and add a recovery key (pseudo-flow)
# 1) Create the volume with a temporary password
sudo cryptsetup luksFormat /dev/nvme0n1p2
# 2) Enroll the TPM in LUKS using specific PCRs and a PIN
sudo systemd-cryptenroll \
  --tpm2-device=auto \
  --tpm2-with-pin=yes \
  --tpm2-pcrs=1+2+3+4 \
  --wipe-slot=empty \
  /dev/nvme0n1p2
# 3) Add a random recovery key
sudo systemd-cryptenroll --recovery-key /dev/nvme0n1p2
# 4) Open with the TPM, or with the recovery key when needed
# (systemd-cryptsetup is usually installed under /usr/lib/systemd/, not on PATH)
sudo /usr/lib/systemd/systemd-cryptsetup attach root /dev/nvme0n1p2 - tpm2-device=auto
If you force a mismatch (for example, by deliberately extending PCR 4), the TPM will no longer release the key and you will have to use the recovery key. You can then re-enroll the TPM against the new current values using --wipe-slot=tpm2 and another run of systemd-cryptenroll.
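Why one extra extension blocks the unlock, as an added Python example (not systemd's code and not from the original article): it computes the digest that TPM2_PolicyPCR yields for a PCR selection, following the TPM 2.0 specification, and compares it before and after extending PCR 4. The PCR values are constructed, would_unseal and after_extend are hypothetical helpers, and only a PCR-only policy is modeled (no PIN, no signed policy).

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F   # command code of TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B


def pcr_selection(indexes) -> bytes:
    """Marshal a one-bank TPML_PCR_SELECTION: count, hash alg, bitmap size, bitmap."""
    bitmap = bytearray(3)                      # 24 PCRs -> 3 bytes, bit i = PCR i
    for i in indexes:
        if not 0 <= i <= 23:
            raise ValueError(f"no such PCR: {i}")
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(pcrs: dict, indexes) -> bytes:
    """policyDigest after one TPM2_PolicyPCR on a fresh policy session."""
    selected = sorted(set(indexes))
    # Hash of the selected PCR values, concatenated in ascending index order.
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in selected)).digest()
    old = bytes(32)                            # a new session starts at all zeros
    return hashlib.sha256(
        old + struct.pack(">I", TPM_CC_POLICY_PCR) + pcr_selection(selected) + pcr_digest
    ).digest()


def would_unseal(enrolled_policy: bytes, pcrs: dict, indexes) -> bool:
    """The TPM releases the key only if the session digest equals the stored policy."""
    return policy_pcr_digest(pcrs, indexes) == enrolled_policy


def after_extend(pcrs: dict, index: int, data: bytes) -> dict:
    """Copy of the bank with one PCR extended: SHA256(current || SHA256(data))."""
    changed = dict(pcrs)
    changed[index] = hashlib.sha256(pcrs[index] + hashlib.sha256(data).digest()).digest()
    return changed


# Constructed bank standing in for the PCR values present at enrollment.
ENROLL_PCRS = {i: hashlib.sha256(b"constructed PCR %d" % i).digest() for i in range(24)}
BOUND = [1, 2, 3, 4]                           # same selection as --tpm2-pcrs=1+2+3+4
ENROLLED_POLICY = policy_pcr_digest(ENROLL_PCRS, BOUND)

if __name__ == "__main__":
    print("same boot state :", would_unseal(ENROLLED_POLICY, ENROLL_PCRS, BOUND))
    print("PCR 4 extended  :",
          would_unseal(ENROLLED_POLICY, after_extend(ENROLL_PCRS, 4, b"lab"), BOUND))
    print("PCR 9 extended  :",
          would_unseal(ENROLLED_POLICY, after_extend(ENROLL_PCRS, 9, b"lab"), BOUND))
```
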
Which PCRs to choose and why
The more relevant PCRs you bind, the more you reduce the attack surface, but the more often you will have to re-enroll after legitimate changes. Some practical criteria:
- PCR 7 (Secure Boot): should be very stable as long as your keys do not change.
- PCR 0/1 (firmware and configuration): these rarely change; they require re-enrollment after a firmware update or a BIOS/UEFI change.
- PCR 9/11/12 (kernel, initrd, UKI, and cmdline): these change frequently unless you use a UKI or a stable signature/policy.
Some environments bind only PCR 7, relying on Secure Boot to validate the kernel and initrd when they are booted as a signed UKI through systemd-boot, which does not allow kernel parameters to be edited while Secure Boot is active. That works, but if your Secure Boot depends on third-party keys (such as Microsoft 3rd Party), it is easy to arrange an alternative boot that preserves PCR 7, so it is not the strictest option.
UKI and signed PCR policies: stability without losing security
A practical way to avoid re-enrolling every time you update the kernel is to use a UKI (Unified Kernel Image) with a signed PCR policy. You generate a key pair, bind the public key to the TPM at enrollment, and sign your UKI after each update. The TPM trusts that signature and allows the unlock even though the specific kernel hash changes.
The systemd-measure tool and the systemd-ukify helper make this easy: ukify packages the kernel, initrd, and cmdline into the UKI (usually measured into PCR 11) and systemd-measure signs the policy. With mkinitcpio, ukify can be integrated so that the signing happens automatically after installation.
# Typical scheme (pseudo-commands)
# 1) Create the keys for the signed PCR policy
openssl genpkey -algorithm RSA -out /etc/kernel/pcr-initrd.key.pem -pkeyopt rsa_keygen_bits:3072
# --tpm2-public-key= expects a PEM-encoded RSA public key, so export it from the private key
openssl rsa -pubout -in /etc/kernel/pcr-initrd.key.pem -out /etc/kernel/pcr-initrd.pub.pem
# 2) Configure ukify/mkinitcpio to build the UKI and sign the policy
# (see man ukify and systemd-measure for the parameters)
# 3) Enroll in LUKS, binding the PCRs and the policy's public key
sudo systemd-cryptenroll \
  --tpm2-device=auto \
  --wipe-slot=tpm2 \
  --tpm2-with-pin=yes \
  --tpm2-pcrs=0+1+2+7 \
  --tpm2-public-key=/etc/kernel/pcr-initrd.pub.pem \
  --tpm2-public-key-pcrs=11 \
  /dev/nvme0n1p2
This way, your policy stays stable across kernel/initrd changes as long as you keep signing the UKI with your key. If you rotate the keys or change your PCR set, you will have to re-enroll.
Examples of measurement chains with systemd
During boot, systemd-stub and systemd-pcrphase extend PCRs at specific moments. For example, "enter-initrd" is recorded in PCR 11, which allows an unlock to be valid only inside the initrd (reducing the vectors where an attacker tries to reuse the key later).
On systems with a UKI, the UKI contents are measured into PCR 11; on systems without a UKI, the kernel measures the initrd(s) into PCR 9 and the bootloader may measure the cmdline into PCR 12. Make sure your policy covers the initrd and the cmdline, or someone could backdoor the initrd or boot with a malicious cmdline such as init=/bin/bash.
Real risks: cold boot, TPM sniffing, and more
What can go wrong? There are several things to keep in mind when modeling threats. Cold boot attacks are still viable: if unlocking is fully automatic, an attacker can repeat attempts without limit. The clear mitigation is to require a pre-boot PIN (PBA), which reduces the attempts to one per power cycle.
Another category is sniffing attacks on the TPM bus. The CPU requests the key and the TPM sends it; if the link is tapped, the key can leak. To address this, systemd implements "parameter encryption" so that the exchange is encrypted; alternatively, using an fTPM/Intel PTT or encrypted memory reduces the exposure. There are relatively accessible public demonstrations (even with microcontrollers) showing that this is feasible on laptops from major brands.
There are also academic and practical vulnerabilities: TPM-Fail, faulTPM (with notable impact on AMD), and the bitpixie case (CVE-2023-21563). This does not mean the TPM is useless, but you need to keep your firmware up to date, understand your threat model, and not trust it blindly.
BitLocker's posture against these threats
In the Windows world, the most widely used disk encryption is BitLocker. It has been noted that its default configuration (automatic unlock with the TPM only) leaves the door open to both cold boot and TPM channel sniffing, since it does not implement systemd-style parameter encryption. This makes certain corporate computers attackable in just a few minutes.
The current recommendation is to enable pre-boot authentication through policies/registry or the CLI, something that is not sufficiently exposed to the average user. Also remember to check where the recovery key is stored: it often ends up in the user's Microsoft account, which is another risk angle if it is not controlled.
Offensive/defensive trick: swapping the LUKS root to force a password prompt
There is an interesting vector when there is no pre-boot authentication. An attacker can clone the real LUKS partition, replace it with another LUKS volume that has the same UUID and a passphrase they know, and boot the computer. Since the PCR measurements match, the TPM releases the key, but it does not fit the fake LUKS volume, so the initrd falls back to asking for the "recovery" key. Once the passphrase known to the attacker is entered, their system runs as root in the initrd, and they can now orchestrate the theft of the original key (for example, by mounting the real copy over a network share and using systemd-cryptsetup).
Clear mitigations: enable pre-boot authentication, leverage systemd-pcrphase to bind the unlock strictly to the initrd phase, and consider measuring/binding the target LUKS volume as well (this requires careful design to avoid vicious circles).
Partitioning choices and a second key: best practice
Keeping a recovery key is mandatory: if the TPM or the motherboard dies, your TPM-bound key is useless. LUKS allows multiple slots (the TPM uses one, recovery uses another). In addition, separating the / and /home partitions has advantages: you can apply strict measurement with the TPM to / and use a strong key or a FIDO2/YubiKey device for /home, reducing the overall dependence on a single mechanism.
What happens when you update the firmware or the kernel?
If you change the firmware or touch UEFI options, PCRs such as 0/1 will change and the TPM will not release the key until you re-enroll. For the kernel and initrd, changes are frequent. If you do not use a UKI with a signed policy, each update may force you to use the recovery option and re-enroll afterwards. With a signed UKI, you sign it and that is it.
Community notes and observations
Some popular guides for certain distributions have recommended binding only PCR 7 whenever you use a UKI and systemd-boot, relying on Secure Boot's safeguards and the inability to edit the cmdline. It works, but there are risks if you depend on third parties. A bug has also been documented in the past where pressing Enter would produce a recovery shell after unlocking; it is a good idea to keep your versions updated to avoid surprises.
Interesting comments shared in 2025/06: faulTPM continues to affect AMD to some extent; wikis have added specific sections on signed PCR policies; and a distribution installer that offers FDE with TPM as an experimental feature was tested, with some practical hiccups (requiring recovery on first boot, dependence on snaps, double disk encryption), a matter that deserves a deeper audit.
A follow-up focused on disk encryption in Windows was published in 2025/07. The overall conclusion reinforces the need for PBA and for encrypting the TPM channel, as well as limiting the dependence on third-party keys in Secure Boot.
Operational tips with tpm2-tools and systemd
For day-to-day use: install tpm2-tools and tpm2-tss. Use /dev/tpmrm0 by default, and tpm2_pcrread/tpm2_pcrextend to test and experiment with PCRs. Avoid extending production PCRs with arbitrary data: do that in labs or use PCR 16 for testing.
When enrolling with systemd-cryptenroll: --tpm2-device=auto detects the TPM; --tpm2-with-pin adds PBA; --tpm2-pcrs=… selects your PCRs; --tpm2-public-key=… and --tpm2-public-key-pcrs=… enable a signed PCR policy (for example, bound to PCR 11 for the UKI). Don't forget --wipe-slot when you want to clean up a previous slot.
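An audit of an enrolled volume against the choices this article discusses (pre-boot PIN, PCR coverage, recovery slot), as an added Python example that is not part of the original article or of systemd. It assumes the LUKS2 metadata JSON printed by cryptsetup luksDump --dump-json-metadata and the field names of the systemd-tpm2 token; both sample documents and the finding labels are constructed.

```python
import json

# Constructed samples shaped like `cryptsetup luksDump --dump-json-metadata` output.
WEAK = json.loads("""{
  "keyslots": {"0": {"type": "luks2"}},
  "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["0"],
                   "tpm2-pcrs": [7], "tpm2-pcr-bank": "sha256", "tpm2-pin": false}}
}""")
HARDENED = json.loads("""{
  "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
  "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["0"],
                   "tpm2-pcrs": [0, 1, 2, 7], "tpm2-pcr-bank": "sha256",
                   "tpm2-pin": true, "tpm2_pubkey_pcrs": [11]},
             "1": {"type": "systemd-recovery", "keyslots": ["1"]}}
}""")

BOOT_PAYLOAD_PCRS = {9, 11, 12}   # initrd, UKI, kernel command line


def audit(metadata: dict) -> list:
    """Return finding labels for the TPM2 enrollment described by LUKS2 metadata."""
    tokens = list(metadata.get("tokens", {}).values())
    tpm_tokens = [t for t in tokens if t.get("type") == "systemd-tpm2"]
    if not tpm_tokens:
        return ["no-tpm2-token"]
    findings = []
    tpm_slots = {slot for t in tpm_tokens for slot in t.get("keyslots", [])}
    if not set(metadata.get("keyslots", {})) - tpm_slots:
        # Every keyslot depends on the TPM: a dead TPM or board locks you out.
        findings.append("no-recovery-slot")
    for t in tpm_tokens:
        literal = set(t.get("tpm2-pcrs", []))         # values fixed at enrollment
        signed = set(t.get("tpm2_pubkey_pcrs", []))   # covered by a signed PCR policy
        if not t.get("tpm2-pin", False):
            findings.append("no-preboot-pin")
        if not (literal | signed) & BOOT_PAYLOAD_PCRS:
            # Nothing ties the unlock to the initrd or the kernel command line.
            findings.append("initrd-cmdline-unbound")
        if literal & BOOT_PAYLOAD_PCRS:
            # Literal binding of 9/11/12 breaks on each kernel or initrd update.
            findings.append("reenroll-on-kernel-update")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {audit(sample) or 'no findings'}")
```

To run it against a real volume, feed it json.load() of the luksDump output instead of the samples.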
If you have no TPM and systemd makes you wait at boot
Sometimes, after an update, a service tries to use the TPM even though your machine has none visible, which causes timeouts at boot. First check that no /dev/tpm* node appears and that there are no entries in /sys/class/tpm.
# Quick check
ls /dev/tpm*
ls /sys/class/tpm/
If there is no TPM, check that your /etc/crypttab has no options such as tpm2-device=auto. If it does, remove them and rebuild your initrd. You can also disable the measurement phase on machines without a TPM:
# 1) Remove TPM references from /etc/crypttab and regenerate the initrd
sudo mkinitcpio -P # (or dracut/rebuildinitrd depending on the distro)
# 2) Prevent the TPM modules from loading if the firmware advertises something odd
echo -e "blacklist tpm\nblacklist tpm_tis\nblacklist tpm_crb" | sudo tee /etc/modprobe.d/no-tpm.conf
# 3) Optional: skip pcrphase if it gives you trouble
sudo systemctl mask systemd-pcrphase.service
This eliminates unnecessary waits if your hardware has no TPM. If you later enable the TPM in the BIOS/UEFI, remove the blacklist and unmask the unit to restore the measurements.
Good practices and trust decisions
Some people are wary of the TPM because it is a "black box," like self-encrypting drives. That is reasonable skepticism. Evaluate your threat model and balance usability, privacy, and maintenance. For many people, TPM + PBA + signed UKI is a big security gain without excessive friction.
On hardware that allows it, add encrypted memory and avoid relying on third-party keys in Secure Boot; restrict the chain to your own keys when possible. Keep the firmware and kernel updated so that you pick up mitigations for published vulnerabilities.
Mastering /dev/tpm0, /dev/tpmrm0, and the tpm2_pcrread/tpm2_pcr_extend operations opens the door to measured boot and robust disk encryption on Linux; with a UKI and a signed PCR policy you gain operational stability, and adding a pre-boot PIN also protects you against the more practical attacks. The key is to choose your PCRs well, sign whatever changes frequently, and always keep a good recovery key.