Description
A simple validation test case for Clevis on Fedora IoT Edition. This test will require hardware with a Trusted Platform Module (TPM) or a virtual machines with an emulated TPM (you will need to install swtpm, swtpm-tools).
Setup
Install a system with an encrypted root filesystem. See this testcase for further details.
If using a virtual machine you will need to install swtpm and swtpm-tools on the host.
sudo dnf install swtpm swtpm-tools
Using virt-manager add the TPM to the the virtual machine, selecting the default TPMv2. If the host system offers a hardware TPM you can also use that but it is not required for this test case.
How to test
Verify decryption is working via TPM2
echo foo | clevis encrypt tpm2 '{}' | clevis decrypt
Get the UUID of the encrypted device
UUID=$(lsblk | grep luks | sed 's/^.*luks-//' | cut -d ' ' -f1) DEV=$(blkid --uuid $UUID)
Check encryption details of the device
cryptsetup luksDump $DEV
Verify the passphrase before setting
cryptsetup luksOpen --test-passphrase --key-slot 0 $DEV && echo correct
Setup Clevis to decrypt via TPM2 on boot
clevis luks bind -f -k- -d $DEV tpm2 '{}' <<< $YOUR_PASSPHRASE
Reboot the system and see if it is booted without user intervention.
Results
- The installed system should boot to log in without needing the passphrase for the encrypted filesystem.