Add TPM cryptenroll instructions

Add instructions for using tpm2 and fido2 to unlock a drive in linux.
Also include systemd service for auto-enrolling the key after a hardware
change.

framework_fedora.md

@@ -45,19 +45,20 @@ cat /etc/dnf/dnf.conf
 hostnamectl set-hostname ducolaptop
 ```
 
-## BTRFS Optimizations
+## BTRFS
+
+Make sure you enable fstrim
 
 ```bash
-sudo vim /etc/fstab
-# subvol=root,x-systemd.device-timeout=0,ssd,noatime,space_cache,commit=120,compress=zstd,discard=async 0 0
-# subvol=home,x-systemd.device-timeout=0,ssd,noatime,space_cache,commit=120,compress=zstd,discard=async 0 0
-
-sudo vim /etc/crypttab
-# luks-fcc669e7-32d5-43b2-ba03-2db6a7f5b33d UUID=fcc669e7-32d5-43b2-ba03-2db6a7f5b33d none discard
-
 sudo systemctl enable fstrim.timer
 ```
 
+If you mount your disk at /mnt/btr_pool you can see the usage for each volume with:
+
+```bash
+btrfs filesystem du -s /mnt/btr_pool/*
+```
+
 ## Install updates
 
 ```bash
@@ -402,26 +403,76 @@ options =
 writeback-device = /dev/zvol/tarta-zoot/swap-writeback
 ```
 
-## Automatic Disk Decryption with TPM2
+## TPM LUKS
+
+### Automatic Disk Decryption with TPM2
 
 https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95
 
 ```bash
-# Add decryption key to tpm. 
-systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/nvme0n1p3
+# Add decryption key to tpm.
+# For machines where prioritizing a secure boot environment is important we need to
+# specify --tpm2-pcrs=0+7 -- 0 meaning the firmware has not changed and 7 meaning
+# secure boot is enabled
+systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7
 
-# Wipe old keys and enroll new key. You have to execute this command again after a kernel upgrade.
-systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7
+# For machines where prioritizing auto-unlock is more important (think desktop PCs where
+# you might sell or give away the drive at the end of its life) You can leave tpm2-pcrs
+# empty with the understanding that an attacker could modify the boot environment and
+# your disk will automatically unlock.
+systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=""
 
 # Add tpm2 configuration option to /etc/crypttab
 luks-$UUID UUID=disk-$UUID none tpm2-device=auto,discard
 
-# Add rd.luks.options=tpm2-device=auto to grub
-grubby --args="rd.luks.options=tpm2-device=auto" --update-kernel=ALL
+# Add tpm2-tss to dracut
+# Edit /etc/dracut.conf.d/tpm2.conf
+add_dracutmodules+=" tpm2-tss "
 
 dracut -f
 ```
 
+### Automatic Disk Decryption with Fido2
+
+```bash
+# Add decryption key to fido device.
+systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=fido2 --fido2-device=auto
+
+# Add tpm2 configuration option to /etc/crypttab
+luks-$UUID UUID=disk-$UUID none fido2-device=auto,discard
+
+# Add fido2 to dracut
+# Edit /etc/dracut.conf.d/fido2.conf
+add_dracutmodules+=" fido2 "
+
+dracut -f
+```
+
+### Re-enroll on boot
+
+After booting and unlocking your drive you can set up a systemd service to automatically
+re-enroll your keys so you don't have to remember to run "systemd-cryptenroll" every
+time something changes.
+
+1. Generate a 64+ character random password with the generator of your choosing
+2. `cryptsetup luksAddKey /dev/nvme0n1p3` paste in your password when it asks for it
+3. vim /etc/systemd/system/systemd-cryptenroll-tpm2-autoenroll.service
+
+    ```conf
+    [Unit]
+    Description=Automatically runs systemd-cryptenroll on login
+
+    [Service]
+    Type=oneshot
+    ExecStart=/usr/bin/systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7
+    Environment=PASSWORD='PUT GENERATED PASSWORD HERE'
+
+    [Install]
+    WantedBy=multi-user.target
+    ```
+
+4. `systemctl enable systemd-cryptenroll-tpm2-autoenroll`
+
 ## Firefox GPU Rendering
 
 https://community.frame.work/t/linux-battery-life-tuning/6665