diff --git a/framework_fedora.md b/framework_fedora.md
index 6acfd60..a5fa63d 100644
--- a/framework_fedora.md
+++ b/framework_fedora.md
@@ -45,19 +45,20 @@ cat /etc/dnf/dnf.conf
 hostnamectl set-hostname ducolaptop
 ```
 
-## BTRFS Optimizations
+## BTRFS
+
+Make sure you enable fstrim
 
 ```bash
-sudo vim /etc/fstab
-# subvol=root,x-systemd.device-timeout=0,ssd,noatime,space_cache,commit=120,compress=zstd,discard=async 0 0
-# subvol=home,x-systemd.device-timeout=0,ssd,noatime,space_cache,commit=120,compress=zstd,discard=async 0 0
-
-sudo vim /etc/crypttab
-# luks-fcc669e7-32d5-43b2-ba03-2db6a7f5b33d UUID=fcc669e7-32d5-43b2-ba03-2db6a7f5b33d none discard
-
 sudo systemctl enable fstrim.timer
 ```
 
+If you mount your disk at /mnt/btr_pool you can see the usage for each volume with:
+
+```bash
+btrfs filesystem du -s /mnt/btr_pool/*
+```
+
 ## Install updates
 
 ```bash
@@ -402,26 +403,76 @@ options =
 writeback-device = /dev/zvol/tarta-zoot/swap-writeback
 ```
 
-## Automatic Disk Decryption with TPM2
+## TPM LUKS
+
+### Automatic Disk Decryption with TPM2
 
 https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95
 
 ```bash
-# Add decryption key to tpm.
-systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/nvme0n1p3
+# Add decryption key to tpm.
+# For machines where prioritizing a secure boot environment is important we need to
+# specify --tpm2-pcrs=0+7 -- 0 meaning the firmware has not changed and 7 meaning
+# secure boot is enabled
+systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7
 
-# Wipe old keys and enroll new key. You have to execute this command again after a kernel upgrade.
-systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7
+# For machines where prioritizing auto-unlock is more important (think desktop PCs where
+# you might sell or give away the drive at the end of its life) You can leave tpm2-pcrs
+# empty with the understanding that an attacker could modify the boot environment and
+# your disk will automatically unlock.
+systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=""
 
 # Add tpm2 configuration option to /etc/crypttab
 luks-$UUID UUID=disk-$UUID none tpm2-device=auto,discard
 
-# Add rd.luks.options=tpm2-device=auto to grub
-grubby --args="rd.luks.options=tpm2-device=auto" --update-kernel=ALL
+# Add tpm2-tss to dracut
+# Edit /etc/dracut.conf.d/tpm2.conf
+add_dracutmodules+=" tpm2-tss "
 
 dracut -f
 ```
 
+### Automatic Disk Decryption with Fido2
+
+```bash
+# Add decryption key to fido device.
+systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=fido2 --fido2-device=auto
+
+# Add tpm2 configuration option to /etc/crypttab
+luks-$UUID UUID=disk-$UUID none fido2-device=auto,discard
+
+# Add fido2 to dracut
+# Edit /etc/dracut.conf.d/fido2.conf
+add_dracutmodules+=" fido2 "
+
+dracut -f
+```
+
+### Re-enroll on boot
+
+After booting and unlocking your drive you can set up a systemd service to automatically
+re-enroll your keys so you don't have to remember to run "systemd-cryptenroll" every
+time something changes.
+
+1. Generate a 64+ character random password with the generator of your choosing
+2. `cryptsetup luksAddKey /dev/nvme0n1p3` paste in your password when it asks for it
+3. vim /etc/systemd/system/systemd-cryptenroll-tpm2-autoenroll.service
+
+ ```conf
+ [Unit]
+ Description=Automatically runs systemd-cryptenroll on login
+
+ [Service]
+ Type=oneshot
+ ExecStart=/usr/bin/systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7
+ Environment=PASSWORD='PUT GENERATED PASSWORD HERE'
+
+ [Install]
+ WantedBy=multi-user.target
+ ```
+
+4. `systemctl enable systemd-cryptenroll-tpm2-autoenroll`
+
 ## Firefox GPU Rendering
 
 https://community.frame.work/t/linux-battery-life-tuning/6665
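Review bot: The `Environment=PASSWORD='PUT GENERATED PASSWORD HERE'` line in the re-enroll unit puts a LUKS passphrase in cleartext into a file under /etc/systemd/system, which is readable by every local user under the usual default permissions and is also printed by `systemctl show`; move it to a root-only file by replacing that line with `EnvironmentFile=/<root-only-env-file>` (placeholder) and add a step that sets mode 0600 on it. Separately, because the unit is `WantedBy=multi-user.target` it runs `--wipe-slot=tpm2 ... --tpm2-pcrs=0+7` on every boot, so after a firmware or Secure Boot change the user unlocks manually once and the unit silently re-seals to the new PCR values — the very change the 0+7 policy is meant to make visible is never surfaced; the "Re-enroll on boot" text should say this and suggest leaving the unit disabled and running it deliberately after intended updates instead. Two wording nits in the same hunk: `Description=` says "on login" while the install target runs it at boot, and the comment above the fido2 crypttab line still reads "Add tpm2 configuration option".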