I tried this guide to enable tpm2 unlock, but it didn't work for me.
I also searched the forum for other tpm2 posts but wasn't able to find a solution.
configuration.nix, hardware-configuration.nix, secure-boot.nix
The command I used to enroll was:
```
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1ps
```
Relevant sections:
```nix
boot.initrd.availableKernelModules = [ "tpm_tis" "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.systemd.enable = true;
boot.initrd.systemd.enableTpm2 = true;
security.tpm2.enable = true;
```
```nix
{ pkgs, lib, ... }:
{
  environment.systemPackages = with pkgs; [
    # For debugging and troubleshooting Secure Boot.
    sbctl
    # This is needed to auto-unlock LUKS with TPM 2 - https://discourse.nixos.org/t/full-disk-encryption-tpm2/29454/2
    tpm2-tss
  ];

  boot = {
    loader = {
      # Lanzaboote currently replaces the systemd-boot module.
      # This setting is usually set to true in configuration.nix
      # generated at installation time. So we force it to false
      # for now.
      systemd-boot.enable = lib.mkForce false;
      efi.canTouchEfiVariables = true;
      timeout = 1;
    };

    lanzaboote = {
      enable = true;
      pkiBundle = "/etc/secureboot";
    };

    # This is needed to auto-unlock LUKS with TPM 2 - https://discourse.nixos.org/t/full-disk-encryption-tpm2/29454/2
    initrd.systemd.enable = true;
  };
}
```
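As an added example (not the poster's configuration or anything from the linked guide), here are the declarative NixOS pieces that tie a TPM2 enrollment to the systemd initrd's unlock step; it assumes a LUKS container named `cryptroot` and uses a placeholder UUID that has to be replaced with the real one from `hardware-configuration.nix`.

```nix
# Added example: NixOS module for TPM2 auto-unlock of a LUKS2 root.
# Assumptions: the LUKS mapping is called "cryptroot" and the UUID below
# is a placeholder, not a value from the original post.
{ ... }:
{
  # The systemd-based initrd is required; the legacy script initrd
  # has no TPM2 token support.
  boot.initrd.systemd.enable = true;
  boot.initrd.systemd.enableTpm2 = true;

  # The TPM driver must be present inside the initrd, not only in the
  # booted system, or systemd-cryptsetup finds no device to unseal with.
  boot.initrd.availableKernelModules = [ "tpm_tis" "tpm_crb" ];

  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID"; # placeholder
    # Passed through to the generated crypttab: tells systemd-cryptsetup
    # to look for the systemd-tpm2 token that systemd-cryptenroll wrote
    # into the LUKS2 header and to try it before prompting for a passphrase.
    crypttabExtraOpts = [ "tpm2-device=auto" ];
  };
}
```

Because the enrollment on this page binds the key to PCRs 0 and 7, a firmware update or a change to the Secure Boot key set will invalidate the sealed key and drop you back to the passphrase prompt, so keep a passphrase keyslot enrolled alongside the TPM2 one.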