As part of a new homeserver build I plan to finish this year, I wanted to look into where the ecosystem is regarding LUKS volumes unlocked by the TPM. This was sparked by how seamless it was when I set up my Framework last year.
I gave myself a few conditions this setup should meet. The first one is Secure Boot: it's 2025, I should be able to do this by now, and I have also become aware of tooling that makes it easier. I would like the setup to use sd-boot (systemd-boot), for no particular reason other than to try something other than GRUB. If I can fulfil these, a UKI (unified kernel image) could be an additional implementation detail.
I decided to use Ubuntu for this. Ubuntu 24.04 supports setting up LUKS on root as part of its installer, and I used that for the initial LUKS setup.
The dependency chain for libtss2-esys does not include the sysusers.d fragment needed to create the tss account in the initramfs. This should have been resolved in this commit, but I can only assume the configure script as used by Debian/Ubuntu is not set up to output these files (which Arch has done). Therefore we have to grab this manually.
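To make "grab this manually" concrete, here is a small POSIX shell helper, added here as an example rather than code from the post, the tpm2-tss project or its Debian packaging. It checks a sysusers.d directory for a `u tss` entry and, if none is present, writes a minimal fragment in the format systemd-sysusers(8) expects. The fragment name `tpm2-tss.conf`, the description string, and the demo directory are assumptions; on a real system the fragment would go under `/usr/lib/sysusers.d/` before the initramfs is regenerated.

```shell
#!/bin/sh
# Added example (not from the original post): detect and supply the sysusers.d
# fragment that creates the "tss" account, so an initramfs that ships sysusers.d
# fragments can create the user at boot. The file name tpm2-tss.conf and the
# description text are assumptions, not the packaging's own choices.

# Print "yes" if any *.conf fragment under $1 declares a user named tss, else "no".
# sysusers.d line format: "u <name> <uid> <gecos> <home> <shell>", '#' starts a comment.
tss_defined() {
    dir="$1"
    if [ -d "$dir" ] && \
       grep -hsE '^[[:space:]]*u[[:space:]]+tss([[:space:]]|$)' "$dir"/*.conf >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
    return 0
}

# Write a minimal fragment into $1. A single 'u' line is enough: systemd-sysusers
# creates a matching "tss" group for a 'u' entry, and the '-' UID lets it be
# allocated from the system range instead of hard-coding a number.
write_tss_sysusers() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' \
        '# tss account for the TPM2 software stack (assumed fragment; added example)' \
        'u tss - "TPM2 software stack" - -' \
        > "$dir/tpm2-tss.conf"
}

# Demo on a constructed, throw-away tree, never on the real /usr/lib/sysusers.d.
demo_dir=$(mktemp -d)
printf 'u other - "unrelated example user" - -\n' > "$demo_dir/other.conf"
echo "before: tss defined? $(tss_defined "$demo_dir")"
if [ "$(tss_defined "$demo_dir")" = no ]; then
    write_tss_sysusers "$demo_dir"
fi
echo "after:  tss defined? $(tss_defined "$demo_dir")"
rm -rf "$demo_dir"
```

After placing the fragment under `/usr/lib/sysusers.d/` on the real system, regenerate the initramfs and confirm the fragment actually made it in (for example by listing the image with `lsinitramfs` or `lsinitrd`, whichever matches the generator in use); whether the generator copies sysusers.d fragments at all depends on the generator and its enabled modules, so that listing is the check worth doing before rebooting.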