
add !tpm module #194

Merged: 1 commit merged into picodotdev:master on Apr 6, 2022

Conversation

MauroSoli (Contributor)

No description provided.

@picodotdev (Owner) commented Mar 13, 2022

Is there an Arch Linux wiki page where the tpm module and its configuration as a kernel module are documented?

@MauroSoli (Contributor, Author)

Sure: https://wiki.archlinux.org/title/Trusted_Platform_Module

"Alternatively, you can mention your TPM driver inside MODULES() of mkinitcpio.conf".

It would be great if we added TPM support (the goal could be unlocking the LUKS system partition).

@picodotdev (Owner)

I am not sure if it is necessary to use those systemd-cryptenroll commands as well, so maybe adding the tpm module is not enough, and I am not sure if it is really useful without using secure boot.

@MauroSoli (Contributor, Author)

Yes, you're right.
It's recommended to use secure boot. Both the systemd-cryptenroll and sbctl commands have to run after the first setup (a reboot is required to record the firmware fingerprint on the TPM); the steps are simple:

Enroll secure boot keys

arch-chroot /mnt sh -c 'sbctl create-keys; sbctl enroll-keys; sbctl status; sbctl verify'

Enroll the LUKS system key to the TPM

systemd-cryptenroll /dev/nvme0n1p1 --tpm2-pcrs=1+7+8 --tpm2-device=auto --wipe-slot=tpm2

But these steps require loading the tpm module in the kernel.

Thus, because Alis was not born to run scripts after the first reboot (at least I think so), it's not relevant to add the tpm module to alis.conf; we can add it manually.
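The wiki line quoted earlier in this thread ("mention your TPM driver inside MODULES() of mkinitcpio.conf") and the manual post-reboot steps above both hinge on the tpm driver being available in the initramfs before systemd-cryptenroll can unlock the LUKS partition. The following shell functions are an added example, not alis project code and not part of this PR: they add a module to the MODULES=() array of an mkinitcpio.conf idempotently and report whether the kernel currently exposes a TPM character device. The file path and module names are arguments (the demo works on a constructed temporary copy, never on the real /etc/mkinitcpio.conf), and the MODULES=() single-line array format is assumed from the wiki quote.

```shell
#!/bin/sh
# Added example (not alis project code): manage the MODULES=() array of an
# mkinitcpio.conf so the initramfs loads a driver (e.g. tpm) early.
# Assumes the array is written on one line as MODULES=(a b c).

# modules_in_initcpio FILE -> prints the space-separated module list
modules_in_initcpio() {
  sed -n 's/^MODULES=(\(.*\))$/\1/p' "$1"
}

# add_initcpio_module FILE MODULE
# Appends MODULE to MODULES=() unless it is already listed, so repeated runs
# (for instance from a post-install script) never duplicate an entry.
add_initcpio_module() {
  file=$1
  mod=$2
  current=$(modules_in_initcpio "$file")
  for m in $current; do
    [ "$m" = "$mod" ] && return 0      # already present: nothing to do
  done
  if [ -z "$current" ]; then
    new=$mod
  else
    new="$current $mod"
  fi
  # Rewrite via a temp file instead of sed -i to stay portable across seds.
  sed "s/^MODULES=(.*)$/MODULES=($new)/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# tpm_available -> exit 0 when the kernel exposes a TPM device node.
# /dev/tpmrm0 is the in-kernel resource manager that systemd-cryptenroll
# prefers; /dev/tpm0 is the raw device.
tpm_available() {
  [ -e /dev/tpmrm0 ] || [ -e /dev/tpm0 ]
}

# Demo on a constructed copy of mkinitcpio.conf (not the real /etc file).
demo() {
  tmp=$(mktemp)
  printf 'MODULES=()\nBINARIES=()\nHOOKS=(base udev autodetect keyboard modconf block encrypt filesystems fsck)\n' > "$tmp"
  add_initcpio_module "$tmp" tpm
  add_initcpio_module "$tmp" tpm       # second call must not duplicate
  add_initcpio_module "$tmp" tpm_tis   # example of a second, bus-specific driver
  modules_in_initcpio "$tmp"           # prints: tpm tpm_tis
  if tpm_available; then
    echo "TPM device node present"
  else
    echo "no TPM device node (module not loaded or no TPM)"
  fi
  rm -f "$tmp"
}
```

After editing the real file you would still need to regenerate the initramfs (mkinitcpio -P) and reboot before systemd-cryptenroll can talk to the TPM, which is exactly the "after first reboot" constraint the thread discusses.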

@picodotdev picodotdev merged commit f3038ae into picodotdev:master Apr 6, 2022
@picodotdev (Owner)

I merged the PR to add the tpm module as an example module that can be configured. But I still need to read more guides for secure boot, full disk encryption, signing the kernels and other security related topics, and find a proper way to add this to alis.

@MauroSoli MauroSoli deleted the patch-1 branch April 7, 2022 21:59