
I'm a college student trying to complete the first part of a rather large project, but I'm new to TPM and Linux. What I'm trying to do is have the TPM handle automatic decryption of the root ext4 partition on the SD card upon boot. I have a Raspberry Pi 4 with Raspbian Buster installed. I've successfully encrypted the root already using this guide:

Raspbian Stretch Luks Encrypt

After that, I was able to type in a password at boot, so my next step was to try and automatically decrypt the SD card at boot with an Infineon TPM I have installed on the GPIO. My supporting software environment for the TPM includes tpm2-tools, tpm2-tss, and tpm2-abrmd, and I can verify that all are working correctly.

I saw another post on stack exchange that mentioned using clevis along with the clevis-luks and clevis-tpm2 packages to accomplish this:

Use TPM2.0 to securely decrypt the hard drive in Linux — unattended

A contributor's answer to the post suggested trying the clevis bind command. I went ahead and tried it myself, and the command executes without issue, but when I reboot, it seems the TPM is not handling the decryption, as I am still prompted for a password.

I even found another guide that mentions using dracut with clevis-dracut so that the clevis module is loaded early, so the SD card should automatically decrypt, assuming that the clevis module is communicating with the TPM to "unlock" the SD card, but that still hasn't worked for me. That guide can be found here:

TPM Encryption in Fedora Linux

I realize it's not Fedora I'm working with, but most of what's in that guide should still apply. My question is, what am I doing wrong here? If there's anyone that may be able to shed some light on my approach, I would greatly appreciate it.
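A diagnostic script for the setup described in the question, added here as an example (it is not from the question or the clevis project). It assumes Raspbian builds its initrd with initramfs-tools rather than dracut, and the package and file names it checks (clevis-initramfs, clevis-decrypt-tpm2, tpm_tis_spi) are assumptions about how Debian packages clevis and the Infineon SPI TPM driver; the sample listings in the comments are constructed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the question or the clevis project).
# Assumptions: Raspbian builds its initrd with initramfs-tools, so the
# clevis hook comes from the clevis-initramfs package and only lands in
# the initrd after `update-initramfs -u`; the Infineon SPI TPM needs the
# tpm_tis_spi driver loaded before clevis can reach /dev/tpm0; and
# `clevis luks list` prints one "N: pin 'config'" line per bound keyslot.

# Exit 0 if a `clevis luks list` listing on stdin shows a tpm2 binding,
# e.g. (constructed) 1: tpm2 '{"hash":"sha256","pcr_ids":"7"}'
has_tpm2_binding() {
    grep -Eq '^[0-9]+: tpm2 '
}

# Exit 0 if an initrd listing (lsinitramfs output on stdin) carries both
# the clevis tpm2 pin and the SPI TPM driver; prints what is missing.
initramfs_ready_for_tpm2() {
    listing=$(cat)
    ok=0
    if ! printf '%s\n' "$listing" | grep -q 'clevis-decrypt-tpm2'; then
        echo "missing: clevis tpm2 pin (install clevis-initramfs, then update-initramfs -u)"
        ok=1
    fi
    if ! printf '%s\n' "$listing" | grep -q 'tpm_tis_spi'; then
        echo "missing: tpm_tis_spi driver (list it in /etc/initramfs-tools/modules, then update-initramfs -u)"
        ok=1
    fi
    return $ok
}

# Run both checks against a real device and initrd, e.g.
#   diagnose /dev/mmcblk0p2 /boot/initrd.img-$(uname -r)
diagnose() {
    dev=$1; initrd=$2
    if ! clevis luks list -d "$dev" | has_tpm2_binding; then
        # Bind with an empty policy first so a PCR mismatch cannot mask
        # an initrd problem; tighten the policy once unattended unlock works.
        echo "no tpm2 binding on $dev: clevis luks bind -d $dev tpm2 '{}'"
        return 1
    fi
    lsinitramfs "$initrd" | initramfs_ready_for_tpm2 || return 2
    echo "binding and initrd contents look right; if boot still prompts, check whether a PCR policy no longer matches"
}

# Only touch real devices when invoked with both arguments.
if [ $# -eq 2 ]; then
    diagnose "$1" "$2"
fi
```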
