diff --git a/docs/astro.config.mjs b/docs/astro.config.mjs index 38bd505..334c2d9 100644 --- a/docs/astro.config.mjs +++ b/docs/astro.config.mjs @@ -18,7 +18,10 @@ export default defineConfig({ }, { label: "Features", - autogenerate: { directory: "features" }, + items: [ + { slug: "features/secure-boot" }, + { slug: "features/tpm-disk-unlock" }, + ], }, ], }), diff --git a/docs/src/content/docs/features/secure-boot.mdx b/docs/src/content/docs/features/secure-boot.mdx index f023c74..27e3154 100644 --- a/docs/src/content/docs/features/secure-boot.mdx +++ b/docs/src/content/docs/features/secure-boot.mdx @@ -52,23 +52,6 @@ sudo nix run nixpkgs#sbctl enroll-keys -- --microsoft -## TPM disk unlock - -With secure boot in place, TPM can be used to automatically unlock encrypted -partitions. After enabling this feature in the BIOS, setup your partitions. For -each encrypted partition, setup disk unlock by replacing `` -with its identifier, e.g. `nvme0n1p1`, `sda1` or `disk/by-label/NIXOS`. - - - - -```sh "" -sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 /dev/ -``` - - - - ## Troubleshooting ### Outdated secure boot keys @@ -112,42 +95,8 @@ sudo nix run nixpkgs#sbctl reset -### Outdated TPM disk unlock - -After an OS or UEFI update using TPM disk unlock, the disks may not be -automatically unlocked and you will be prompted for the encryption password on -boot. The following steps might resolve this issue. - - -
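Review bot: A page added under `docs/src/content/docs/features/` later will no longer appear in the sidebar, because the Features group now lists its entries explicitly instead of using `autogenerate`; nothing in the hunk records that this is deliberate, so the next contributor is likely to drop a new `.mdx` file there and wonder why it is missing. A one-line comment above the list would make the contract visible, e.g. `// Explicit order: new features/*.mdx pages must be added here to be listed.` The two slugs match the files touched in this diff, so the list is consistent as of this commit. The enclosing `defineConfig({ ... })` call starts and ends outside the hunk.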
    -
  1. - -For each encrypted partition, remove disk unlock by replacing -`` with its identifier, e.g. `nvme0n1p1`, `sda1` or -`disk/by-label/NIXOS`. - - - - -```sh -sudo systemd-cryptenroll --wipe-slot tpm2 /dev/ -``` - - - - -
  2. -
  3. - -[Setup TPM disk unlock](#tpm-disk-unlock) again. - -
  4. -
-
- ## Further reading - Setting up [lanzaboote](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md) -- [TPM disk unlock](https://jnsgr.uk/2024/04/nixos-secure-boot-tpm-fde/#tpm-unlock-of-root-partition) on Nix diff --git a/docs/src/content/docs/features/tpm-disk-unlock.mdx b/docs/src/content/docs/features/tpm-disk-unlock.mdx new file mode 100644 index 0000000..d656fc9 --- /dev/null +++ b/docs/src/content/docs/features/tpm-disk-unlock.mdx @@ -0,0 +1,67 @@ +--- +title: TPM disk unlock +description: Learn how to set up TPM disk unlock on NixOS. +--- + +import { Aside, Steps, Tabs, TabItem } from "@astrojs/starlight/components"; + + + +## Setup + +With secure boot in place, TPM can be used to automatically unlock encrypted +partitions. After enabling this feature in the BIOS, setup your partitions. For +each encrypted partition, setup disk unlock by replacing `` +with its identifier, e.g. `nvme0n1p1`, `sda1` or `disk/by-label/NIXOS`. + + + + +```sh "" +sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 /dev/ +``` + + + + +## Troubleshooting + +### Outdated TPM disk unlock + +After an OS or UEFI update using TPM disk unlock, the disks may not be +automatically unlocked and you will be prompted for the encryption password on +boot. The following steps might resolve this issue. + + +
    +
  1. + +For each encrypted partition, remove disk unlock by replacing +`` with its identifier, e.g. `nvme0n1p1`, `sda1` or +`disk/by-label/NIXOS`. + + + + +```sh +sudo systemd-cryptenroll --wipe-slot tpm2 /dev/ +``` + + + + +
  2. +
  3. + +[Setup TPM disk unlock](#tpm-disk-unlock) again. + +
  4. +
+
+ +## Further reading + +- [TPM disk unlock](https://jnsgr.uk/2024/04/nixos-secure-boot-tpm-fde/#tpm-unlock-of-root-partition) + on Nix