
TPM2 support for encrypted volumes LUKS or btrfs #76

Open
alexminder opened this issue Oct 1, 2024 · 2 comments

Comments

@alexminder

Does ugrd support TPM to unseal encrypted volumes?
If not, can it be implemented?

@desultory
Owner

https://github.com/desultory/cattleguard
I started working on this. I considered implementing Clevis but haven't figured out the codebase.

There are various ways this can be done: some methods require writing to NVRAM, while other methods can bundle "context" within the initramfs.

NVRAM is not unlimited, and including context in the initramfs itself disrupts TPM PCR reads. There are a lot of bad ways to do this, and I personally use a Yubikey on all of my machines, so I don't have a personal reason to add this support.

If anyone wants to add it, or look into it more, I'll be happy to include it, as long as it doesn't work in some way that could potentially hurt user safety.

@desultory
Owner

https://wiki.gentoo.org/wiki/Trusted_Platform_Module#Create_a_TPM_PCR_policy_for_data_sealing

I think I added this section for the purpose of doing this, if you want to read about the process more.
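As an added illustration of the point raised in this thread (this is not ugrd, cattleguard or Clevis code), a Python model of why bundling sealed context into the initramfs disrupts a PCR policy: the policy is computed from the measured boot chain, so if the sealed blob is placed inside the image that PCR 9 measures, the measurement changes and the sealed policy no longer matches. The kernel and initramfs bytes are constructed stand-ins, and the policy digest follows the TPM2_PolicyPCR construction for a SHA-256 bank on a fresh policy session.

```python
import hashlib
from typing import Dict, List

# Added model, not project code. Boot components are constructed stand-ins.
KERNEL = b"vmlinuz-6.x (stand-in bytes)"
INITRAMFS = b"ugrd initramfs (stand-in bytes)"
PCR_INIT = bytes(32)                      # SHA-256 bank: PCR starts as 32 zero bytes
TPM_CC_POLICY_PCR = (0x17F).to_bytes(4, "big")


def extend(pcr: bytes, event: bytes) -> bytes:
    """PCR extend: new = H(old || H(event)). Order matters and nothing can be undone."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(components: List[bytes]) -> bytes:
    """Replay a boot chain into one PCR, as a bootloader does for PCR 9."""
    pcr = PCR_INIT
    for c in components:
        pcr = extend(pcr, c)
    return pcr


def policy_pcr(pcrs: Dict[int, bytes]) -> bytes:
    """TPM2_PolicyPCR digest on a fresh session (SHA-256 bank):
    H(0^32 || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values))."""
    select = 0
    for idx in pcrs:
        select |= 1 << idx
    # TPML_PCR_SELECTION: count=1, hashAlg=TPM_ALG_SHA256 (0x000B), sizeofSelect=3, pcrSelect bitmap
    tpml = (1).to_bytes(4, "big") + (0x000B).to_bytes(2, "big") + b"\x03" + select.to_bytes(3, "little")
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in sorted(pcrs))).digest()
    return hashlib.sha256(PCR_INIT + TPM_CC_POLICY_PCR + tpml + pcr_digest).digest()


def seal_policy(components: List[bytes]) -> bytes:
    """Policy the LUKS key object is sealed to: PCR 9 over this exact boot chain."""
    return policy_pcr({9: measure_boot(components)})


def unseal_allowed(sealed_policy: bytes, components: List[bytes]) -> bool:
    """The TPM releases the object only if the live policy digest equals the sealed one."""
    return policy_pcr({9: measure_boot(components)}) == sealed_policy


def demo() -> Dict[str, bool]:
    policy = seal_policy([KERNEL, INITRAMFS])            # sealed against the clean image
    sealed_blob = b"<opaque sealed-key context (stand-in)>"
    return {
        # context kept outside the measured image (e.g. NVRAM): PCR 9 is unchanged
        "context_outside_image": unseal_allowed(policy, [KERNEL, INITRAMFS]),
        # context bundled into the initramfs: the image PCR 9 measures has changed
        "context_inside_image": unseal_allowed(policy, [KERNEL, INITRAMFS + sealed_blob]),
    }
```

Re-sealing against the modified image does not escape the loop, because the new blob changes the image again; the context has to live somewhere the policy's PCRs do not measure.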
