[dm-crypt] TPM support for LUKS partitions
octane at alinto.com
Fri Mar 1 10:02:29 CET 2013
In reply to Zaolin <zaolin at das-labor.org>:
> TPM support is hard.... I am working at the company
> which created the trusted grub, tpmmanager and
> tpm infineon kernel driver. All of you guys want to
> use the TPM software stack named TrouSerS.
> This idea is really bad because it is an incomplete
> and broken tss.
I use a /boot partition which contains a kernel,
an initrd and a sealed blob. TrustedGrub is used
to boot the system.
I use a custom initrd which will open the sealed blob
only if PCRs are OK. Then the content of this blob is
piped to cryptsetup. If everything is OK, the
ciphered partition is open.
> The idea of TPM support in cryptsetup is great but I
> wanted to use the keyctl kernelspace key management
> in order to be free from TrouSerS and initrd dependencies.
> There are also some known problems with Trusted
> Boot Systems:
> * Consistent resealing after changes with PCR pre
> calculation. <-- It is really big shit.
Can you explain more on that? Do you have any links?
> * Multi User support
I don't see where it could be interesting on
the boot?
> * Migration, this means backup ability.
> * Key Store of TrouSerS
> I had the same idea a long time ago but I didn't finish my
> see -> www.tpmcrypt.org
> I guess it makes more sense to implement this in
> cryptsetup as keyutils backend itself. It is also
> needed to modify the dm-crypt kernel interface and
> libdevmapper implementation.
> Regards Zaolin
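The unlock flow described above (custom initrd unseals a blob only when the PCRs match, then pipes the result to cryptsetup) as an added example; this is not code from the original post or from the cryptsetup project. It assumes the tpm-tools userspace (tpm_sealdata / tpm_unsealdata, which sit on top of TrouSerS) and cryptsetup are in the initrd; the blob path, device name, mapping name and the `tpmblob=` kernel parameter are hypothetical. The script fails closed: if the blob is missing or the TPM refuses to unseal because the PCRs changed, cryptsetup receives no key and the volume stays locked, and the unsealed key exists only inside the pipe, never on disk.

```shell
#!/bin/sh
# Added example (not from the original post): initrd hook that unseals a
# TPM-sealed LUKS key and feeds it to cryptsetup on stdin.
#
# One-time sealing step, run from the trusted, booted system (hypothetical
# PCR selection; pick the PCRs your boot chain actually extends):
#   tpm_sealdata -z -p 0 -p 2 -p 4 -p 8 -i luks.key -o /boot/luks.blob

# Hypothetical defaults; override via environment or kernel cmdline.
BLOB="${BLOB:-/boot/luks.blob}"
ROOTDEV="${ROOTDEV:-/dev/sda2}"
MAPNAME="${MAPNAME:-cryptroot}"

# Pick the sealed blob path from a kernel command line string.
# Prints the value of tpmblob=... if present, otherwise the given default.
blob_from_cmdline() {
    cmdline="$1"; default="$2"
    for arg in $cmdline; do
        case "$arg" in
            tpmblob=*) printf '%s\n' "${arg#tpmblob=}"; return 0 ;;
        esac
    done
    printf '%s\n' "$default"
}

# Unseal the blob and hand the key to cryptsetup over a pipe.
# Fails closed: a missing blob, a PCR mismatch (tpm_unsealdata refuses
# and emits nothing) or a wrong key all leave the volume locked.
unlock_with_tpm() {
    blob="$1"; dev="$2"; name="$3"
    if [ ! -r "$blob" ]; then
        echo "sealed blob $blob missing or unreadable" >&2
        return 1
    fi
    # -z: well-known SRK secret; with no -o, tpm_unsealdata writes to stdout.
    # --key-file - makes cryptsetup read the key from stdin, so the
    # plaintext key never touches a filesystem.
    tpm_unsealdata -z -i "$blob" | cryptsetup luksOpen --key-file - "$dev" "$name"
}

# Only act when invoked as the initrd hook with "run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
    blob=$(blob_from_cmdline "$(cat /proc/cmdline)" "$BLOB")
    unlock_with_tpm "$blob" "$ROOTDEV" "$MAPNAME" || exit 1
fi
```

Resealing is the operational cost this design carries: every kernel, initrd or bootloader update changes the PCR values, so the blob must be resealed (from the still-trusted system) before rebooting, or the machine will fail closed and need a fallback passphrase slot.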