On Tue, Nov 13, 2018 at 10:16 AM Daniel McAllister <[email protected]> wrote:
>
> Hello All,
>
> I am developing something that I call "An encrypted overlay file system
> with tpm2.0" for coreos. The feature is basically a new dracut module which
> will mount a new file system on top of the normal file system as an overlay.
> This new file system is LUKS encrypted and the disk encryption key can be
> stored in the tpm2.0 chipset.
> I have added a new cmdline argument which represents the following:
> - What is the device name for the encrypted data (the 'writes' will go on this
>   partition).
> - The disk encryption key is sealed to what PCRs
> - The nvram index where the disk encryption key is
>
> Missing features that may be helpful:
> - Master recovery passphrase if the tpm2.0 fails to give the disk encryption
>   key
>
> I would like to ask for some input and also what you think of this feature. Is
> it needed, and do you see a reasonable chance that this merge request will be accepted?
> The code is not fully polished, but here are the two repositories:
> https://github.com/rasztasd/coreos-overlay
> https://github.com/rasztasd/bootengine
>
> I would like to merge it as soon as possible (if possible), so any input will
> be appreciated.

Thanks for sharing this, but we are unlikely to merge new features at this time. Container Linux is in maintenance mode through at least 2019, when Fedora CoreOS ( https://coreos.fedoraproject.org/ ) will be the actively developed community distro.

Since your work is a general dracut module, you could try to have it packaged in Fedora through their normal process and start the discussion of having it installed in Fedora CoreOS. You can join #fedora-coreos on freenode or subscribe to [email protected] if you'd like to get involved with development.

Thanks.

David
