On Thu, Aug 16, 2007 at 11:35:33AM +0200, Ralf Rojahn wrote:
> I would like to use trousers to seal (or bind) my root partition to
> my TPM.

I have been busy overhauling the key module code in the ecryptfs-utils
package for the last week and a half. I now have something that builds
and runs, but it still needs further test and code review. It includes
an updated TSPI key module that seals a key to the TPM
(src/key_mod/ecryptfs_key_mod_tspi.c).

http://downloads.sourceforge.net/ecryptfs/ecryptfs-utils-tspi-experimental.tar.bz2

> I have installed trousers and tpm-tools on a Fujitsu-Siemens ST5020 
> Tablet-PC (which contains an Infineon 1.1 TPM hardware).
> I am running on Gentoo Linux with a 2.6.21-r4 kernel.
> 
> At this point, some questions appeared:
> 
> 1. I found ecryptfs (http://ecryptfs.sourceforge.net) to be the only 
> Crypto-FS, that supports a TPM currently, is that true?

Dave Safford got dm-crypt working with the TPM a couple of years
back. I'm not sure if he ever made his code public.

> 3. In this tutorial 
> (http://trousers.sourceforge.net/tpm_keyring2/quickstart.html) setting 
> up the TPM Keyring is shown by using a KDE-Application. I don't have X 
> installed, and perhaps someone could explain the basic ideas behind it, 
> so i could do this on the command line.

The updated TSPI key module is just for sealing a key to a set of
PCR's and then using that key if the PCR values match later on. For
now, you will need to build and run
src/utils/ecryptfs_generate_tpm_key.c manually to make that key and
then specify the given UUID to the TSPI module on mount. It is very
bleeding edge (just finished the code yesterday), so you will have to
wait for a future non-experimental release for something a bit more
presentable. In the meantime, if you are anxious to use the TPM right
now, the ecryptfs-utils-tspi-experimental.tar.bz2 tarball has code
that works for me at the moment.

> As I said, my final goal is to seal my root partition to my TPM.

I think there are others who are mounting their root partition via
eCryptfs, given some patches that I have seen coming in, but I have
never tested that myself. I recommend using the most recent upstream
kernel, to make sure that you have all the most recent bugfixes for
things like device nodes or pipes, and let me know if it actually
works for you.

> I already know that certain applications and the BIOS itself can create 
> hashes for important files and hand them over to the TPM, where they are 
> stored in PCRs. (or does the TPM calculate the hashes itself, i'm not 
> quite sure...)
> Maybe at is possible to seal the encrypted partition to these PCRs.

The TSPI key module in eCryptfs can be used to bind a key to the PCR
values that are there. Of course, you need several links the chain for
the PCR values to mean anything in terms of security.

Mike

Attachment: pgpPQ2uChg6a6.pgp
Description: PGP signature

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
eCryptfs-users mailing list
eCryptfs-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ecryptfs-users

Reply via email to