On Thu, Aug 16, 2007 at 11:35:33AM +0200, Ralf Rojahn wrote:
> I would like to use trousers to seal (or bind) my root partition to
> my TPM.

I have been busy overhauling the key module code in the ecryptfs-utils
package for the last week and a half. I now have something that builds
and runs, but it still needs further test and code review. It includes
an updated TSPI key module that seals a key to the TPM
(src/key_mod/ecryptfs_key_mod_tspi.c).

http://downloads.sourceforge.net/ecryptfs/ecryptfs-utils-tspi-experimental.tar.bz2

> I have installed trousers and tpm-tools on a Fujitsu-Siemens ST5020
> Tablet-PC (which contains an Infineon 1.1 TPM hardware).
> I am running on Gentoo Linux with a 2.6.21-r4 kernel.
>
> At this point, some questions appeared:
>
> 1. I found ecryptfs (http://ecryptfs.sourceforge.net) to be the only
> Crypto-FS, that supports a TPM currently, is that true?

Dave Safford got dm-crypt working with the TPM a couple of years
back. I'm not sure if he ever made his code public.

> 3. In this tutorial
> (http://trousers.sourceforge.net/tpm_keyring2/quickstart.html) setting
> up the TPM Keyring is shown by using a KDE-Application. I don't have X
> installed, and perhaps someone could explain the basic ideas behind it,
> so I could do this on the command line.

The updated TSPI key module is just for sealing a key to a set of
PCRs and then using that key if the PCR values match later on. For
now, you will need to build and run
src/utils/ecryptfs_generate_tpm_key.c manually to make that key and
then specify the given UUID to the TSPI module on mount. It is very
bleeding edge (just finished the code yesterday), so you will have to
wait for a future non-experimental release for something a bit more
presentable. In the meantime, if you are anxious to use the TPM right
now, the ecryptfs-utils-tspi-experimental.tar.bz2 tarball has code
that works for me at the moment.

> As I said, my final goal is to seal my root partition to my TPM.

I think there are others who are mounting their root partition via
eCryptfs, given some patches that I have seen coming in, but I have
never tested that myself. I recommend using the most recent upstream
kernel, to make sure that you have all the most recent bugfixes for
things like device nodes or pipes, and let me know if it actually
works for you.

> I already know that certain applications and the BIOS itself can create
> hashes for important files and hand them over to the TPM, where they are
> stored in PCRs. (or does the TPM calculate the hashes itself, I'm not
> quite sure...)
> Maybe it is possible to seal the encrypted partition to these PCRs.

The TSPI key module in eCryptfs can be used to bind a key to the PCR
values that are there. Of course, you need several links in the chain
for the PCR values to mean anything in terms of security.

Mike
_______________________________________________
eCryptfs-users mailing list
eCryptfs-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ecryptfs-users
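
Added illustration (not part of the original message, and not code from ecryptfs-utils or TrouSerS): a small Python model of the TPM 1.x PCR extend operation and of seal/unseal against a single PCR, showing why a sealed key is only protected when every boot stage in the chain is measured. The stage names, image bytes, key and helper functions are constructed for the example; a real TPM keeps the sealed secret encrypted and performs the PCR comparison in hardware.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.1/1.2 PCR holds one SHA-1 digest
# Constructed sample boot chain (stage name, image bytes); not real firmware.
GOOD_CHAIN = [("bios", b"bios-v1"), ("bootloader", b"loader-v1"),
              ("kernel", b"kernel-v1"), ("initrd", b"initrd-v1")]

def extend(pcr, image):
    """TPM 1.x extend: PCR_new = SHA1(PCR_old || SHA1(image))."""
    return hashlib.sha1(pcr + hashlib.sha1(image).digest()).digest()

def boot(chain, measured):
    """Replay a boot; only stages listed in `measured` get extended."""
    pcr = bytes(PCR_SIZE)  # PCR starts as all zeroes after reset
    for name, image in chain:
        if name in measured:
            pcr = extend(pcr, image)
    return pcr

def seal(secret, pcr):
    """Model of a sealed blob: the secret plus the PCR value it is bound to."""
    return {"pcr": pcr, "secret": secret}

def unseal(blob, current_pcr):
    """Release the secret only if the current PCR equals the sealed value."""
    if hmac.compare_digest(blob["pcr"], current_pcr):
        return blob["secret"]
    return None

def demo():
    """Return {label: (unseal on clean boot, unseal with modified kernel)}."""
    key = b"constructed-volume-key"
    evil = [(n, b"kernel-modified" if n == "kernel" else i)
            for n, i in GOOD_CHAIN]
    full = {"bios", "bootloader", "kernel", "initrd"}
    partial = {"bios", "bootloader"}  # measurement chain stops before the kernel
    results = {}
    for label, measured in (("full", full), ("partial", partial)):
        blob = seal(key, boot(GOOD_CHAIN, measured))
        results[label] = (unseal(blob, boot(GOOD_CHAIN, measured)),
                          unseal(blob, boot(evil, measured)))
    return results

if __name__ == "__main__":
    print(demo())
```

With the full chain measured, the modified kernel changes the PCR and the key is withheld; with the chain stopping at the bootloader, the same modification goes unnoticed and the key is released.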