On Mon, Feb 24, 2020 at 03:22:28PM +0100, Julius Zint wrote:
boot(8) supports the machine specific command "tpm". This allows a
user to:

1: read the current contents of the Platform Control Registers (PCR)
  with the "pcr" parameter

  machine tpm p[cr]

2: seal a user supplied secret to the current PCR values and store it
  in the second block on a disk, that can be altered via a parameter.
  WARNING: If there is any other data in this block, it will be
  overwritten without asking again.

  machine tpm s[eal] secret [DiskNumber]

3: unseal a previously sealed secrent and display it to the user. This
  command just reads the second block of the disk that can be
  specified by the user and unseals it via the TPM

  machine tpm u[nseal] [DiskNumber]

I hope you are enjoying your (well-earned) vacation.

I can't tell from the instructions how the FDE encryption key is stored -- do we manually seal it to the TPM and then manually unseal and copy/paste it every time we boot? Or is it assumed the user will write a script to handle this -- a script which itself will have to be measured by the TPM?

Reply via email to