On Mon, Feb 24, 2020 at 03:22:28PM +0100, Julius Zint wrote:
boot(8) supports the machine specific command "tpm". This allows a
1: read the current contents of the Platform Control Registers (PCR)
with the "pcr" parameter
machine tpm p[cr]
2: seal a user supplied secret to the current PCR values and store it
in the second block on a disk, that can be altered via a parameter.
WARNING: If there is any other data in this block, it will be
overwritten without asking again.
machine tpm s[eal] secret [DiskNumber]
3: unseal a previously sealed secrent and display it to the user. This
command just reads the second block of the disk that can be
specified by the user and unseals it via the TPM
machine tpm u[nseal] [DiskNumber]
I hope you are enjoying your (well-earned) vacation.
I can't tell from the instructions how the FDE encryption key is stored
-- do we manually seal it to the TPM and then manually unseal and
copy/paste it every time we boot? Or is it assumed the user will write a
script to handle this -- a script which itself will have to be measured
by the TPM?