Re: TPM2 for disk encryption, clevis

2020-07-08 Thread Marius Vollmer
Kevin Fenzi  writes:

> What does 'support for clevis' there look like? You mean just binding an
> encrypted drive to look for clevis servers on boot?

Yes, currently we only support the "tang" pin.

> I think tpm2 might be good, but lots of machines don't have tpm2.
> So I would think it would need to be optional?

Of course.
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org


Re: TPM2 for disk encryption, clevis

2020-07-08 Thread Marius Vollmer

Richard Hughes  writes:

> On Wed, 8 Jul 2020 at 09:59, Marius Vollmer  wrote:
>> As I understand it, there is a lot of evolving OS specific subtlety
>> involved, so I am asking specifically how this would look on current
>> Fedora and what to expect in the near future.
>
> Just a heads-up; the PCR0 changes when you upgrade the system
> firmware.

Yeah, that is the fragility that Matthew is talking about here, right?

https://mjg59.dreamwidth.org/48897.html

How far along are we with implementing the "measure keys and policy into
PCR7" scheme?  Is it maybe done?  Is that actually the plan for Fedora,
or something else?


Re: TPM2 for disk encryption, clevis

2020-07-08 Thread Richard Hughes
On Wed, 8 Jul 2020 at 09:59, Marius Vollmer  wrote:
> As I understand it, there is a lot of evolving OS specific subtlety
> involved, so I am asking specifically how this would look on current
> Fedora and what to expect in the near future.

Just a heads-up; the PCR0 changes when you upgrade the system
firmware. Dell already requested that fwupd somehow "informs" clevis
about the new PCR0, but until vendors start supplying this in the
firmware metadata it's not super useful to know "it's going to be
different".

Richard.
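The fragility Richard describes comes straight from how PCRs are built: a PCR is never written, only extended, so any change in what firmware measures into PCR0 produces a different final value and a secret sealed against the old value stays locked. The model below is an added example, not code from this thread or from clevis or fwupd; it replays the TPM 2.0 SHA-256 extend operation over constructed measurements and contrasts a binding to PCR0 (firmware code) with one to PCR7 (Secure Boot policy variables plus the certificate that authorised the boot loader, simplified here to a handful of labelled byte strings). The firmware version strings, variable contents and certificate names are all invented for the demonstration, and `seal_policy`/`unseal_allowed` stand in for the TPM's PCR policy check rather than reproducing its wire format.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend for the SHA-256 bank: PCR_new = SHA256(PCR_old || digest)."""
    assert len(pcr) == PCR_SIZE and len(digest) == PCR_SIZE
    return hashlib.sha256(pcr + digest).digest()


def measure_log(events):
    """Replay a list of measured objects into a PCR that starts at all zeros.
    Each object is hashed first, the way a boot component's image is measured."""
    pcr = bytes(PCR_SIZE)
    for obj in events:
        pcr = pcr_extend(pcr, hashlib.sha256(obj).digest())
    return pcr


def boot_pcrs(firmware_volume, secure_boot_vars, boot_authority):
    """Constructed model of two PCRs from one boot.
    PCR0: the firmware code volume.
    PCR7: the Secure Boot policy variables followed by the certificate that
    verified the boot loader (a simplification of what the EFI spec mandates)."""
    return {
        0: measure_log([firmware_volume]),
        7: measure_log(list(secure_boot_vars) + [boot_authority]),
    }


def seal_policy(pcrs, pcr_ids):
    """Record the PCR values a secret is bound to (what clevis's pcr_ids selects)."""
    return {i: pcrs[i] for i in pcr_ids}


def unseal_allowed(policy, pcrs):
    """The TPM releases the secret only if every bound PCR equals its sealed value."""
    return all(pcrs.get(i) == v for i, v in policy.items())


# Constructed Secure Boot state; real PCR7 contents come from the EFI variables.
SB_VARS = [b"SecureBoot=1", b"PK=vendor-pk", b"KEK=vendor-kek", b"db=ms-uefi-ca"]
SHIM_SIGNER = b"cert:hypothetical UEFI CA"


def demo():
    """Seal against PCR0 and PCR7 on the old firmware, then replay three later boots."""
    old = boot_pcrs(b"firmware-1.2.3", SB_VARS, SHIM_SIGNER)
    bound_pcr0 = seal_policy(old, [0])
    bound_pcr7 = seal_policy(old, [7])

    # 1. Only the firmware code changed (a fwupd-style update).
    fw_update = boot_pcrs(b"firmware-1.2.4", SB_VARS, SHIM_SIGNER)
    # 2. Same firmware, but a new certificate was enrolled into db.
    db_change = boot_pcrs(b"firmware-1.2.3", SB_VARS + [b"db+=extra-ca"], SHIM_SIGNER)
    # 3. Same firmware and variables, but the boot loader verified against a different cert.
    other_signer = boot_pcrs(b"firmware-1.2.3", SB_VARS, b"cert:some other CA")

    return {
        "pcr0_after_fw_update": unseal_allowed(bound_pcr0, fw_update),
        "pcr7_after_fw_update": unseal_allowed(bound_pcr7, fw_update),
        "pcr7_after_db_change": unseal_allowed(bound_pcr7, db_change),
        "pcr7_other_signer": unseal_allowed(bound_pcr7, other_signer),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'unseals' if ok else 'LOCKED'}")
```

Running it shows the PCR0 binding locking after the firmware update while the PCR7 binding survives it, yet the PCR7 binding still locks when the Secure Boot policy or the signing authority changes, which is the trade-off behind the "measure keys and policy into PCR7" scheme discussed above: the secret follows the trust policy rather than a particular firmware build.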


Re: TPM2 for disk encryption, clevis

2020-07-08 Thread Kevin Fenzi
On Wed, Jul 08, 2020 at 11:58:58AM +0300, Marius Vollmer wrote:
> Hi,
> 
> we have some rudimentary support for Clevis in the Cockpit Web Console,
> and now the question is, should we add support for "tpm2" to that?

What does 'support for clevis' there look like? You mean just binding an
encrypted drive to look for clevis servers on boot?
> 
> As I understand it, there is a lot of evolving OS specific subtlety
> involved, so I am asking specifically how this would look on current
> Fedora and what to expect in the near future.

> 
> Here is the discussion that prompted my question:
> 
> https://github.com/cockpit-project/cockpit/issues/14313[1]
> 
> In most concrete terms: Which PCRs should we use on which version of
> Fedora?  ("None" is a totally nice answer.)
> 
> I don't think we can let the user enter the PCR numbers, that requires
> way too much intimate knowledge of the current state of support for
> secure boot of their OS.  I.e., the best way I have to answer that for
> myself is to ask here.
> 
> The user needs to be shielded from that knowledge, I'd say, and ideally
> clevis would already shield me from it, but I am happy to do it in
> Cockpit.

I think tpm2 might be good, but lots of machines don't have tpm2.
So I would think it would need to be optional?

kevin
