Re: TPM2 for disk encryption, clevis

2020-07-09 Thread Marius Vollmer
Kevin Fenzi writes:

> What does 'support for clevis' there look like? You mean just binding an
> encrypted drive to look for clevis servers on boot?

Yes, currently we only support the "tang" pin.

> I think tpm2 might be good, but lots of machines don't have tpm2.
> So I would think it would

Re: TPM2 for disk encryption, clevis

2020-07-09 Thread Marius Vollmer
Richard Hughes writes:

> On Wed, 8 Jul 2020 at 09:59, Marius Vollmer wrote:
>> As I understand it, there is a lot of evolving OS specific subtlety
>> involved, so I am asking specifically how this would look on current
>> Fedora and what to expect in the near future.
>
> Just a heads-up; the

Re: TPM2 for disk encryption, clevis

2020-07-08 Thread Richard Hughes
On Wed, 8 Jul 2020 at 09:59, Marius Vollmer wrote:
> As I understand it, there is a lot of evolving OS specific subtlety
> involved, so I am asking specifically how this would look on current
> Fedora and what to expect in the near future.

Just a heads-up; the PCR0 changes when you upgrade the

Re: TPM2 for disk encryption, clevis

2020-07-08 Thread Kevin Fenzi
On Wed, Jul 08, 2020 at 11:58:58AM +0300, Marius Vollmer wrote:
> Hi,
>
> we have some rudimentary support for Clevis in the Cockpit Web Console,
> and now the question is, should we add support for "tpm2" to that?

What does 'support for clevis' there look like? You mean just binding an encrypted