Re: TPM2 for disk encryption, clevis

2020-07-09 Thread Marius Vollmer
Kevin Fenzi  writes:

> What does 'support for clevis' there look like? you mean just binding a
> encrypted drive to look for clevis servers on boot?

Yes, currently we only support the "tang" pin.

> I think tpm2 might be good, but lots of machines don't have tpm2.
> So I would think it would need to be optional?

Of course.
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org


Re: TPM2 for disk encryption, clevis

2020-07-09 Thread Marius Vollmer

Richard Hughes  writes:

> On Wed, 8 Jul 2020 at 09:59, Marius Vollmer  wrote:
>> As I understand it, there is a lot of evolving OS specific subtlety
>> involved, so I am asking specifically how this would look on current
>> Fedora and what to expect in the near future.
>
> Just a heads-up; the PCR0 changes when you upgrade the system
> firmware.

Yeah, that is the fragility that Matthew is talking about here, right?

https://mjg59.dreamwidth.org/48897.html

How far along are we with implementing the "measure keys and policy into
PCR7" scheme?  Is it maybe done?  Is that actually the plan for Fedora,
or somehting else?
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org


Re: TPM2 for disk encryption, clevis

2020-07-08 Thread Richard Hughes
On Wed, 8 Jul 2020 at 09:59, Marius Vollmer  wrote:
> As I understand it, there is a lot of evolving OS specific subtlety
> involved, so I am asking specifically how this would look on current
> Fedora and what to expect in the near future.

Just a heads-up; the PCR0 changes when you upgrade the system
firmware. Dell already requested that fwupd somehow "informs" clevis
about the new PCR0, but until vendors start supplying this in the
firmware metadata it's not super useful to know "it's going to be
different".

Richard.
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org


Re: TPM2 for disk encryption, clevis

2020-07-08 Thread Kevin Fenzi
On Wed, Jul 08, 2020 at 11:58:58AM +0300, Marius Vollmer wrote:
> Hi,
> 
> we have some rudimentary support for Clevis in the Cockpit Web Console,
> and now the question is, should we add support for "tpm2" to that?

What does 'support for clevis' there look like? you mean just binding a
encrypted drive to look for clevis servers on boot?
> 
> As I understand it, there is a lot of evolving OS specific subtlety
> involved, so I am asking specifically how this would look on current
> Fedora and what to expect in the near future.

> 
> Here is the discussion that prompted my question:
> 
> https://github.com/cockpit-project/cockpit/issues/14313[1]
> 
> In most concrete terms: Which PCRs should we use on which version of
> Fedora?  ("None" is a totally nice answer.)
> 
> I don't think we can let the user enter the PCR numbers, that requires
> way to much intimate knowledge of the current state of support for
> secure boot of their OS.  I.e., the best way I have to answer that for
> myself is to ask here.
> 
> The user needs to be shielded from that knowledge, I'd say, and ideally
> clevis would already shield me from it, but I am happy to do it in
> Cockpit.

I think tpm2 might be good, but lots of machines don't have tpm2. 
So I would think it would need to be optional?

kevin


signature.asc
Description: PGP signature
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org