>> I can't tell from the instructions how the FDE encryption key is stored --
>> do we manually seal it to the TPM and then manually unseal and copy/paste it
>> every time we boot? Or is it assumed the user will write a script to handle
>> this -- a script which itself will have to be
As part of my master thesis i wrote code to enable a trusted boot
with OpenBSD. This short manual is for everyone who wants to try it.
Feedback on the code and the feature itself is also appreciated.
1: OpenBSD 6.5 (might also work with 6.6 but only tested with 6.5)
> Are there any downsides though? For example, would resume from
> hibernation still work for such a setup?
It should work with hibernation without any problems, but i did
not test this extensively.
> More so, for the less knowledgeable of us, how does this relate to
> UEFI's "Secure
> I'm not really in a position to reflash my machine but I would still be
> curious for details.
There is no need to reflash your firmware if the system has a integrated
and supported TPM 1.2 chip.
The prototype uses a Static Root of Trust for Measurment (SRTM) approach
where the Chain of
> If an evil made came by and got access to my machine, they would still
> be able to tamper with the bootloader code to harvest the FDE password
> when I returned.
> I want to put the whole bootloader (including the code used to decrypt
> the softraid-FDE-encrypted
> Index: arch/amd64/stand/libsa/gidt.S
> RCS file: /cvs/src/sys/arch/amd64/stand/libsa/gidt.S,v
> retrieving revision 1.11
> diff -u -p -u -r1.11 gidt.S
> --- arch/amd64/stand/libsa/gidt.S 27 Oct 2012 15:43:42 -
the following code snipped is from sys/arch/amd64/stand/libsa/gidt.S
/* pass BIOS return values back to caller */
movb%bh , 0xe*4(%esp)
/* clear NT flag in eflags */
/* Martin Fredriksson */
Mail list logo