From: octane indice <octane@alinto.com>
To: Zaolin <zaolin@das-labor.org>
Cc: dm-crypt@saout.de, Nicolae Paladi <n.paladi@gmail.com>,
	".. ink .." <mhogomchungu@gmail.com>
Subject: Re: [dm-crypt] TPM support for LUKS partitions
Date: Fri, 01 Mar 2013 10:02:29 +0100	[thread overview]
Message-ID: <1362128549.51306ea5eedc1@www.inmano.com> (raw)
In-Reply-To: <20130228042541.7b4903d4@Haruhi.lan>

In reply to Zaolin <zaolin@das-labor.org>:
> TPM support is hard.... I am working at the company
> which created the trusted grub, tpmmanager and
> tpm infineon kernel driver. All of you guys want to
> use the TPM software stack named TrouSers.
> This idea is really bad because it is an incomplete
> and broken tss.
> 
I use a /boot partition which contains a kernel,
an initrd and a sealed blob. TrustedGrub is used
to boot the system.
I use a custom initrd which will open the sealed blob
only if PCRs are OK. Then the content of this blob is
piped to cryptsetup. If everything is OK, the
ciphered partition is opened.

> The idea of TPM support in cryptsetup is great but I
> wanted to use the keyctl kernelspace key management
> in order to be free from TrouSers and initrd dependencies.
> 
> There are also some known problems with Trusted
> Boot Systems:
> 
> * Consistent resealing after changes with PCR pre
> calculation. <-- It is really big shit.

Can you explain more on that? Do you have any links?

> * Multi User support

I don't see where it could be interesting on
the boot?

> * Migration, this means backup ability.
> * Key Store of TrouSers
> 
> I had the same idea a long time ago but I didn't finish my
> project.
> 
> see -> www.tpmcrypt.org
> 
> I guess it makes more sense to implement this in
> cryptsetup as keyutils backend itself. It is also
> needed to modify the dm-crypt kernel interface and
> libdevmapper implementation.
> 
> 
> Regards Zaolin
> 

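As an added illustration (not code from this thread, TrustedGRUB, TrouSers or cryptsetup), a Python model of the PCR-bound unseal step octane describes and of the "resealing after changes with PCR pre-calculation" problem Zaolin raises. The PCR layout, boot components and the toy seal construction are constructed assumptions; only the extend rule (SHA-1 hash chain over 20-byte registers) follows TPM 1.2.

```python
import hashlib
import hmac

PCR_INIT = bytes(20)   # TPM 1.2 PCRs are 20-byte SHA-1 registers, zero at reset
SELECTION = (4, 8)     # PCRs the blob is bound to (constructed layout, not TrustedGRUB's)

def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA1(PCR_old || SHA1(data)); order-dependent, irreversible."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()

def measure_boot(bootloader: bytes, kernel: bytes, initrd: bytes) -> dict:
    """Constructed measured-boot chain: bootloader into PCR 4, kernel then initrd into PCR 8."""
    pcrs = {}
    for idx, data in ((4, bootloader), (8, kernel), (8, initrd)):
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), data)
    return pcrs

def composite(pcrs: dict) -> bytes:
    """Digest over the selected PCRs; this is the value a sealed blob is bound to."""
    return hashlib.sha1(b"".join(pcrs[i] for i in SELECTION)).digest()

def seal(secret: bytes, pcrs: dict) -> tuple:
    """Toy seal (not real TPM crypto): keystream and MAC key derived from the composite."""
    assert len(secret) <= 32
    comp = composite(pcrs)
    stream = hashlib.sha256(b"enc" + comp).digest()
    ct = bytes(s ^ k for s, k in zip(secret, stream))
    tag = hmac.new(b"mac" + comp, ct, hashlib.sha256).digest()
    return ct, tag

def unseal(blob: tuple, pcrs: dict):
    """Return the secret only if live PCRs match the sealing-time composite, else None."""
    ct, tag = blob
    comp = composite(pcrs)
    if not hmac.compare_digest(hmac.new(b"mac" + comp, ct, hashlib.sha256).digest(), tag):
        return None   # PCR mismatch: the initrd must hand nothing to cryptsetup
    stream = hashlib.sha256(b"enc" + comp).digest()
    return bytes(c ^ k for c, k in zip(ct, stream))

def kernel_update_scenario(secret: bytes) -> dict:
    """Why a kernel update needs resealing, and how PCR pre-calculation avoids a trial boot."""
    old = measure_boot(b"grub", b"vmlinuz-3.7", b"initrd-3.7")
    blob = seal(secret, old)
    new = measure_boot(b"grub", b"vmlinuz-3.8", b"initrd-3.7")   # kernel changed
    # The admin knows the new kernel bytes, so the expected PCR 8 can be computed
    # offline and the blob resealed before rebooting into the new kernel.
    resealed = seal(secret, measure_boot(b"grub", b"vmlinuz-3.8", b"initrd-3.7"))
    return {"old_boot": unseal(blob, old),
            "stale_blob_new_kernel": unseal(blob, new),
            "resealed_new_kernel": unseal(resealed, new)}
```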

Thread overview: 8+ messages
2013-02-27 13:26 [dm-crypt] TPM support for LUKS partitions Nicolae Paladi
2013-02-27 17:47 ` Kent Yoder
2013-02-27 18:50 ` .. ink ..
2013-02-28  3:25   ` Zaolin
2013-03-01  9:02     ` octane indice [this message]
2013-02-28  3:30   ` Zaolin
2013-02-28 16:43     ` Kent Yoder
  -- strict thread matches above, loose matches on Subject: below --
2012-11-28  1:45 Kent Yoder
