Date: Thu, 28 Feb 2013 04:25:41 +0100
From: Zaolin
Message-ID: <20130228042541.7b4903d4@Haruhi.lan>
Subject: Re: [dm-crypt] TPM support for LUKS partitions
To: ".. ink .."
Cc: dm-crypt@saout.de, Nicolae Paladi

Hi,

TPM support is hard.... I am working at the company which created the Trusted GRUB, tpmmanager and TPM Infineon kernel driver. All of you guys want to use the TPM software stack named TrouSerS. This idea is really bad because it is an incomplete and broken TSS.

The idea of TPM support in cryptsetup is great, but I wanted to use the keyctl kernelspace key management in order to be free from TrouSerS and initrd dependencies.

There are also some known problems with Trusted Boot systems:

* Consistent resealing after changes with PCR pre-calculation. <-- It is really big shit.
* Multi-user support
* Migration, this means backup ability.
* Key store of TrouSerS

I had the same idea a long time ago but I didn't finish my project. See -> www.tpmcrypt.org

I guess it makes more sense to implement this in cryptsetup as a keyutils backend itself. It is also needed to modify the dm-crypt kernel interface and the libdevmapper implementation.

Regards
Zaolin
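The resealing problem raised in the message above comes down to PCR pre-calculation: a LUKS key sealed to a PCR value only unseals when the measured boot chain reproduces that exact value, so every kernel or bootloader update means predicting the new value and resealing. The following is an added illustration, not code from the thread or from tpmcrypt; it models the TPM 1.2 extend operation (PCR_new = SHA-1(PCR_old || measurement) on a 20-byte register that starts at zero) and uses constructed placeholder blobs in place of real boot components:

```python
"""PCR pre-calculation, as an added illustration (not code from the thread).

TPM 1.2 PCRs are 20-byte SHA-1 registers that start at all zeros and can
only be changed via extend: PCR_new = SHA1(PCR_old || measurement).
A key sealed to a PCR value unseals only when the boot chain reproduces
exactly that value, so a changed component requires resealing to the
predicted new value.
"""
import hashlib

PCR_INIT = b"\x00" * 20  # TPM 1.2 reset state of a SHA-1 PCR


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One TPM 1.2 extend operation on a SHA-1 PCR."""
    return hashlib.sha1(pcr + measurement).digest()


def measure(blob: bytes) -> bytes:
    """The value a measured-boot loader extends: the SHA-1 of the component."""
    return hashlib.sha1(blob).digest()


def predict_pcr(components) -> bytes:
    """Pre-calculate the final PCR value for an ordered list of components."""
    pcr = PCR_INIT
    for blob in components:
        pcr = extend(pcr, measure(blob))
    return pcr


def needs_reseal(old_chain, new_chain) -> bool:
    """Resealing is required whenever the predicted PCR value changes."""
    return predict_pcr(old_chain) != predict_pcr(new_chain)


# Constructed sample boot chain: placeholders standing in for real binaries.
BOOT_CHAIN = [b"bootloader-stage1", b"grub.cfg v1", b"vmlinuz-3.8", b"initrd.img-3.8"]
UPDATED_CHAIN = BOOT_CHAIN[:2] + [b"vmlinuz-3.9", b"initrd.img-3.9"]


def main():
    print("sealed to PCR:      ", predict_pcr(BOOT_CHAIN).hex())
    print("after kernel update:", predict_pcr(UPDATED_CHAIN).hex())
    print("reseal required:    ", needs_reseal(BOOT_CHAIN, UPDATED_CHAIN))


if __name__ == "__main__":
    main()
```

Because extend is order-sensitive, swapping two components also changes the predicted value; only an update that leaves every measured blob byte-identical in the same order keeps the sealed key unlockable.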