* [dm-crypt] TPM support for LUKS partitions
From: Nicolae Paladi @ 2013-02-27 13:26 UTC (permalink / raw)
  To: dm-crypt

Hi,

I would like to find out more about TPM support for LUKS partitions
(based on this post from last year):
http://www.saout.de/pipermail/dm-crypt/2012-November/002905.html

Are there any activities/plans blueprints currently active?
Does anyone know if more distros besides RHEL and Fedora
are supported?

cheers,
/Nicolae.


* Re: [dm-crypt] TPM support for LUKS partitions
From: Kent Yoder @ 2013-02-27 17:47 UTC (permalink / raw)
  To: Nicolae Paladi; +Cc: dm-crypt

On Wed, Feb 27, 2013 at 7:26 AM, Nicolae Paladi <n.paladi@gmail.com> wrote:
> Hi,
>
> I would like to find out more about TPM support for LUKS partitions
> (based on this post from last year):
> http://www.saout.de/pipermail/dm-crypt/2012-November/002905.html
>
> Are there any activities/plans blueprints currently active?
> Does anyone know if more distros besides RHEL and Fedora
> are supported?

  Not at the moment, nor are there plans for me to do this work. :-)
Patches are always welcome.

Kent

> cheers,
> /Nicolae.
>


* Re: [dm-crypt] TPM support for LUKS partitions
From: .. ink .. @ 2013-02-27 18:50 UTC (permalink / raw)
  To: Nicolae Paladi; +Cc: dm-crypt

> I would like to find out more about TPM support for LUKS partitions
> (based on this post from last year):
> http://www.saout.de/pipermail/dm-crypt/2012-November/002905.html
>
> Are there any activities/plans blueprints currently active?
> Does anyone know if more distros besides RHEL and Fedora
> are supported?

I have a project hosted at the link below that uses a plugin architecture
to retrieve passphrases for LUKS volumes. It currently has plugins to
get keys from gnome keyring and kde kwallet among others and adding support
for TPMs shouldn't be hard. I haven't done so because I don't have hardware to
test. I can add support if you have the hardware and are willing to do the
testing for me.

project page: http://code.google.com/p/zulucrypt/


* Re: [dm-crypt] TPM support for LUKS partitions
From: Zaolin @ 2013-02-28  3:25 UTC (permalink / raw)
  To: .. ink ..; +Cc: dm-crypt, Nicolae Paladi

Hi,

TPM support is hard.... I am working at the company which created the trusted grub, tpmmanager and tpm infineon kernel driver.
All of you guys want to use the TPM software stack named TrouSers. This idea is really bad because it is an incomplete and broken tss.

The idea of TPM support in cryptsetup is great but I wanted to use the keyctl kernelspace key management in order to be free from TrouSers and initrd dependencies.

There are also some known problems with Trusted Boot Systems:

* Consistent resealing after changes with PCR pre calculation. <-- It is really big shit.
* Multi User support
* Migration, this means backup ability.
* Key Store of TrouSers

I had the same idea a long time ago but I didn't finish my project.

see -> www.tpmcrypt.org

I guess it makes more sense to implement this in cryptsetup as a keyutils backend itself. It is also needed to modify the dm-crypt kernel interface and libdevmapper implementation.


Regards Zaolin


* Re: [dm-crypt] TPM support for LUKS partitions
From: Zaolin @ 2013-02-28  3:30 UTC (permalink / raw)
  To: .. ink ..; +Cc: dm-crypt, Nicolae Paladi

Hi,

TPM support is hard.... I am working at the company which created the trusted grub, tpmmanager and tpm infineon kernel driver.
All of you guys want to use the TPM software stack named TrouSers. This idea is really bad because it is an incomplete and broken tss.

The idea of TPM support in cryptsetup is great but I wanted to use the keyctl kernelspace key management in order to be free from TrouSers and initrd dependencies.

There are also some known problems with Trusted Boot Systems:

* Consistent resealing after changes with PCR pre calculation. <-- It is really big shit.
* Multi User support
* Migration, this means backup ability.
* Key Store of TrouSers

I had the same idea a long time ago but I didn't finish my project.

see -> www.tpmcrypt.org

I guess it makes more sense to implement this in cryptsetup as a keyutils backend itself. It is also needed to modify the dm-crypt kernel interface and libdevmapper implementation.


Regards Zaolin


* Re: [dm-crypt] TPM support for LUKS partitions
From: Kent Yoder @ 2013-02-28 16:43 UTC (permalink / raw)
  To: Zaolin; +Cc: dm-crypt, Nicolae Paladi, .. ink ..

On Wed, Feb 27, 2013 at 9:30 PM, Zaolin <zaolin@das-labor.org> wrote:
> Hi,
>
> TPM support is hard.... I am working at the company which created the trusted grub, tpmmanager and tpm infineon kernel driver.
> All of you guys want to use the TPM software stack named TrouSers. This idea is really bad because it is an incomplete and broken tss.

  Not sure what trousers has to do with this, but how is it broken or
incomplete?  We don't support the more obscure stuff like DAA, but
that shouldn't affect a disk encryption solution.

> There are also some known problems with Trusted Boot Systems:
>
> * Consistent resealing after changes with PCR pre calculation. <-- It is really big shit.

  Unfortunately reconstructing the event log is an app-specific thing
right now, since there's no way I know of to append to the ACPI event
log.  tpm-luks supports trustedgrub out of the box but also allows you
to support any other trust chain you'd like.

> * Multi User support
> * Migration, this means backup abillity.
> * Key Store of TrouSers

  Using nvram instead of a tpm key should help work around these issues.

Kent

>
> Regards Zaolin


* Re: [dm-crypt] TPM support for LUKS partitions
From: octane indice @ 2013-03-01  9:02 UTC (permalink / raw)
  To: Zaolin; +Cc: dm-crypt, Nicolae Paladi, .. ink ..

In reply to Zaolin <zaolin@das-labor.org>:
> TPM support is hard.... I am working at the company
> which created the trusted grub, tpmmanager and
> tpm infineon kernel driver. All of you guys want to
> use the TPM software stack named TrouSers.
> This idea is really bad because it is an incomplete
> and broken tss.
> 
I use a /boot partition which contains a kernel,
an initrd and a sealed blob. TrustedGrub is used
to boot the system.
I use a custom initrd which will open the sealed blob
only if PCRs are OK. Then the content of this blob is
piped to cryptsetup. If everything is OK, the
ciphered partition is open.

> The idea of TPM support in cryptsetup is great but I
> wanted to use the keyctl kernelspace key management
> in order to be free from TrouSers and initrd dependencies.
> 
> There are also some known problems with Trusted
> Boot Systems:
> 
> * Consistent resealing after changes with PCR pre
> calculation. <-- It is really big shit.

Can you explain more on that? Do you have any links?

> * Multi User support

I don't see where it could be interesting on
the boot?

> * Migration, this means backup ability.
> * Key Store of TrouSers
> 
> I had the same idea a long time ago but I didn't finish my
> project.
> 
> see -> www.tpmcrypt.org
> 
> I guess it makes more sense to implement this in
> cryptsetup as keyutils backend itself. It is also
> needed to modify the dm-crypt kernel interface and
> libdevmapper implementation.
> 
> 
> Regards Zaolin
> 



* [dm-crypt] TPM support for LUKS partitions
From: Kent Yoder @ 2012-11-28  1:45 UTC (permalink / raw)
  To: dm-crypt, trousers-users

Hi,

  I've put together some scripts and utilities [1] to allow storing a
LUKS secret in TPM NVRAM.  This is different than securing your secret
by encrypting it with a TPM key in that there's no separate key blob
to manage. The key data is written directly into TPM NVRAM, r/w
protected by your password (and optionally TPM PCR state).  Note that
there's a limit to the space you'll have in NVRAM depending on your
TPM's vendor.

You can use the tpm-luks package to:
 - create a new secret, insert it into the TPM and add it to a LUKS key slot
 - open a LUKS device using a TPM secret for auth
 - kill a LUKS key slot using a TPM secret for auth
 - unlock your rootfs at boot using a TPM secret for auth (tested on
RHEL6 and Fedora 17)
 - bind the secret to a trusted grub-based root of trust
 - migrate the secret from one root of trust to a new one (tested on RHEL6)
 - support for a custom root of trust including migration

Please give it a try, I'm interested in general user feedback, bug
reports, code reviews, design reviews, flames, etc.

Also if you're a developer and willing to contribute, I'm particularly
interested in code to support non-redhat distros' initramfs formats
and migrate secrets to new roots of trust.

Thanks,
Kent

[1] git://github.com/shpedoikal/tpm-luks.git
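The mechanism behind several points in this thread is the same one: octane indice's initrd opens the sealed blob only if the PCRs are OK, Zaolin's complaint about "consistent resealing after changes with PCR pre calculation", Kent's remark about reconstructing the event log, and tpm-luks binding the secret to a trusted-grub root of trust and migrating it to a new one. The following Python model is an added example written for this archive; it is not code from tpm-luks, TrouSers, zuluCrypt or any poster. It simulates TPM 1.2 PCR extend and PCR-bound sealing in software so it runs offline: the event log, the measured strings, the PCR assignments and the LUKS secret are all constructed, the `_keystream` helper is a constructed stand-in for the TPM-resident key (a real TPM never releases that key), and `reseal_for_update` is a hypothetical name for the pre-calculation step, not a tpm-luks command.

```python
"""Software model of TPM 1.2 PCR extend and PCR-bound sealing (constructed example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

PCR_LEN = 20                   # TPM 1.2 PCRs are 20-byte SHA-1 registers
PCR_INIT = b"\x00" * PCR_LEN   # reset to all zeros at power-on; only extend can change them


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = SHA1(PCR_old || SHA1(measurement)). Order matters, no undo."""
    digest = hashlib.sha1(measurement).digest()
    return hashlib.sha1(pcr + digest).digest()


def replay_event_log(events: Iterable[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Recompute PCR values from a boot event log of (pcr index, measured bytes).
    Running this over the *expected* post-update log is the 'PCR pre-calculation'
    step: it yields the values the TPM will hold after the next boot."""
    pcrs: Dict[int, bytes] = {}
    for index, data in events:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), data)
    return pcrs


def composite(pcrs: Dict[int, bytes], indices: Iterable[int]) -> str:
    """Digest over the selected PCRs; a sealed blob is bound to this value.
    Simplified: the real TPM_COMPOSITE_HASH also covers the selection bitmap."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(indices))).hexdigest()


@dataclass
class SealedBlob:
    """Stand-in for the sealed blob kept next to the kernel and initrd in /boot."""
    ciphertext: bytes
    indices: Tuple[int, ...]
    bound_to: str          # composite the blob was sealed against


def _keystream(comp: str, length: int) -> bytes:
    # Constructed stand-in for the TPM-resident key: derived from the composite so
    # the model runs offline. A real TPM never releases its storage key at all.
    key = hashlib.sha256(comp.encode()).digest()
    return (key * (length // len(key) + 1))[:length]


def seal(secret: bytes, pcrs: Dict[int, bytes], indices: Iterable[int]) -> SealedBlob:
    idx = tuple(sorted(indices))
    comp = composite(pcrs, idx)
    ks = _keystream(comp, len(secret))
    return SealedBlob(bytes(a ^ b for a, b in zip(secret, ks)), idx, comp)


def unseal(blob: SealedBlob, pcrs: Dict[int, bytes]) -> Optional[bytes]:
    """What the initrd does at boot: the secret comes out only if the current
    PCRs match the values sealed against; otherwise the TPM refuses."""
    comp = composite(pcrs, blob.indices)
    if comp != blob.bound_to:
        return None
    ks = _keystream(comp, len(blob.ciphertext))
    return bytes(a ^ b for a, b in zip(blob.ciphertext, ks))


def reseal_for_update(secret: bytes, expected_events: List[Tuple[int, bytes]],
                      indices: Iterable[int]) -> SealedBlob:
    """Before rebooting into a new kernel/initrd: precompute the PCRs that boot
    will produce and seal against them. Skipping this is what leaves a system
    unable to unlock its root filesystem on the first boot after an update."""
    return seal(secret, replay_event_log(expected_events), indices)


# Constructed trusted-grub style event log (not real measurements):
# PCR 4 = bootloader, PCR 8 = grub config, PCR 9 = kernel and initrd.
BOOT_V1 = [(4, b"grub stage2"), (8, b"grub.conf v1"), (9, b"vmlinuz-3.8.0"), (9, b"initrd-3.8.0")]
BOOT_V2 = [(4, b"grub stage2"), (8, b"grub.conf v1"), (9, b"vmlinuz-3.8.1"), (9, b"initrd-3.8.1")]
BOUND_PCRS = (4, 8, 9)
LUKS_SECRET = b"constructed-luks-keyslot-secret"  # would be piped to cryptsetup at boot


def demo() -> Dict[str, Optional[bytes]]:
    blob = seal(LUKS_SECRET, replay_event_log(BOOT_V1), BOUND_PCRS)
    results = {
        "boot_v1": unseal(blob, replay_event_log(BOOT_V1)),            # unlocks
        "boot_v2_old_blob": unseal(blob, replay_event_log(BOOT_V2)),   # refused: PCR 9 changed
    }
    new_blob = reseal_for_update(LUKS_SECRET, BOOT_V2, BOUND_PCRS)
    results["boot_v2_resealed"] = unseal(new_blob, replay_event_log(BOOT_V2))  # unlocks
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {'unlocked' if value == LUKS_SECRET else 'refused'}")
```

Running it shows the failure mode the thread is arguing about: after the kernel update only PCR 9 changes, yet the old blob is refused outright, and the first boot into the new kernel unlocks only because a new blob was sealed against values precomputed from the expected event log. In a real deployment those expected values come from hashing the new kernel and initrd exactly the way the bootloader measures them, which is why the event-log format of each boot chain matters and why Kent's package treats the root of trust as pluggable.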

