From: Kent Yoder
Date: Thu, 28 Feb 2013 10:43:01 -0600
Subject: Re: [dm-crypt] TPM support for LUKS partitions
In-Reply-To: <20130228043005.48acb612@Haruhi.lan>
To: Zaolin
Cc: dm-crypt@saout.de, Nicolae Paladi, ".. ink .."

On Wed, Feb 27, 2013 at 9:30 PM, Zaolin wrote:
> Hi,
>
> TPM support is hard.... I am working at the company which created the trusted grub, tpmmanager and tpm infineon kernel driver.
> All of you guys want to use the TPM software stack named TrouSerS. This idea is really bad because it is an incomplete and broken tss.

Not sure what trousers has to do with this, but how is it broken or incomplete? We don't support the more obscure stuff like DAA, but that shouldn't affect a disk encryption solution.

> There are also some known problems with Trusted Boot Systems:
>
> * Consistent resealing after changes with PCR pre calculation. <-- It is really big shit.

Unfortunately reconstructing the event log is an app-specific thing right now, since there's no way I know of to append to the ACPI event log. tpm-luks supports trustedgrub out of the box but also allows you to support any other trust chain you'd like.

> * Multi User support
> * Migration, this means backup ability.
> * Key Store of TrouSerS

Using nvram instead of a tpm key should help work around these issues.

Kent

> Regards Zaolin
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
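The PCR pre-calculation Zaolin and Kent discuss, as an added example that is not code from this thread, from tpm-luks or from TrouSerS: replaying a constructed measurement log to predict the PCR value a kernel update will produce, which is the value a resealing step has to target before the reboot. It assumes TPM 1.2 SHA-1 PCRs; the PCR indices and measured objects in the sample log are illustrative.

```python
import hashlib

# TPM 1.2 PCRs are SHA-1 sized and start as 20 zero bytes after reset.
PCR_INITIAL = b"\x00" * 20


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend operation: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr_value + digest).digest()


def replay_log(events):
    """Replay an ordered list of (pcr_index, digest) measurements and return
    the PCR values a TPM would hold after that boot. Order matters: the same
    digests extended in a different order give a different PCR."""
    pcrs = {}
    for idx, digest in events:
        pcrs[idx] = extend(pcrs.get(idx, PCR_INITIAL), digest)
    return pcrs


def precompute_after_update(events, pcr_index, old_digest, new_digest):
    """Predict the PCR value a future boot will produce once one measured
    object (for example an updated kernel) is replaced, without rebooting.
    A resealing step must seal the LUKS key to this predicted value."""
    patched = [(i, new_digest if (i == pcr_index and d == old_digest) else d)
               for i, d in events]
    return replay_log(patched)[pcr_index]


def measure(data: bytes) -> bytes:
    """Digest of a measured object as a boot loader would record it."""
    return hashlib.sha1(data).digest()


if __name__ == "__main__":
    # Constructed measurement log; the PCR assignments are illustrative and
    # not taken from any particular firmware or boot loader.
    old_kernel, new_kernel = measure(b"vmlinuz-3.7"), measure(b"vmlinuz-3.8")
    log = [(0, measure(b"firmware")), (4, measure(b"bootloader")),
           (8, old_kernel), (8, measure(b"initrd.img"))]
    now = replay_log(log)
    predicted = precompute_after_update(log, 8, old_kernel, new_kernel)
    print("PCR8 now      :", now[8].hex())
    print("PCR8 predicted:", predicted.hex())
```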