In reply to Zaolin <zaolin@xxxxxxxxxxxxx>:

> TPM support is hard.... I am working at the company
> which created the trusted grub, tpmmanager and
> tpm infineon kernel driver. All of you guys want to
> use the TPM software stack named TrouSers.
> This idea is really bad because it is an incomplete
> and broken tss.
>

I use a /boot partition which contains a kernel, an initrd and a sealed blob. TrustedGrub is used to boot the system. I use a custom initrd which will open the sealed blob only if the PCRs are OK. Then the content of this blob is piped to cryptsetup. If everything is OK, the encrypted partition is opened.

> The idea of TPM support in cryptsetup is great but i
> wanted to use the keyctl kernelspace key management
> in order to be free from TrouSers and initrd dependencies.
>
> There are also some known problems with Trusted
> Boot Systems:
>
> * Consistent resealing after changes with PCR pre
> calculation. <-- It is really big shit.

Can you explain more on that? Do you have any links?

> * Multi User support

I don't see where it could be interesting at boot?

> * Migration, this means backup ability.
> * Key Store of TrouSers
>
> I had the same idea a long time ago but i didn't finish my
> project.
>
> see -> www.tpmcrypt.org
>
> I guess it makes more sense to implement this in
> cryptsetup as keyutils backend itself. It is also
> needed to modify the dm-crypt kernel interface and
> libdevmapper implementation.
>
>
> Regards Zaolin
>

Sent with Inmano, my stunning free webmail: http://www.inmano.com

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
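The initrd unlock flow described in the reply above (unseal the blob only if the PCRs match, then pipe the secret straight into cryptsetup), written out as an added example; it is not the poster's own initrd script. It assumes the blob in /boot was produced by tpm_sealdata from tpm-tools (which needs tcsd, i.e. TrouSers, running inside the initrd) and holds the raw LUKS key, and it falls back to the passphrase slot when the PCRs no longer match, which is exactly the resealing-after-update problem Zaolin raises.

```shell
#!/bin/sh
# Added example, not code from the thread: the initrd unlock step the reply
# describes (unseal the blob only if PCRs match, pipe the secret to cryptsetup).
# Assumptions: the blob was produced by tpm_sealdata from tpm-tools (tcsd, i.e.
# TrouSers, must be running in the initrd) and holds the raw LUKS key;
# tpm_unsealdata exits non-zero when the PCRs differ from seal time.
# The key only ever travels through a pipe, never a file on the initrd.

# unseal_key BLOB: write the unsealed secret to stdout, fail on PCR mismatch.
unseal_key() {
    blob=$1
    [ -r "$blob" ] || { echo "sealed blob $blob not readable" >&2; return 1; }
    # -z: authorise with the well-known all-zero SRK secret (unattended boot);
    # tpm_unsealdata writes to stdout when no -o is given
    tpm_unsealdata -z -i "$blob"
}

# unlock_root BLOB DEVICE NAME: map DEVICE to /dev/mapper/NAME.
# Returns 0 on success by either path, non-zero if both paths fail.
unlock_root() {
    blob=$1; dev=$2; name=$3
    # --key-file=- reads the key from stdin, so nothing touches the filesystem
    if unseal_key "$blob" | cryptsetup luksOpen --key-file=- "$dev" "$name"; then
        echo "root unlocked with TPM-sealed key" >&2
        return 0
    fi
    # PCR mismatch (kernel or bootloader updated without resealing) or a TPM
    # fault: fall back to the passphrase slot so the machine remains bootable
    # and the operator can reseal once the new measurements are trusted.
    echo "TPM unseal failed; asking for passphrase" >&2
    cryptsetup luksOpen "$dev" "$name"
}
```

Keep a passphrase keyslot enrolled alongside the sealed key; without it a PCR change after an update locks you out until the blob is resealed from a rescue system.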