On Thu, Dec 6, 2018 at 3:13 AM Javier Martinez Canillas <javierm@xxxxxxxxxx> wrote:
>
> On 05-12-18 23:58, Chris Murphy wrote:
>
>> b. Windows laptops have TPM 2.0 which I can't get to work on Linux
>> (works fine on Windows 10).
>> https://bugzilla.kernel.org/show_bug.cgi?id=185631
>
> This seems to be a driver issue. Bugzilla usually is not the best channel to
> report kernel issues but instead the subsystem mailing list. For TPM this is
> linux-integrity@xxxxxxxxxxxxxxx. Could you please post your issue there?

Yes.

>
>>> c. Can a TPM be reliably shared by both Windows and Fedora in a dual
>>> boot configuration?
>>
>> Javier, Peter, can you answer this please?
>>
>
> This is a two part question I think. First is the measurements, and since
> BitLocker seals against a PCR state when booting with the Windows bootloader,
> this means that we can't chain-load Windows from grub2, since the measurements
> would be different and prevent BitLocker from unlocking the encrypted disk.
>
> So for this case Windows has to be booted using the EFI firmware and having a
> separate boot entry. This is my understanding at least; I don't have a Windows
> installation to test.
>
> The second part is the key management. Clevis currently expects that the key
> hierarchies are not password protected. This is because asking the user for a
> password would defeat the purpose of automatically unlocking the LUKS volume.

Why bother encrypting anything if it's going to be automatically unlocked just
by booting? If the login window is a sufficient barrier to exfiltrating and
modifying user files on an unlocked volume, then it's a sufficient barrier for
an unencrypted volume, because it is in effect a plaintext volume, automatically
without a passphrase, merely when powered on.

> Also fscrypt is only supported by ext4, right? It would be better to find a
> solution that wouldn't impose a specific filesystem on the user.

fscrypt is today supported by ext4, f2fs, and UBIFS.
There are plans to support XFS and Btrfs, but I have no idea what their time
frames are; reflinks and snapshots add complications.

--
Chris Murphy
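The point Javier makes above, that BitLocker's key is sealed to a PCR state and that inserting grub2 into the boot path changes the measurements, can be illustrated with a small simulation. The following is an added example, not code from this thread or from any TPM, BitLocker or Clevis project. It models the TPM PCR extend operation (new = SHA-256(old || SHA-256(event))) and a deliberately simplified seal/unseal check; the boot-chain stage names and the "volume master key" value are constructed for the example, and a real TPM 2.0 PolicyPCR digest is built from a PCR selection and a digest of the selected PCR values rather than from a single PCR as here.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank; PCRs start as all zeros at power-on


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || H(event)).

    The operation is one-way and order-sensitive: a PCR can only be
    driven to a given value by measuring the same events in the same order.
    """
    return sha256(pcr + sha256(event))


def measure_boot(chain) -> bytes:
    """Run a constructed boot chain through a single PCR and return its final value."""
    pcr = bytes(PCR_SIZE)
    for stage in chain:
        pcr = extend(pcr, stage)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Simplified model of sealing to a PCR policy (assumption: not the real
    TPM 2.0 PolicyPCR construction). The sealed blob records a digest of the
    PCR value it requires; a real TPM keeps the secret inside the chip and
    releases it only when the policy is satisfied."""
    return {"policy": sha256(expected_pcr), "secret": secret}


def unseal(blob: dict, current_pcr: bytes):
    """Release the secret only if the current PCR matches the sealed policy."""
    if sha256(current_pcr) != blob["policy"]:
        return None
    return blob["secret"]


# Constructed boot chains (stage names are illustrative, not real measurements).
# Booting Windows directly from the firmware boot entry:
WINDOWS_DIRECT = [b"uefi-firmware", b"bootmgfw.efi", b"winload.efi"]
# Chain-loading the same Windows boot manager from grub2 adds a stage:
WINDOWS_VIA_GRUB = [b"uefi-firmware", b"grubx64.efi", b"bootmgfw.efi", b"winload.efi"]


def demo() -> dict:
    """Seal a constructed key against the direct-boot PCR and try both paths."""
    vmk = b"constructed-volume-master-key"  # constructed stand-in, not a real key
    blob = seal(vmk, measure_boot(WINDOWS_DIRECT))
    return {
        # Same loader chain as at seal time: the key is released.
        "direct_unlocks": unseal(blob, measure_boot(WINDOWS_DIRECT)) == vmk,
        # Extra grub2 stage changes the PCR: the key stays sealed, so the
        # user would be prompted for a BitLocker recovery key instead.
        "via_grub_unlocks": unseal(blob, measure_boot(WINDOWS_VIA_GRUB)) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'direct_unlocks': True, 'via_grub_unlocks': False}`, which is the dual-boot situation described above: the sealed key is only recoverable on the exact measured path it was sealed against, so Windows needs its own firmware boot entry rather than being chain-loaded from grub2.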