On Wed, Jul 08, 2020 at 11:58:58AM +0300, Marius Vollmer wrote:
> Hi,
>
> we have some rudimentary support for Clevis in the Cockpit Web Console,
> and now the question is, should we add support for "tpm2" to that?

What does 'support for clevis' there look like? You mean just binding an
encrypted drive to look for clevis servers on boot?

>
> As I understand it, there is a lot of evolving OS specific subtlety
> involved, so I am asking specifically how this would look on current
> Fedora and what to expect in the near future.
>
> Here is the discussion that prompted my question:
>
> https://github.com/cockpit-project/cockpit/issues/14313
>
> In most concrete terms: Which PCRs should we use on which version of
> Fedora? ("None" is a totally nice answer.)
>
> I don't think we can let the user enter the PCR numbers, that requires
> way too much intimate knowledge of the current state of support for
> secure boot of their OS. I.e., the best way I have to answer that for
> myself is to ask here.
>
> The user needs to be shielded from that knowledge, I'd say, and ideally
> clevis would already shield me from it, but I am happy to do it in
> Cockpit.

I think tpm2 might be good, but.... lots of machines don't have tpm2.
So I would think it would need to be optional?

kevin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx