Re: F36 Change: Make Rescue Mode Work With Locked Root (System-Wide Change proposal)

On Mi, 08.12.21 13:28, Chris Murphy (lists@xxxxxxxxxxxxxxxxx) wrote:

> On Wed, Dec 8, 2021 at 7:52 AM Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
> >
> > On Di, 07.12.21 15:39, Zbigniew Jędrzejewski-Szmek (zbyszek@xxxxxxxxx) wrote:
> >
> > > Latest systemd versions have been getting some support for the low-level
> > > parts, i.e. the low-level encrypted-secret storage. But we're missing the
> > > upper parts, i.e. how to actually use and update the passwords. I didn't
> > > even mention this, because we don't have a comprehensive story yet.
> > > I think it'd be necessary to write some pam module and/or authentication
> > > helper from scratch. It's probably not too much work, but nobody has
> > > signed up to do this.
> >
> > So here's what I'd suggest: let's define a group (my suggestion: let's
> > repurpose "wheel" for that) that has the effect that the passwords of
> > any user in it are also accepted as password for the root user,
> > implicitly. We'd have to add some small infra to collect these
> > passwords, and encrypt/sign them with TPM2, then propagate to the ESP
> > or to some EFI var or so, so that they can be honoured already in the
> > initrd.
>
> I'm skeptical of any TPM2 dependency because systems still do not come
> with them, in particular the significant minority of systems that are
> not part of the "made for Windows" marketing program that compels
> manufacturers to follow the Windows Hardware Compatibility Program.

Well, I am pretty sure we should design our stuff with modern hw in
mind, i.e. design from the current state of the art of hardware, and
find graceful fallbacks for environments that are more limited. Yes, I
am fully aware that there are older and simpler devices that lack it,
but I don't think this should mean "don't use TPM2 by default", but
instead "let's use TPM2 whenever we can, but gracefully degrade if we
can't".

Or more specifically in this context: if we don't have a TPM2 chip,
we can't encrypt or authenticate the root passwords before allowing
them in the initrd. Which then means we won't do that in that case, so
things will still work, but of course you'll get much weaker security
guarantees.

> And yes you can install Windows 11 without a TPM, it just won't be
> preinstalled, and that make/model doesn't qualify for whatever Windows
> marketing programs OEMs get for having certified hardware. That's
> aside from the fact there's TPM 2.0 in hardware today that the kernel
> doesn't support and likely won't ever support.

Still, don't make this an exercise of racing to the bottom. Let's
focus on the future, be secure by default there, and provide
acceptable fallbacks for the past.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure



