On Monday, 04.10.2021 at 14:49 +0200, Lennart Poettering wrote:
> On Thu, 30.09.21 21:20, Sebastian Wiesner (sebastian@xxxxxxxx) wrote:
>
> > Hello,
> >
> > thanks for the quick reply, I guess this explains the lack of
> > instructions
>
> btw, coincidentally this was posted on github on the day you posted
> this:
>
> https://github.com/systemd/systemd/pull/20902
>
> so hopefully we'll have the missing tools in place soon too.

Great, so it looks as if everything's in place with systemd 250 perhaps?

> > As a workaround you'd use a regular file key for dm-integrity and
> > put that on a TPM-protected partition, if I understand you correctly?
>
> yes.
>
> > I.e. you'd
> >
> > 1. enable secureboot (custom keys or shim),
> > 2. bundle kernel & initrd into signed UEFI image for systemd-boot,
> > 3. make / a LUKS-encrypted partition with systemd-cryptenroll, bound
> > to the TPM (perhaps PCR 0 and 7) and unlocked automatically at boot,
>
> only pcr 7, for the reasons explained in the blog story.

Alright :)

> > 4. make /home a dm-integrity partition, with a regular keyfile from
> > e.g. /etc/integrity.key (which is on the encrypted partition), and
>
> actually, after thinking a bit more about this I figure the ultimate
> path for this would be /etc/integritysetup-keys.d/home.key – because
> we already implemented in systemd-cryptsetup a scheme where we search
> for the encryption key for volume xyz in
> /etc/cryptsetup-keys.d/xyz.key, and we should probably do it similar
> for verity keys, too.
>
> > 5. use homed for LUKS-encrypted home areas on /home?
> >
> > Does this sound reasonable?
>
> Yes!

Thanks :) Looking forward to trying this.

Cheers,
Basti
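The five-step layout discussed in this thread, written out as a small POSIX shell script. This is an added example, not something posted in the thread or shipped by systemd: the partition labels, the 64-byte key size, the `homectl` user name and the `/etc/integritysetup-keys.d/home.key` location (the path Lennart proposes above, not a path the thread says is implemented) are all assumptions. The objcopy section offsets follow the systemd-stub documentation; `DRY_RUN=1` (the default here) prints each command instead of running it, so the script can be reviewed on any machine before being run as root on the real one.

```shell
#!/bin/sh
# Added example for the systemd-devel thread above; not code from the thread or from systemd.
# Assumptions: partition labels "root"/"home", a 64-byte HMAC key, the integritysetup-keys.d
# path proposed in the thread. DRY_RUN=1 prints commands rather than executing them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
ROOT_DEV="${ROOT_DEV:-/dev/disk/by-partlabel/root}"          # assumed label
HOME_DEV="${HOME_DEV:-/dev/disk/by-partlabel/home}"          # assumed label
INTEGRITY_KEY="${INTEGRITY_KEY:-/etc/integritysetup-keys.d/home.key}"  # proposed path, assumption

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 2: one unified kernel image (stub + os-release + cmdline + kernel + initrd),
# then sign it with the Secure Boot db key (custom keys) so the firmware measures
# and verifies the whole bundle rather than a loose kernel and initrd.
build_uki() {
    kernel=$1; initrd=$2; cmdline=$3; out=$4
    run objcopy \
        --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
        --add-section .cmdline="$cmdline"    --change-section-vma .cmdline=0x30000 \
        --add-section .linux="$kernel"       --change-section-vma .linux=0x2000000 \
        --add-section .initrd="$initrd"      --change-section-vma .initrd=0x3000000 \
        /usr/lib/systemd/boot/efi/linuxx64.efi.stub "$out"
}
sign_uki() { run sbsign --key "$1" --cert "$2" --output "$4" "$3"; }

# Step 3: the thread settles on PCR 7 (Secure Boot policy state) alone. PCR 0 holds the
# firmware code measurement, so binding to it as well would also tie the root unlock to
# every firmware update (assumption stated here, not a claim from the thread).
tpm2_pcrs() { printf '7'; }

enroll_root_tpm2() {
    run systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$(tpm2_pcrs)" "$ROOT_DEV"
}
# Matching /etc/crypttab entry so the root volume unlocks from the TPM at boot.
crypttab_root_line() {
    printf 'root %s none tpm2-device=auto,tpm2-pcrs=%s\n' "$ROOT_DEV" "$(tpm2_pcrs)"
}

# Step 4: keyed dm-integrity on /home. The key lives on the encrypted root, so it is only
# readable after the TPM-bound unlock succeeded; keep it 0600 (umask 077 when creating).
create_integrity_key() {
    run sh -c "umask 077 && head -c 64 /dev/urandom > '$INTEGRITY_KEY'"
}
format_home_integrity() {
    run integritysetup format --integrity hmac-sha256 \
        --integrity-key-file "$INTEGRITY_KEY" --integrity-key-size 64 "$HOME_DEV"
}
# Matching /etc/integritytab entry: volume-name block-device key-file options.
integritytab_home_line() {
    printf 'home %s %s algorithm=hmac-sha256\n' "$HOME_DEV" "$INTEGRITY_KEY"
}

# Step 5: per-user LUKS home areas managed by systemd-homed on top of /home.
create_homed_user() { run homectl create "$1" --storage=luks; }

# Dry-run plan of the whole procedure in order; run with DRY_RUN=0 to apply for real.
plan_all() {
    build_uki /boot/vmlinuz /boot/initrd.img /etc/kernel/cmdline /boot/linux.efi
    sign_uki /etc/secureboot/db.key /etc/secureboot/db.crt /boot/linux.efi /boot/linux.signed.efi
    enroll_root_tpm2
    printf '# /etc/crypttab: '; crypttab_root_line
    create_integrity_key
    format_home_integrity
    printf '# /etc/integritytab: '; integritytab_home_line
    create_homed_user basti
}
plan_all
```

Order matters: the dm-integrity keyfile is only useful if it sits on the already-unlocked root, which is what makes the plain keyfile an acceptable stand-in for a TPM-bound integrity key until the tooling referenced in the linked pull request lands.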