On Mo, 27.05.24 22:42, Aleksandar Kostadinov (akostadi@xxxxxxxxxx) wrote:

> > if you want to use literal PCR policies like clevis does it, systemd
> > can do that for you just fine?
>
> clevis combines multiple methods and combinations. Like pin, PCRs (not
> signing), tang servers, but can be combined in different ways.

systemd-cryptenroll supports pin, literal PCR, signed PCR — in any
combination. (plus pcrlock, but that currently cannot be combined with
signed PCR, because afaics it is not expressible in the TPM policy
language).

> > > P.S. also would be great if systemd also supported tang so that both
> > > signed PCRs and tang could be required for automatic unlock.
> >
> > I am not convinced networked unlock with ssss really is something
> > relevant for anyone but a select few folks who run major data centers
> > and are willing to pay the price for doing the work. It's also just a
> > bunch of shell scripts last time I looked, or did that change? If so,
> > doubly uninterested.
>
> Actually my use case is to keep a remote private server where I was
> concerned about somebody taking the hardware away. So the network
> policy-based encryption pretty much covered my main concerns. + TPM to
> make local data access more difficult, but I don't really see this as a
> likely threat. And you can build the tang server with a Raspberry or
> install it on an OpenWrt router. So definitely something close to
> trivial for anybody building a home server.
>
> I didn't go in depth into how tang and clevis worked. `tang` (the
> server https://github.com/latchset/tang) seems to be using a lot of C
> but also a lot of shell. If it is good for big datacenters, then it
> should be fine for me also.

The relevant pieces are all glued-together shell scripts:

https://github.com/latchset/clevis/blob/master/src/pins/tpm2/clevis-decrypt-tpm2

Lennart

--
Lennart Poettering, Berlin