On Do, 30.05.24 17:08, Demi Marie Obenour (demi@xxxxxxxxxxxxxxxxxxxxxx) wrote:

> > Hmm, this is an interesting idea, I kinda like it. But I am not sure
> > how far this will get us, because I think even for FDE we eventually
> > want to store asymmetric keys, not symmetric ones (i.e. I think we
> > should start supporting things like TPM2+FIDO or TPM2+PKCS11 or
> > TPM2+ssh-agent where both devices operate in tandem, in a challenge
> > response model, not sure how far you get with that if we can only
> > protect symmetric keys)
>
> How would TPM2+FIDO work?

ChromeOS is passing a nonce from the tpm to the fido device, which then
signs it, which the tpm then can verify.

Lennart

--
Lennart Poettering, Berlin
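The nonce round trip described above (TPM issues a nonce, FIDO device signs it, TPM verifies), modelled as an added Go example; this is not code from systemd or ChromeOS. The type names, the constructed authenticatorData placeholder and the one-shot nonce bookkeeping that rejects a replayed assertion are assumptions of the model, and the replay check goes one step beyond what the mail states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// fidoDevice models the authenticator: it only holds the private key and signs any
// challenge handed to it, over authenticatorData || SHA-256(clientData) as FIDO does.
type fidoDevice struct{ priv *ecdsa.PrivateKey }

func (d *fidoDevice) sign(nonce []byte) (authData, sig []byte, err error) {
	authData = []byte("constructed-authenticatorData") // placeholder, not real flags/CBOR
	clientHash := sha256.Sum256(nonce)
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
	return
}

// tpmPolicy models the TPM side: it holds only the FIDO public key, issues one fresh
// nonce per unseal attempt (pending = SHA-256 of nonces not yet consumed) and
// accepts an assertion over each nonce exactly once.
type tpmPolicy struct{ pub *ecdsa.PublicKey; pending map[[32]byte]bool }

func (t *tpmPolicy) newNonce() []byte {
	n := make([]byte, 32)
	rand.Read(n) // crypto/rand; a real policy would treat an error here as fatal
	t.pending[sha256.Sum256(n)] = true
	return n
}

// verify burns the nonce whether or not the signature checks out, so a replayed assertion is rejected.
func (t *tpmPolicy) verify(nonce, authData, sig []byte) bool {
	h := sha256.Sum256(nonce)
	if !t.pending[h] {
		return false // never issued, or already consumed
	}
	delete(t.pending, h)
	digest := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return ecdsa.VerifyASN1(t.pub, digest[:], sig)
}

// runExchange does one tandem unseal, then replays the same assertion.
func runExchange() (first, replay bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dev, tpm := &fidoDevice{priv}, &tpmPolicy{&priv.PublicKey, map[[32]byte]bool{}}
	nonce := tpm.newNonce()
	authData, sig, _ := dev.sign(nonce)
	return tpm.verify(nonce, authData, sig), tpm.verify(nonce, authData, sig) // true, false
}
```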