Dasharo / dasharo-issues

The Dasharo issue tracker
https://dasharo.com/

Test new TPM related systemd features #249

Open TomaszAIR opened 1 year ago

TomaszAIR commented 1 year ago

The problem you're addressing (if any)

In the systemd 252 release there are some new, TPM-related features that might be worth checking. Those are:

[1] https://lists.freedesktop.org/archives/systemd-devel/2022-October/048519.html

Describe the solution you'd like

Research what those features can give us, and test it with DTS on some Dasharo supported platforms.

Where is the value to a user, and who might that user be?

Describe alternatives you've considered

Additional context

pietrushnic commented 1 year ago

In the past we had the idea of integrating safeboot, but the safeboot packages are a little bit outdated and there are other problems with them.

Although we are not huge fans of systemd, it is widely used and we should consider supporting those features. If major distros use the above features by default, we should make sure that Dasharo complies with them.

On top of that, this feature set may open the door to DRTM integration, since we can seal to DRTM PCRs.

mkopec commented 1 year ago

systemd-cryptenroll has actually been present in a number of releases now. I've been using it on Arch with LUKS bound to PCRs 0 and 2 and it works quite well. Sealing to DRTM PCRs is already possible:

--tpm2-pcrs= [PCR...]
           Configures the TPM2 PCRs (Platform Configuration Registers) to bind the enrollment requested via
           --tpm2-device= to. Takes a "+" separated list of numeric PCR indexes in the range 0...23. If not used,
           defaults to PCR 7 only. If an empty string is specified, binds the enrollment to no PCRs at all. PCRs
           allow binding the enrollment to specific software versions and system state, so that the enrolled
           unlocking key is only accessible (may be "unsealed") if specific trusted software and/or configuration
           is used.

I guess the biggest problem is coreboot's PCR assignment, which is very different to the TCG-specified and commonly used assignments: https://ticket.coreboot.org/issues/420
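The man page excerpt above describes the `--tpm2-pcrs=` format ("+"-separated indexes 0...23, empty string binds to no PCRs, default PCR 7). The following script is an added example, not code from this issue, from Dasharo or from systemd: it validates a PCR list against those rules, assembles the `systemd-cryptenroll` invocation for review without executing it, and, where a TPM is present, prints the current SHA-256 PCR values that the enrollment would be sealed to (the `/sys/class/tpm/tpm0/pcr-sha256/N` sysfs files are assumed; the device path is a placeholder). Which indexes are worth binding still depends on the platform's measurement layout, which on coreboot differs from the TCG assignment as the linked ticket notes.

```shell
#!/bin/sh
# Added example, not code from the Dasharo issue or from systemd.
# Checks a PCR list against the rules in the systemd-cryptenroll man page
# ("+"-separated indexes 0...23, empty = no PCRs, unset = PCR 7) and builds
# the enrollment command for review without running it.

# validate_pcrs LIST: exit 0 if LIST is a valid --tpm2-pcrs= value.
validate_pcrs() {
    list=$1
    [ -z "$list" ] && return 0          # empty string: bind to no PCRs
    old_ifs=$IFS
    IFS='+'
    set -- $list                        # split on "+"
    IFS=$old_ifs
    for idx in "$@"; do
        case $idx in
            ''|*[!0-9]*) return 1 ;;    # empty field (e.g. "0++2") or non-numeric
        esac
        [ "$idx" -le 23 ] || return 1   # outside the 0...23 range
    done
    return 0
}

# build_enroll_cmd DEVICE [LIST]: print the systemd-cryptenroll invocation
# that would bind DEVICE's LUKS keyslot to LIST (documented default: PCR 7).
# DRTM PCRs (17...22 in the TCG layout) pass the same range check.
build_enroll_cmd() {
    dev=$1
    if [ $# -ge 2 ]; then
        validate_pcrs "$2" || { echo "invalid PCR list: $2" >&2; return 1; }
        pcr_opt="--tpm2-pcrs=$2"
    else
        pcr_opt="--tpm2-pcrs=7"         # documented default, made explicit
    fi
    printf 'systemd-cryptenroll --tpm2-device=auto %s %s\n' "$pcr_opt" "$dev"
}

# show_pcrs LIST: print the current SHA-256 value of each listed PCR from
# sysfs (assumed path: /sys/class/tpm/tpm0/pcr-sha256/N, Linux 5.12+).
# These are the values the enrollment would be sealed to. Entries that are
# not readable (no TPM, old kernel) are reported rather than failing.
show_pcrs() {
    validate_pcrs "$1" || return 1
    old_ifs=$IFS; IFS='+'; set -- $1; IFS=$old_ifs
    for idx in "$@"; do
        f=/sys/class/tpm/tpm0/pcr-sha256/$idx
        if [ -r "$f" ]; then
            printf 'PCR %2s: %s\n' "$idx" "$(cat "$f")"
        else
            printf 'PCR %2s: (not readable: %s)\n' "$idx" "$f"
        fi
    done
}

# Example run (device path is a placeholder; nothing is enrolled):
build_enroll_cmd /dev/PLACEHOLDER 0+2
show_pcrs 0+2
```

Review the printed command and the PCR values before running the real enrollment; if the bound PCRs change on every boot on a given platform (which is what the coreboot PCR assignment question is about), the sealed keyslot will simply never unseal.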

krystian-hebel commented 1 year ago

> I guess the biggest problem is coreboot's PCR assignment, which is very different to the TCG-specified and commonly used assignments: https://ticket.coreboot.org/issues/420

https://review.coreboot.org/c/coreboot/+/68750