Possibility of using TPM to emulate T2?

[albertofustinoni]

I see a lot of though is paid to security in OpenCore, up to and including ways to have a full chain of trust from firmware to OS via UEFI Secure Boot signing/Vaulting/Apple Secure boot.

Given that and OpenCore's position in the boot chain, I am wondering if it would be possible for it to take advantage of the TPM present in modern PCs to provide things like:

• TPM backed storage of secrets, to provide things like full disk encryption when user has not set up FileVault and WebAuthN platform authenticator. It would allow OpenCore systems to have functionality and security equivalent to T2 equipped macs, since the T2 and TPM provide equivalent functionality
• Avoiding the need for users to manually vault their configuration, by using TPM PCRs like Windows does for BitLocker: the emulated T2's master key (which is used to derive all other keys, including - crucially - the one used to encrypt macOS's system volume) could be sealed in the real TPM using the PCRs and measurements like BIOS and the same hashes used to compute the vault right now. Making unauthorized changes to any of those would result in a different emulated T2 master key and impossibility to derive the original secrets.

Has this been considered before?

[vit9696]

In general I am not against this, but the architecture is quite different for TPM and T2. For example:

• T2 Macs have T2 SSD transparently exposed to the system without any serious interfacing at scale.
• TPM encrypted storage is very small.
• Using PCRs to hash config.plist will not make much of a difference compared to manual revaulting from the user's PoV.

I would say it has loosely been considered, but the effort needed and the gained benefit are rather slim, so here we would rather let other parties to contribute something we can adopt.

[rbelusko]

I am wondering this myself, but for a slightly different reason: I am hearing that the new 'iPhone Mirroring' feature uses T2 authentication. So I don't think this would ever work on a Hackintosh, unless T2 is bypassed.

Without 'iPhone Mirroring', I don't see a need to continue Hackintoshing.