Clevis TPM2 pin support

[scj643]

Storage

Implement adding TPM2 keys to a LUKS encrypted drive.

More info on TPM2 and Clevis can be found here

The UI would need to show PCR IDs to allow users to protect against tampering.

[mvollmer]

The UI would need to show PCR IDs to allow users to protect against tampering.

Can you elaborate on that? A mockup of the UI would be perfect.

[scj643]

I can't do a UI mockup but it would just be a set of checkboxes for a list of the PCR options. Thing is PCRs are pottentially platform specific and don't mean the same thing across TPMs. There should be a warning when using PCRs that you should keep your primary encryption key in a secure place as a backup.

[mvollmer]

Thing is PCRs are pottentially platform specific and don't mean the same thing across TPMs.

Ok, after reading https://mjg59.dreamwidth.org/48897.html I understand this now.

Whether or not to tie your disk encryption to a successful measured boot should probably be a choice left to the user. But how that is implemented should be of no concern to the user. For Linux this probably means using PCR 7 (and maybe 8?), but we should not burden the user with having to research that.

There should be a warning when using PCRs that you should keep your primary encryption key in a secure place as a backup.

Because measured boots are fragile and there is a high chance that the disk remains locked after a regular update? This is probably true when people can use arbitrary PCRs, but if, say, Fedora implements the PCR 7 scheme outlined by Matthew and we only offer that, is that still unreliable?

The warning in Cockpit would probably just say that you should have a alternative way to unlock the disk (via a passphrase or a tang server, etc) and not talking about "backing up a key", which is not something that Cockpit offers as a concept.

I would be happy with this:

• Cockpit offers tpm2 as a way to add a key, but only if there is support for it
• There is an explanation what that does. "The disk can be automatically unlocked when it is connected to the same machine" or something like that.
• If the OS implements a robust measured boot, there is a checkbox "[ ] Require successful secure boot" or something like that, default to "on". When checked, this uses OS specific PCRs.

This needs:

• A way to determine whether TPM2 is supported
• Configure time specification of a set of PCRs

How does that sound?

[mvollmer]

I have asked Fedora about which PCRs to use: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/6VYIKEH3C6VIIKNHQCPAVQZIJHKVSTG3/

[scj643]

Sounds good to me.

[mvollmer]

Sounds good to me.

Cool, I have added this into our backlog.

[scj643]

The Arch Wiki has a section describing the PCRs

https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot#Platform_configuration_registers