Closed travier closed 1 month ago
While I can see the value in this use case, I'm unsure of how common it would be for most users. If we were to include this, I think I would also like to see some robust docs that explain how to do the TPM2 binding on Silverblue, perhaps some troubleshooting steps as well. (Pardon my ignorance if the docs for Silverblue would be identical for Workstation in this case)
The instructions would be mostly the same, but will get much simpler once we have UKIs.
Right now the main issue is that if you want something meaningful in terms of security, you need to rebind after each update before the reboot. Thus this needs a script that does it during ostree-finalize step.
The end goal would be to have a box to tick in Anaconda that says "Automatically encrypt the disk (via TPM)" and have the user still enter a passphrase as backup or generate a long secret to store somewhere as backup.
While I really like the steps forward to FDE with TPM2, I don't really get the advantage of using clevis in comparison to simply using systemd-cryptenroll that is already shipped in Silverblue. In particular, what I currently do is simply using the part "Automatically decrypt additional partitions" in your article without using clevis. (Maybe this should also be covered in this article?)
The only thing that I needed to add was: Initramfs: --force-add tpm2-tss
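As an added example that is not from this thread, the following POSIX shell script performs the rebind-before-reboot step described above using systemd-cryptenroll rather than clevis. The device path, the PCR selection and the way the script gets invoked during the ostree-finalize step are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: rebind the root LUKS2 volume's TPM2 slot
# after an rpm-ostree update and before the reboot, which is needed when the
# PCR policy covers the boot chain that the update just changed.
# Assumptions (placeholders): the LUKS2 device path and the PCR selection.
# Hooking this into the ostree-finalize step (a systemd unit ordered before
# ostree-finalize-staged, or a wrapper around the update) is left to the admin.

# Accept only the "+"-separated PCR list systemd-cryptenroll expects, e.g. "7"
# or "7+11". Anything else returns 1 so a typo cannot silently bind the key to
# an unintended policy.
valid_pcrs() {
    case "$1" in
        ''|*[!0-9+]*|+*|*+|*++*) return 1 ;;
    esac
    return 0
}

# Print the command instead of running it, so callers can log or dry-run it.
# Wiping the old tpm2 slot and enrolling the new one in a single invocation
# leaves the passphrase slot untouched, so the volume stays openable by
# passphrase if enrollment fails half way.
build_rebind_cmd() {
    dev="$1"; pcrs="$2"
    valid_pcrs "$pcrs" || return 1
    printf 'systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=%s %s\n' "$pcrs" "$dev"
}

# Perform the rebind. DRY_RUN=1 only prints the command; otherwise the target
# is checked to be a LUKS device and the command is run. systemd-cryptenroll
# prompts for the existing passphrase to authorise the new TPM2 key slot.
rebind_tpm2() {
    dev="${1:-/dev/disk/by-partlabel/root}"   # placeholder device path
    pcrs="${2:-7}"                             # placeholder PCR selection
    cmd=$(build_rebind_cmd "$dev" "$pcrs") || { echo "bad PCR list: $pcrs" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    cryptsetup isLuks "$dev" || { echo "not a LUKS device: $dev" >&2; return 1; }
    eval "$cmd"
}

# Only act when explicitly asked, so the file can be sourced without side effects.
if [ "${REBIND:-0}" = 1 ]; then
    rebind_tpm2 "$@"
fi
```

Run with `REBIND=1 DRY_RUN=1 sh rebind.sh /dev/sdX3 7+11` to see the exact command before letting it touch the volume.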
If systemd-cryptenroll also works for the root partition then this could also be an option indeed.
We should investigate https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/ for Silverblue
Thanks for the report. This issue is now tracked in https://gitlab.com/fedora/ostree/sig/-/issues/33 thus I'll close this one.
It's not in Workstation yet apparently. Will have to file that there.
Make it easier to enable TPM2 binding for disk encryption via clevis. See: https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/
No, it's for the root disk
No
No
rpm-ostree install <package>? Explain why or why not.
Yes, but it would be better to have it by default to avoid modifying/rebuilding the initrd.