latchset / clevis

Automated Encryption Framework
GNU General Public License v3.0

Support for TPM key password #139

Open wiktor-k opened 4 years ago

wiktor-k commented 4 years ago

Hello,

I just found clevis while researching alternatives to LUKS unlockers that utilize TPM.

One thing that I noticed is that clevis does not support a TPM PIN as in BitLocker (note that "PIN" here means a short number that is needed to unlock the TPM key in addition to PCRs. That PIN protects against brute-force attacks).

luks-tpm2 uses TPM parent key password for this.

Why is it important? To protect against unauthorized extraction of TPM keys.

ajkerzner commented 2 years ago

Is there any chance of getting this in clevis?

ignisf commented 2 years ago

Hello, I've also been tracking this feature request for a while. Just wanted to point out that since this issue was created, tpm2-totp came to be, and it addresses a major drawback of simple PIN protection -- it allows attestation of the system before inputting the PIN and thus releasing the disk encryption key (e.g. to be logged by a counterfeit initrd).

All I'm saying is that maybe it's too late to spend effort on implementing this and we should move on to better and more secure solutions.

madsl commented 2 weeks ago

What's the status of this?

I'd really like it if it was possible for Fedora to support unlocking during boot with a TPM2-bound PIN. Does not look that good if this bug has been here untouched since 2019, so it would be interesting to know if there's any plan for anything...

sarroutbi commented 2 weeks ago

Hello. Unfortunately, at this moment we don't have this in our pipeline. However, we welcome PRs in case somebody is interested in it.