Linux & TPMs
- Published: 12 Sep 2023
- media.ccc.de/v/all-systems-go...
Let's get you up to speed on Trusted Platform Modules (TPM 2.0) and Linux. Specifically, the various additions to basic Linux userspace, i.e. systemd, in our goal to make measured boot a default on Linux.
Lennart Poettering
cfp.all-systems-go.io/all-sys...
#asg2023 Science
I kinda still find it hard to grasp the soup of TPM, SED, FDE & Bitlocker for Windows, i.e. how do I do SED (Samsung 990 Pro) with hardware encryption (no loss of speed) and that of Bitlocker (enable/disable); my dream is to have hardware FDE (using the SED feature) on Linux; currently I have an Elitebook with TPM 2.0 and an OPAL option (which I didn't enable) in BIOS and I have just simply enabled the DriveLock feature. Man, it's a mess/complicated!!!
Where do I store the key is a recurring question in security talks 🙂
What happens if my laptop motherboard dies, and I want to move my hard drive to a new computer? What happens if I want to use a bootable Fedora USB key to debug something on the main system? How do I unlock the disk?
You can just take the disk encryption key and store it separately in a safe place and just use that to unlock the LUKS partition. When using a Live USB you can just use that to unlock the disk and do whatever. When moving a disk to a new motherboard and a new TPM, then (presumably) the initramfs would ask you for the disk encryption key and once the disk is unlocked it would have to re-enroll the key to the new TPM. This is basically what Windows Bitlocker does with its "recovery key" which (as far as I can tell) is just the disk encryption key that is also in the TPM.
@SmackMyKeyboard You're close to correct, however the passphrase and the key in the TPM are separate, you can actually add as many passphrases as you want.
And I have moved an Arch LUKS TPM-unlocked partition to another system and all I had to do was enter the passphrase I set up.
Honest question:
Why should we trust our TPMs to store a secret? What proves the chip maker, U.S. government, or whoever else doesn't have a backdoor API or method to get them to give up our private key?
He answers this very question in the beginning of the talk I believe.
If you don't trust the TPM you can just not enroll a key into the TPM.