Date: Wed, 15 Dec 2021 11:37:52 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 260138] TPM2 Support in bootloader / kernel in order to retrieve GELI passphrase Message-ID: <bug-260138-227-rGDYlAcVCI@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-260138-227@https.bugs.freebsd.org/bugzilla/> References: <bug-260138-227@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D260138 --- Comment #1 from s.adaszewski@gmail.com --- Added hard-coded PCR Extend on PCR8 to secure the case when the passphrase = is stored in the TPM but not retrieved. Bootloader permits the boot of an arbitrary environment if the passphrase is not retrieved (i.e. no /.passphrase_marker check), therefore it needs to be ensured that the policy protecting the passphrase NVIndex includes PCR8 and therefore denies future access in such a case. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-260138-227-rGDYlAcVCI>