Date: Tue, 16 Jan 2024 13:50:31 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 260138] TPM2 Support in bootloader / kernel in order to retrieve GELI passphrase
Message-ID: <bug-260138-227-pDRmOqxljM@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-260138-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-260138-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260138

--- Comment #4 from Vincent Bentley <vince@vincentbentley.co.uk> ---
(In reply to s.adaszewski from comment #3)

I am very grateful for the work that you have done on this and for uploading
the code to GitHub. I stopped building custom kernels a couple of years ago,
but I will start again to test this code. I have a use for this code today.
I was hoping to find a 'HowTo' and was surprised that after two years, this
still isn't in RELEASE.

I work in an organisation that is predominantly staffed by volunteers. Many of
us have contributed good ideas for improvements, but ideas often get shelved,
usually because of insufficient practical support from the rest of the
organisation. This is usually because others don't understand the idea well
enough, or don't see why they should put in the extra work to see it completed.
They simply don't appreciate the benefit. In FreeBSD terms, I think this could
mean that for this code to get pulled into a release, the following is likely
to be needed, and those people willing and able to do the work required to
achieve it.

The FreeBSD installer will need to be modified to:
- Test for the presence of a suitable TPM chip or fTPM
- Offer the option of using the TPM and initialising it with required keys
- Offer the option of using the TPM for full disk encryption

The FreeBSD handbook will need additional content for:
- Describing the benefits of using a TPM with some example use cases
- How to retro-install an existing TPM equipped machine for new encrypted
  filesystems
- Documenting the supporting packages that are required, e.g. tpm2-tools, and
  example use cases
- Documenting the changes to /boot/loader.conf and /etc/rc.conf

The bigger picture is doing the same for:
- Using the TPM's RNG
- Configuring VPNs to use the TPM
- Configuring SSH to use the TPM
- Using the TPM with fingerprint readers and smartcards for authentication
- Using a TPM in a certificate authority

Useful links to help appreciate the inadequate documentation in the FreeBSD
Handbook concerning using a TPM with FreeBSD:

https://reviews.freebsd.org/D19620?id=
https://github.com/tpm2-software/tpm2-pkcs11
https://linderud.dev/blog/store-ssh-keys-inside-the-tpm-ssh-tpm-agent/
https://www.evolware.org/2020/05/20/notes-on-using-a-tpm2-module-on-linux/
https://www.hardill.me.uk/wordpress/2021/02/07/adding-a-tpm-to-my-offline-certificate-authority/

I will try to do some of this work if I can get it running.

-Vince-

-- 
You are receiving this mail because:
You are the assignee for the bug.