From nobody Tue Jan 16 13:50:31 2024
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 260138] TPM2 Support in bootloader / kernel in order to retrieve GELI passphrase
Date: Tue, 16 Jan 2024 13:50:31 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Keywords: feature, loader, security, uefi
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260138

--- Comment #4 from Vincent Bentley ---

(In reply to s.adaszewski from comment #3)

I am very grateful for the work that you have done on this and for uploading the code to GitHub. I stopped building custom kernels a couple of years ago, but I will start again to test this code. I have a use for this code today. I was hoping to find a 'HowTo' and was surprised that, after two years, this still isn't in RELEASE.

I work in an organisation that is predominantly staffed by volunteers. Many of us have contributed good ideas for improvements, but ideas often get shelved, usually because of insufficient practical support from the rest of the organisation. This is usually because others don't understand the idea well enough, or don't see why they should put in the extra work to see it completed. They simply don't appreciate the benefit. In FreeBSD terms, I think this could mean that for this code to get pulled into a release, the following is likely to be needed, along with people willing and able to do the work required to achieve it.

The FreeBSD installer will need to be modified to:
- Test for the presence of a suitable TPM chip or fTPM
- Offer the option of using the TPM and initialising it with the required keys
- Offer the option of using the TPM for full disk encryption

The FreeBSD handbook will need additional content for:
- Describing the benefits of using a TPM, with some example use cases
- How to retro-install an existing TPM-equipped machine for new encrypted filesystems
- Documenting the supporting packages that are required, e.g. tpm2-tools, and example use cases
- Documenting the changes to /boot/loader.conf and /etc/rc.conf

The bigger picture is doing the same for:
- Using the TPM's RNG
- Configuring VPNs to use the TPM
- Configuring SSH to use the TPM
- Using the TPM with fingerprint readers and smartcards for authentication
- Using a TPM in a certificate authority

Useful links to help appreciate the inadequate documentation in the FreeBSD Handbook concerning using a TPM with FreeBSD:

https://reviews.freebsd.org/D19620?id=
https://github.com/tpm2-software/tpm2-pkcs11
https://linderud.dev/blog/store-ssh-keys-inside-the-tpm-ssh-tpm-agent/
https://www.evolware.org/2020/05/20/notes-on-using-a-tpm2-module-on-linux/
https://www.hardill.me.uk/wordpress/2021/02/07/adding-a-tpm-to-my-offline-certificate-authority/

I will try to do some of this work if I can get it running.

-Vince-

-- 
You are receiving this mail because:
You are the assignee for the bug.
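The comment above asks for documentation of the tpm2-tools side of a TPM-backed GELI setup. The script below is an added example written for this page; it is not code from the bug report, from the loader patch referenced in comment #3, or from the FreeBSD project. It uses tpm2-tools 5.x (the security/tpm2-tools port, reached through /dev/tpm0 via TPM2TOOLS_TCTI) to seal a GELI passphrase into a TPM 2.0 sealed object whose policy is bound to PCRs 0, 2, 4 and 7, and later unseals it straight into geli attach -j -. The state directory, the persistent handle 0x81010001, the PCR selection and the provider name are assumptions chosen for illustration. This is a userland flow, so it suits a data volume attached after boot (from rc, say); it does not give the loader access to the root volume's passphrase, which is what this bug requests.

```shell
#!/bin/sh
# Added example (not from the bug thread): seal a GELI passphrase into a
# TPM 2.0 sealed object bound to PCR values with tpm2-tools, and unseal it
# to attach a GELI provider.  Assumes tpm2-tools 5.x and a kernel tpm
# driver exposing /dev/tpm0.  Userland only; not the loader-side retrieval
# requested in bug 260138.
set -eu

PCR_BANK="${PCR_BANK:-sha256}"
PCR_LIST="${PCR_LIST:-0,2,4,7}"      # firmware, option ROMs, boot manager, Secure Boot state (assumed selection)
STATE_DIR="${STATE_DIR:-/var/db/geli-tpm}"             # assumed location
PERSISTENT_HANDLE="${PERSISTENT_HANDLE:-0x81010001}"   # assumed owner-hierarchy handle
export TPM2TOOLS_TCTI="${TPM2TOOLS_TCTI:-device:/dev/tpm0}"

# validate_pcr_list LIST: succeed only if LIST is comma-separated PCR indexes 0..23
validate_pcr_list() {
    list="$1"
    [ -n "$list" ] || return 1
    oldifs="$IFS"; IFS=','
    set -- $list
    IFS="$oldifs"
    for idx in "$@"; do
        case "$idx" in
            [0-9]|1[0-9]|2[0-3]) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# pcr_selection BANK LIST -> "sha256:0,2,4,7"  (form taken by tpm2_createpolicy -l / tpm2_pcrread)
pcr_selection() { printf '%s:%s' "$1" "$2"; }

# pcr_auth BANK LIST -> "pcr:sha256:0,2,4,7"   (form taken by tpm2_unseal -p)
pcr_auth() { printf 'pcr:%s:%s' "$1" "$2"; }

# tpm_present: true if a TPM 2.0 answers on the configured TCTI
tpm_present() { tpm2_getcap properties-fixed >/dev/null 2>&1; }

# seal: read the passphrase on stdin, seal it under a fresh storage primary
# with a PCR policy, and make the sealed object persistent.
seal() {
    validate_pcr_list "$PCR_LIST" || { echo "bad PCR list: $PCR_LIST" >&2; return 1; }
    tpm_present || { echo "no TPM 2.0 reachable via $TPM2TOOLS_TCTI" >&2; return 1; }
    umask 077
    mkdir -p "$STATE_DIR"
    sel=$(pcr_selection "$PCR_BANK" "$PCR_LIST")
    tpm2_createprimary -C o -g sha256 -G rsa2048 -c "$STATE_DIR/primary.ctx" >/dev/null
    # Policy digest over the *current* PCR values: a different boot chain cannot unseal.
    tpm2_createpolicy --policy-pcr -l "$sel" -L "$STATE_DIR/pcr.policy" >/dev/null
    # -i - : passphrase comes from stdin and is never written to disk.
    # Attributes omit userwithauth, so the PCR policy is the only way to authorize.
    tpm2_create -C "$STATE_DIR/primary.ctx" -g sha256 \
        -a "fixedtpm|fixedparent|noda" -L "$STATE_DIR/pcr.policy" \
        -u "$STATE_DIR/seal.pub" -r "$STATE_DIR/seal.priv" -i - >/dev/null
    tpm2_load -C "$STATE_DIR/primary.ctx" -u "$STATE_DIR/seal.pub" \
        -r "$STATE_DIR/seal.priv" -c "$STATE_DIR/seal.ctx" >/dev/null
    tpm2_evictcontrol -C o -c "$STATE_DIR/seal.ctx" "$PERSISTENT_HANDLE" >/dev/null
    tpm2_flushcontext -t
    echo "sealed to $PERSISTENT_HANDLE against $sel"
}

# unseal PROVIDER: unseal (succeeds only while the PCRs still match) and
# pipe the passphrase into geli attach; -j - reads the passphrase from stdin.
unseal() {
    prov="$1"
    tpm2_unseal -c "$PERSISTENT_HANDLE" -p "$(pcr_auth "$PCR_BANK" "$PCR_LIST")" \
        | geli attach -j - "$prov"
}

case "${1:-}" in
    seal)   seal ;;
    unseal) unseal "${2:?provider name, e.g. ada0p3}" ;;
    "")     ;;   # no subcommand: only define the functions
    *)      echo "usage: $0 seal | unseal PROVIDER" >&2; exit 2 ;;
esac
```

Usage: `printf '%s' "$passphrase" | sh geli-tpm.sh seal`, then `sh geli-tpm.sh unseal ada0p3` from an rc script before the volume is mounted. Because the policy is bound to PCR values, a firmware update or a change to the boot chain changes PCR 0 or 4 and the unseal fails until you reseal; keep a recovery passphrase in GELI's second key slot (`geli setkey -n 1`) so the volume is never reachable only through the TPM.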