
Hi,

On Tuesday, 21 December 2021, 13:04:51 CET, Martin Wilck wrote:
On Thu, 2021-11-25 at 17:33 +0100, Benjamin Brunner wrote:
For all interested and curious who would like to have a look or want to directly test it, Antonio Feijoo <antonio.feijoo@suse.com> prepared some step by step guides at https://en.opensuse.org/SDB:LUKS2,_TPM2_and_FIDO2.
The documentation should work on Tumbleweed and later on openSUSE Leap 15.4.
We would really appreciate any feedback, thoughts, or reports in case you encounter any issues.
I'm missing something essential in the TPM2 scenario. It offers (some) protection against tampering. But how does it protect the contents of the storage from being read by 3rd parties? What if someone simply steals the computer and boots it from a USB stick or a DVD? As long as the PCR values are unchanged and she has root rights on the booted devices, the person should be able to read the entire disk. What am I overlooking here?
You're not missing anything. I raised that in the thread already, and the wiki article should probably make that also more clear.

https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/...
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/...

Using just PCR7 does not provide any of the security properties that are usually expected. It only protects against someone having access to data on disks.

Cheers,
Fabian
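
The point made in this reply, as an added example that is not part of the original thread or of the openSUSE guide: a simplified model of PCR extension showing which changes a PCR7-only binding detects and which it does not. The event labels are constructed, the `binding` function is a simplified stand-in for a real TPM2 PCR policy, and the comparison with PCR4 (boot manager code) is an assumption added for contrast. It also assumes the USB medium is verified by the same Secure Boot authority, so its PCR7 events are identical.

```python
import hashlib

def extend(pcr: bytes, event: bytes) -> bytes:
    """PCR extend: new = SHA256(old || SHA256(event data))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def boot(events):
    """Replay (pcr_index, event_data) pairs into a zeroed SHA-256 PCR bank."""
    bank = {i: bytes(32) for i in range(24)}
    for index, data in events:
        bank[index] = extend(bank[index], data)
    return bank

def binding(bank, selection):
    """Simplified stand-in for a PCR policy: hash of the selected PCR values."""
    return hashlib.sha256(b"".join(bank[i] for i in sorted(selection))).digest()

def unseals(sealed, bank, selection):
    """The key is released only if the current PCRs match the sealed binding."""
    return binding(bank, selection) == sealed

# Constructed event logs (labels, not real firmware measurements).
SECURE_BOOT_ON = [(7, b"SecureBoot=1"), (7, b"PK"), (7, b"KEK"), (7, b"db"),
                  (7, b"dbx"), (7, b"authority: vendor CA")]
INSTALLED = boot(SECURE_BOOT_ON + [(4, b"boot loader on internal disk")])
USB_STICK = boot(SECURE_BOOT_ON + [(4, b"boot loader on USB stick")])
SB_OFF = boot([(7, b"SecureBoot=0"), (4, b"boot loader on internal disk")])

def outcomes(selection):
    """Enrol against the installed system, then evaluate each later boot."""
    sealed = binding(INSTALLED, selection)
    return {name: unseals(sealed, bank, selection)
            for name, bank in [("installed", INSTALLED), ("usb", USB_STICK),
                               ("secure_boot_off", SB_OFF)]}

if __name__ == "__main__":
    print("PCR7 only :", outcomes({7}))
    print("PCR4+PCR7 :", outcomes({4, 7}))
```
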