Hi,
On Monday, 29 November 2021, 23:07:56 CET, ub22@gmx.net wrote:
Hello,
On Sunday, 28 November 2021, 13:05:25 CET, Fabian Vogt wrote:
It should also be noted that the /boot contents are not verified during boot (just the kernel through secure boot, if enabled), so it doesn't really provide any protection against physical access.
But this is not acceptable at all.
Question: is there any easy possibility to check if the TPM2 is properly detected in Linux? I searched for it, but found nothing till now.
cat /sys/class/tpm/tpm0/tpm_version_major should print "2".
OK, is correct (showing 2). But this doesn't help due to the security restriction :-(
It's being worked on. https://www.youtube.com/watch?v=C58WLY7FvYk explains some potential approaches.
Until seamless update handling is implemented, you can handle it manually by also sealing against PCRs 8 and 9, i.e. passing --tpm2-pcrs=7+8+9 (or even 0+1+2+4+5+7+8+9) to systemd-cryptenroll. That way the TPM will only unseal the secret if grub/kernel/initrd etc. match exactly. On updates, you'll have to enter the passphrase manually and run systemd-cryptenroll again.
The other files in /boot (e.g. sysctl.conf) could still be modified without noticing, which can be avoided by placing necessary files on the EFI partition and leaving /boot encrypted.
Cheers,
Fabian
But it will be great if the automatic on the installation will implement it automatically (and also translate the keyboard key issues like z <-> y).
The only missing feature is now the possibility to use an available security solution (TPM 2.0, included chip-card reader, Nitrokey 3A/3C NFC or similar else).
Many thanks :-)
Ulf
PS: Written from Fujitsu LifeBook U939X and openSUSE Tumbleweed https://lug-vs.org/lugvswiki/index.php?title=Hardware-Steckbriefe#Fujitsu_Li.... 28von_Ulf.29
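Added example, not part of the original thread or of any openSUSE or systemd tooling: POSIX shell helpers for the TPM check and the manual re-enrollment described in the messages above, plus a PCR snapshot comparison that shows which of the sealed PCRs changed across an update. The sysfs pcr-sha256 path (kernel 5.12 or later), the --tpm2-device=auto and --wipe-slot=tpm2 options of systemd-cryptenroll, and the device argument are assumptions beyond what the messages state.

```sh
#!/bin/sh
# Added example (not from the thread): TPM 2.0 check, PCR snapshot/compare,
# and manual re-enrollment after a grub/kernel/initrd update.
# Assumptions: TPM_SYSFS default path, kernel >= 5.12 for pcr-sha256/,
# and the LUKS device passed as the first argument.
TPM_SYSFS="${TPM_SYSFS:-/sys/class/tpm/tpm0}"

# True only if the kernel exposes a TPM whose major version is 2.
tpm2_present() {
    [ -r "$TPM_SYSFS/tpm_version_major" ] &&
        [ "$(cat "$TPM_SYSFS/tpm_version_major")" = "2" ]
}

# Accept lists such as 7+8+9; every index must be a number in 0..23.
valid_pcrs() {
    case "$1" in
        ''|*[!0-9+]*|+*|*+|*++*) return 1 ;;
    esac
    for p in $(printf '%s' "$1" | tr '+' ' '); do
        [ "$p" -le 23 ] || return 1
    done
}

# Print "index=digest" for each selected PCR from the SHA-256 bank.
pcr_snapshot() {
    for p in $(printf '%s' "$1" | tr '+' ' '); do
        printf '%s=%s\n' "$p" "$(cat "$TPM_SYSFS/pcr-sha256/$p")"
    done
}

# Given two snapshot files, print the PCR indices whose digest changed.
changed_pcrs() {
    awk -F= 'NR == FNR { old[$1] = $2; next }
             old[$1] != $2 { print $1 }' "$1" "$2"
}

# Enroll a new TPM2 slot bound to the given PCRs and wipe the stale one.
# systemd-cryptenroll prompts for the existing passphrase.
reenroll() {
    tpm2_present || { echo "no TPM 2.0 at $TPM_SYSFS" >&2; return 1; }
    valid_pcrs "$2" || { echo "bad PCR list: $2" >&2; return 1; }
    systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto \
        --tpm2-pcrs="$2" "$1"
}

# Usage: script /dev/<luks-device> 7+8+9   (device name is a placeholder)
if [ "$#" -eq 2 ]; then
    reenroll "$1" "$2"
fi
```

Saving a pcr_snapshot before an update and comparing it after the next reboot shows whether only the expected PCRs (8 and 9 for a grub/kernel/initrd change) moved before you re-enroll.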