[Bug 260138] TPM2 Support in bootloader / kernel in order to retrieve GELI passphrase

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 16 Jan 2024 13:50:31 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260138

--- Comment #4 from Vincent Bentley <vince@vincentbentley.co.uk> ---
(In reply to s.adaszewski from comment #3)
I am very grateful for the work that you have done on this and for uploading
the code to github. I stopped building custom kernels a couple of years ago
but I will start again to test this code. I have a use for this code today. I
was hoping to find a 'HowTo' and was surprised that after two years, this still
isn't in RELEASE.

I work in an organisation that is predominantly staffed by volunteers. Many of
us have contributed good ideas for improvements but ideas often get shelved
usually because of insufficient practical support from the rest of the
organisation. This is usually because others don't understand the idea well
enough, or don't see why they should put in the extra work to see it completed.
They simply don't appreciate the benefit. In FreeBSD terms, I think this could
mean that for this code to get pulled into a release, the following is likely
to be needed, and those people willing and able to do the work required to
achieve it.

The FreeBSD installer will need to be modified to:
- Test for the presence of a suitable TPM chip or fTPM
- To offer the option of using the TPM and initialising it with required keys
- To offer the option of using the TPM for full disk encryption

The FreeBSD handbook will need additional content for:
- Describing the benefits of using a TPM with some example use cases
- How to retro-install an existing TPM equipped machine for new encrypted
filesystems
- Document the supporting packages that are required, e.g. tpm2-tools, and example
use cases
- Document the changes to /boot/loader.conf , /etc/rc.conf

The bigger picture is doing the same for:
- Using the TPM's RNG
- Configuring VPNs to use TPM
- Configuring SSH to use TPM 
- Using the TPM with finger print readers and smartcards for authentication
- Using a TPM in a certificate authority

Useful links to help appreciate the inadequate documentation in the FreeBSD
Handbook concerning using a TPM with FreeBSD:
https://reviews.freebsd.org/D19620?id=
https://github.com/tpm2-software/tpm2-pkcs11
https://linderud.dev/blog/store-ssh-keys-inside-the-tpm-ssh-tpm-agent/
https://www.evolware.org/2020/05/20/notes-on-using-a-tpm2-module-on-linux/
https://www.hardill.me.uk/wordpress/2021/02/07/adding-a-tpm-to-my-offline-certificate-authority/

I will try to do some of this work if I can get it running.
-Vince-
