[systemd-devel] dm-integrity volume with TPM key?

Sebastian Wiesner sebastian at swsnr.de
Fri Oct 8 19:15:12 UTC 2021


On Monday, 04.10.2021 at 14:49 +0200, Lennart Poettering wrote:
> On Thu, 30.09.21 21:20, Sebastian Wiesner (sebastian at swsnr.de) wrote:
> 
> > Hello,
> > 
> > thanks for the quick reply, I guess this explains the lack of
> > instructions.
> 
> btw, coincidentally this was posted on github on the day you posted
> this:
> 
> https://github.com/systemd/systemd/pull/20902
> 
> so hopefully we'll have the missing tools in place soon too.

Great, so it looks as if everything's in place with systemd 250
perhaps?

> > As a workaround you'd use a regular file key for dm-integrity and
> > put
> > that on a TPM-protected partition, if I understand you correctly?
> 
> yes.
> 
> > I.e. you'd
> > 
> > 1. enable secureboot (custom keys or shim),
> > 2. bundle kernel & initrd into signed UEFI image for systemd-boot,
> > 3. make / a LUKS-encrypted partition with systemd-cryptenroll, bound
> > to
> > the TPM (perhaps PCR 0 and 7) and unlocked automatically at boot,
> 
> only pcr 7, for the reasons explained in the blog story.

Alright :)

> > 4. make /home a dm-integrity partition, with a regular keyfile from
> > e.g. /etc/integrity.key (which is on the encrypted partition), and
> 
> actually, after thinking a bit more about this I figure the ultimate
> path for this would be /etc/integritysetup-keys.d/home.key – because
> we already implemented in systemd-cryptsetup a scheme where we search
> for the encryption key for volume xyz in
> /etc/cryptsetup-keys.d/xyz.key, and we should probably do it similar
> for verity keys, too.
> 
> > 5. use homed for LUKS-encrypted home areas on /home?
> > 
> > Does this sound reasonable?  
> 
> Yes!

Thanks :)  Looking forward to trying this.

Cheers,
Basti
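As an added example (my own, not code from this thread or from systemd), a small POSIX shell function that lays out step 4 of the plan above: a root-only HMAC keyfile at /etc/integritysetup-keys.d/home.key, i.e. on the TPM-unlocked LUKS root, and a matching /etc/integritytab line for /home. It assumes a 32-byte HMAC-SHA256 key, /dev/disk/by-partlabel/home as the backing device, and the integrity-algorithm= integritytab option of newer systemd releases; the root prefix argument exists so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Step 3 of the plan (binding the root LUKS volume to the TPM, PCR 7 only)
# is a separate, hardware-bound command and is not run here:
#   systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 <root-luks-device>
# Step 4 is what this function lays out on disk.
set -eu

setup_home_integrity() {
    root="${1:-}"; root="${root%/}"                  # "" means the real root
    dev="${2:-/dev/disk/by-partlabel/home}"           # assumed device name
    keydir="$root/etc/integritysetup-keys.d"          # path proposed in the thread
    keyfile="$keydir/home.key"
    tab="$root/etc/integritytab"

    # The key only stays confidential because /etc lives on the encrypted,
    # TPM-unlocked root, so keep it unreadable for anyone but root as well.
    mkdir -p "$keydir"
    chmod 0700 "$keydir"
    if [ ! -f "$keyfile" ]; then
        # 32 random bytes for hmac-sha256 (assumed key size); umask in a
        # subshell so the file is created 0600 from the start
        (umask 077; head -c 32 /dev/urandom > "$keyfile")
    fi
    chmod 0600 "$keyfile"

    # integritytab fields: name, backing device, keyfile, options.
    # Append only if no "home" entry exists yet, so reruns are idempotent.
    mkdir -p "$root/etc"
    if ! grep -q '^home ' "$tab" 2>/dev/null; then
        printf 'home %s %s integrity-algorithm=hmac-sha256\n' \
            "$dev" "$keyfile" >> "$tab"
    fi
}

# Mode of the keyfile as an octal string, used to check the result.
keyfile_mode() { stat -c '%a' "${1%/}/etc/integritysetup-keys.d/home.key"; }
```

Run it as root with no arguments on the real system, or with a scratch directory as the first argument to inspect what it would write.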


