[systemd-devel] PCR signing / enrolling on UKI and validation by systemd-cryptenroll
Lennart Poettering
lennart at poettering.net
Thu May 30 21:26:52 UTC 2024
On Thu, 30.05.24 17:08, Demi Marie Obenour (demi at invisiblethingslab.com) wrote:
> > Hmm, this is an interesting idea, I kinda like it. But I am not sure
> > how far this will get us, because I think even for FDE we eventually
> > want to store asymmetric keys, not symmetric ones (i.e. I think we
> > should start supporting things like TPM2+FIDO or TPM2+PKCS11 or
> > TPM2+ssh-agent where both devices operate in tandem, in a challenge
> > response model, not sure how far you get with that if we can only
> > protect symmetric keys)
>
> How would TPM2+FIDO work?
ChromeOS is passing a nonce from the TPM to the FIDO device, which then signs it, which the TPM can then verify.
Lennart
--
Lennart Poettering, Berlin
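The challenge-response flow described in the reply above (a nonce from the TPM, signed by the FIDO device, verified by the TPM), as an added example that is not code from this thread, from systemd or from ChromeOS. It only simulates both parties in Go: a P-256 key plays the FIDO authenticator, a struct holding a public key and a nonce table plays the TPM, and the data formats are constructed stand-ins (a fixed authenticator-data string, the nonce used directly as client data) rather than real CTAP structures; the "volume key" is likewise a constructed placeholder. What it shows is the property the reply is after: the TPM side holds only a public key, and the sealed secret comes out only for a fresh, single-use nonce signed by the enrolled key, so a captured assertion or an unenrolled token gets nothing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// simAuthenticator stands in for the FIDO device: one P-256 key that signs challenges.
type simAuthenticator struct{ key *ecdsa.PrivateKey }

func mustNewAuthenticator() *simAuthenticator {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &simAuthenticator{key: k}
}

// Assertion is the authenticator's reply. As in a CTAP getAssertion, Sig covers
// authData || SHA-256(clientData); here the client data is just the 32-byte TPM nonce.
type Assertion struct {
	AuthData   []byte
	ClientData [32]byte
	Sig        []byte // ASN.1 DER ECDSA signature
}

// signedMessage is the digest both sides compute: SHA-256(authData || SHA-256(clientData)).
func signedMessage(authData, clientData []byte) []byte {
	cdh := sha256.Sum256(clientData)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return h[:]
}

// Assert signs the TPM's nonce. authData is a constructed placeholder for rpIdHash||flags||signCount.
func (a *simAuthenticator) Assert(nonce [32]byte) (Assertion, error) {
	authData := []byte("constructed-authenticator-data")
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(authData, nonce[:]))
	return Assertion{AuthData: authData, ClientData: nonce, Sig: sig}, err
}

// simTPM stands in for the TPM: enrolled public key, outstanding single-use nonces, sealed secret.
type simTPM struct {
	enrolled *ecdsa.PublicKey
	pending  map[[32]byte]bool
	secret   []byte
}

// Challenge issues a fresh random nonce and records it as outstanding.
func (t *simTPM) Challenge() [32]byte {
	var n [32]byte
	if _, err := rand.Read(n[:]); err != nil {
		panic(err) // no usable entropy source: nothing sensible to do here
	}
	t.pending[n] = true
	return n
}

// Unseal consumes the nonce first (a captured assertion cannot be replayed), then verifies
// the signature against the enrolled key before releasing the secret.
func (t *simTPM) Unseal(a Assertion) ([]byte, error) {
	if !t.pending[a.ClientData] {
		return nil, errors.New("nonce unknown or already used")
	}
	delete(t.pending, a.ClientData)
	if !ecdsa.VerifyASN1(t.enrolled, signedMessage(a.AuthData, a.ClientData[:]), a.Sig) {
		return nil, errors.New("signature does not verify against enrolled key")
	}
	return t.secret, nil
}

// exchange runs one round: TPM nonce -> authenticator signature -> TPM verification.
func exchange(tpm *simTPM, auth *simAuthenticator) (Assertion, []byte, error) {
	asrt, err := auth.Assert(tpm.Challenge())
	if err != nil {
		return Assertion{}, nil, err
	}
	got, err := tpm.Unseal(asrt)
	return asrt, got, err
}

// Demo performs one successful unseal, then the two rejections the TPM side must produce:
// a replayed assertion, and an assertion from a token that was never enrolled.
func Demo() (unsealed, replayRejected, wrongKeyRejected bool) {
	auth, other := mustNewAuthenticator(), mustNewAuthenticator()
	secret := []byte("constructed-volume-key") // stands in for a sealed FDE key
	tpm := &simTPM{enrolled: &auth.key.PublicKey, pending: map[[32]byte]bool{}, secret: secret}
	asrt, got, err := exchange(tpm, auth)
	unsealed = err == nil && string(got) == string(secret)
	_, replayErr := tpm.Unseal(asrt) // same nonce again
	replayRejected = replayErr != nil
	_, _, wrongErr := exchange(tpm, other) // fresh nonce, key that was never enrolled
	wrongKeyRejected = wrongErr != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

The nonce is deleted from the table before the signature is checked, so one nonce can be answered exactly once whether or not the answer verifies; the signature is bound to the nonce through the client-data hash, so neither the authenticator data nor the challenge can be swapped after signing.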