Jarkko Sakkinen

Just looking at what an #Ubuntu installation stores in the #NVRAM of the #TPM chip when installed with #TPM2-sealed #encrypted boot:

$ sudo tpm2_getcap handles-persistent
- 0x81000001
- 0x81010001

So: I guess the 2nd key, which has a policy bind, is what is “the fast path” with #PCR unsealing, and the first key is “the slow path” unsealed with the value given by snap recovery --show-keys.

Is this how it is laid out?

What puzzles me here is that 0x81010001 is a handle reserved by TCG for the endorsement key, so why would Ubuntu ever pick that as the NV index?

I'm confused but I barely skimmed the tpm2 tools outputs (tpm2_readpublic etc.).

For any Linux distribution builders out there, please read carefully before making any non-compliant changes: https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/

That said, I did not investigate this properly yet, so forgive me if I missed something essential :-)

This is way, way too whitepaper-ish and lacks all the details: https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu
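An added example (not from the thread above, nor from Ubuntu or tpm2-tools) that checks a list of persistent handles against the TCG reserved ranges, so a distribution builder can spot a handle like 0x81010001 landing in the endorsement-key range; it parses a constructed copy of the `tpm2_getcap handles-persistent` output quoted in the thread rather than talking to a TPM.

```shell
#!/bin/sh
# Constructed sample: the two lines printed by `tpm2_getcap handles-persistent`
# in the thread above (not a live TPM query).
SAMPLE='- 0x81000001
- 0x81010001'

# Map one persistent handle to its TCG-reserved range. Ranges follow the TCG
# Registry of Reserved TPM 2.0 Handles and Localities / Provisioning Guidance:
#   0x81000000-0x8100FFFF  owner-persisted storage hierarchy objects
#   0x81010000-0x8101FFFF  owner-persisted endorsement hierarchy objects (EKs)
#   0x81800000-0x81FFFFFF  platform-persisted objects
classify_handle() {
    h=$(( $1 ))   # POSIX arithmetic accepts the 0x-prefixed hex handle
    if   [ "$h" -ge $((0x81000000)) ] && [ "$h" -le $((0x8100FFFF)) ]; then
        echo "owner-storage"
    elif [ "$h" -ge $((0x81010000)) ] && [ "$h" -le $((0x8101FFFF)) ]; then
        echo "owner-endorsement"
    elif [ "$h" -ge $((0x81800000)) ] && [ "$h" -le $((0x81FFFFFF)) ]; then
        echo "platform"
    else
        echo "unassigned"
    fi
}

# Read getcap-style lines ("- 0x8100...") from stdin and print, per handle,
# its range plus a note when it is an individually named TCG handle.
audit_handles() {
    while read -r dash handle; do
        [ "$dash" = "-" ] || continue
        case "$handle" in
            0x81000001) note="TCG: Storage Root Key (SRK) handle" ;;
            0x81010001) note="TCG: RSA-2048 Endorsement Key handle" ;;
            0x81010002) note="TCG: ECC-P256 Endorsement Key handle" ;;
            *)          note="" ;;
        esac
        printf '%s %s %s\n' "$handle" "$(classify_handle "$handle")" "$note"
    done
}

# Count handles that sit in the endorsement range; anything a distro places
# there that is not an actual EK conflicts with the TCG provisioning guidance.
count_ek_range() {
    audit_handles | grep -c ' owner-endorsement'
}

printf '%s\n' "$SAMPLE" | audit_handles
```

On a real system, feed `sudo tpm2_getcap handles-persistent` into `audit_handles`, then confirm with `tpm2_readpublic -c 0x81010001` whether the object's attributes look like an EK (restricted decrypt key with adminWithPolicy) or like a sealed object.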