On Thu, Dec 6, 2018 at 3:13 AM Javier Martinez Canillas
<javierm(a)redhat.com> wrote:
> On 05-12-18 23:58, Chris Murphy wrote:
>> b. Windows laptops have TPM 2.0 which I can't get to work on Linux
>> (works fine on Windows 10).
>>
>> https://bugzilla.kernel.org/show_bug.cgi?id=185631
>
> This seems to be a driver issue. Bugzilla usually is not the best channel to
> report kernel issues but instead the subsystem mailing list. For TPM this is
> linux-integrity(a)vger.kernel.org. Could you please post your issue there?
Yes.
>> c. Can a TMP be reliably shared by both Windows and Fedora in a dual
>> boot configuration?
>
> Javier, Peter, can you answer this please ?
>
> This is a two-part question I think. First is the measurements, and since
> BitLocker seals against a PCR state when booting with the Windows bootloader,
> this means that we can't chain-load Windows from grub2, since the measurements
> would be different and prevent BitLocker from unlocking the encrypted disk.
>
> So for this case Windows has to be booted using the EFI firmware and having a
> separate boot entry. This is my understanding at least; I don't have a Windows
> installation to test.
>
> The second part is the key management. Clevis currently expects that the key
> hierarchies are not password protected. This is because asking the user for a
> password would defeat the purpose of automatically unlocking the LUKS volume.
Why bother encrypting anything if it's going to be automatically
unlocked just by booting? If the login window is a sufficient barrier
to exfiltrating and modifying user files on an unlocked volume, then
it's a sufficient barrier for an unencrypted volume because it is in
effect a plaintext volume, automatically without a passphrase, merely
when powered on.
> Also fscrypt is only supported by ext4, right? It would be better to find a
> solution that wouldn't impose a specific filesystem on the user.
fscrypt is today supported by ext4, f2fs, and UBIFS. There are plans
to support XFS and Btrfs but I have no idea what their time frames
are; reflinks and snapshots add complications.
--
Chris Murphy
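To illustrate why the chain-loading path discussed above breaks a PCR-bound seal, here is an added example that is not from this thread and is not BitLocker, Clevis or TPM code: it replays two boot chains into a simulated SHA-256 PCR, seals a constructed key to the direct-boot value, and tries to unseal it after each path. The component images, the toy seal/unseal and the choice of a single code-measuring PCR are assumptions made for the demonstration.

```python
import hashlib

# TPM 2.0 SHA-256 PCR banks start at 32 zero bytes before the first measurement.
PCR_INIT = b"\x00" * 32

# Constructed stand-ins for the EFI images the firmware would hash (not real binaries).
WINDOWS_BOOTMGR = b"constructed: bootmgfw.efi"
GRUB2 = b"constructed: grubx64.efi"
# Constructed placeholder for the key that would be kept sealed (32 bytes).
VOLUME_KEY = hashlib.sha256(b"constructed volume key").digest()


def extend(pcr: bytes, measured: bytes) -> bytes:
    """PCR extend as the TPM does it: new = SHA-256(old || SHA-256(measured))."""
    return hashlib.sha256(pcr + hashlib.sha256(measured).digest()).digest()


def measure_chain(components) -> bytes:
    """Replay a boot chain into one PCR; models a code-measuring PCR such as PCR 4."""
    pcr = PCR_INIT
    for image in components:
        pcr = extend(pcr, image)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Toy seal: bind the secret to one expected PCR value (stand-in for TPM2_Create)."""
    pad = hashlib.sha256(b"seal-kdf" + expected_pcr).digest()
    return {"policy": expected_pcr, "blob": bytes(a ^ b for a, b in zip(secret, pad))}


def unseal(sealed: dict, current_pcr: bytes):
    """Return the secret only when the live PCR equals the sealed policy."""
    if current_pcr != sealed["policy"]:
        return None  # a real TPM fails the PCR policy session here
    pad = hashlib.sha256(b"seal-kdf" + current_pcr).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], pad))


def unlocks(boot_chain) -> bool:
    """Seal at install time (firmware -> Windows bootmgr), then unseal after boot_chain."""
    sealed = seal(VOLUME_KEY, measure_chain([WINDOWS_BOOTMGR]))
    return unseal(sealed, measure_chain(boot_chain)) == VOLUME_KEY


if __name__ == "__main__":
    # Separate EFI boot entry: the firmware measures only the Windows boot manager.
    print("direct EFI entry:", unlocks([WINDOWS_BOOTMGR]))        # True
    # Chain-load through grub2: grub2 is measured first, so the PCR digest differs.
    print("grub2 chain-load:", unlocks([GRUB2, WINDOWS_BOOTMGR]))  # False
```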