
Linux disk encryption using hardware TPM (Trusted Platform Module) - auslander
https://github.com/morbitzer/linux-luks-tpm-boot
======
auslander
Update. There were successful TPM attacks by sniffing data from the LPC bus wires
connecting the TPM chip with HW logic analysers. The data is unencrypted. "TPM2.0
devices support command and response parameter encryption, which would prevent
the sniffing attacks. Windows doesn’t configure this though,". This prevents
the bare-metal-in-datacenter use case.

[https://pulsesecurity.co.nz/articles/TPM-sniffing](https://pulsesecurity.co.nz/articles/TPM-sniffing)

------
usr1106
What version of TPM does this apply to? I've yet to dig deeper into TPM, but
what I have read so far is that TPM 1.2 is a nightmare, but TPM 2.0 starts to
get reasonable.

~~~
cmurf
TrouSerS and tpm-tools support TPM 1.2, and tss2 with tpm2-tools supports TPM
2.0. Also, I'm not aware of any hardware with BIOS firmware and TPM 2.0; even
if nothing prevents the combination, TPM 2.0 post-dates UEFI. Consumer
hardware circa 2016 is when I started seeing predominantly TPM 2.0 appearing.

~~~
auslander
Yes, TrustedGRUB2 doesn't yet support UEFI. I wonder whether the guide will
still work if I simply boot in BIOS mode. All motherboards give you both boot
options for any bootable drive.

~~~
cmurf
Most, but not all, boards with UEFI offer a compatibility support module to
present a faux BIOS to the bootloader and OS. The presentation of both options
is misleading, in particular the ones that refer to it as "UEFI
enable/disable". Anyway, if you boot with the faux BIOS, TrustedGRUB2 will work,
but I have no idea whether the TPM is supported via that CSM interface.

------
auslander
My (too simple) TLDR from other thread:

The TPM measures stuff, then we put the key in the TPM and seal it to the PCR 0-13
measurements (the whole boot environment). At boot, the TPM will allow the tcsd daemon
(part of the initrd) to read the LUKS key once, and only if all measurements match;
this is as far as I got. The end result is an unlocked volume, without any passphrase
prompts, either on the console or via ssh.

[https://news.ycombinator.com/item?id=19527493](https://news.ycombinator.com/item?id=19527493)
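A small model of the measure-then-seal flow described in the TLDR above, added here as an example and not code from the thread or the linked guide. It is a simplified stand-in for the real TPM (hash-chained PCR extends, a PolicyPCR-style digest over a chosen PCR selection, and an HMAC-based wrap instead of the TPM's internal sealing), so the PCR numbers, component names and LUKS key are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample boot environment: the events each PCR would measure, in order.
# PCR numbers are illustrative only (0 firmware, 4 bootloader, 7 Secure Boot state).
BOOT_COMPONENTS = {
    0: [b"firmware-image-v1"],
    4: [b"trustedgrub2-core", b"grub.cfg"],
    7: [b"secureboot-state"],
}
LUKS_KEY = b"constructed-luks-key-01234567890"   # 32-byte constructed sample key


def pcr_extend(pcr_value: bytes, event: bytes) -> bytes:
    """PCR extend: new = H(old || H(event)). A PCR can only be extended, never set."""
    return hashlib.sha256(pcr_value + hashlib.sha256(event).digest()).digest()


def measure_boot(components):
    """Replay a measured boot; returns {pcr index: 32-byte value}. Every PCR starts at zero."""
    pcrs = {}
    for idx, events in components.items():
        value = bytes(32)
        for ev in events:
            value = pcr_extend(value, ev)
        pcrs[idx] = value
    return pcrs


def pcr_policy_digest(pcrs, selection):
    """Bind a policy to the selected PCRs (simplified model of TPM2 PolicyPCR)."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()


def seal(secret: bytes, policy: bytes):
    """Wrap a secret (<= 32 bytes) under the policy digest: HMAC keystream plus integrity tag."""
    nonce = os.urandom(16)
    ks = hmac.new(policy, nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, ks))
    tag = hmac.new(policy, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unseal(blob, policy: bytes):
    """Release the secret only if the policy digest matches the one used to seal; else None."""
    nonce, ct, tag = blob
    if not hmac.compare_digest(tag, hmac.new(policy, nonce + ct, hashlib.sha256).digest()):
        return None
    ks = hmac.new(policy, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, ks))


def boot_and_unlock(components, blob, selection=(0, 4, 7)):
    """What the initrd does: measure the boot, rebuild the policy, try to unseal the LUKS key."""
    return unseal(blob, pcr_policy_digest(measure_boot(components), selection))
```

Any change to a measured component, or even the same components measured in a different order, yields a different PCR value and the unseal returns None, which is exactly why a bootloader update needs the key re-sealed to the new measurements.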

