Add TPM with PCR binding example #431
Comments
Note that we currently can't bind to PCR 8 because we change the kernel command line on every OS update.
IIUC, the values can change by updating UEFI firmware/certificates (e.g. via fwupd). We should make sure to note this and include instructions for updating the Clevis binding in that situation.
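The re-binding step the comment above asks for, as an added example that is not part of the docs PR or of Fedora CoreOS itself. It assumes clevis and tpm2-tools are installed, that `clevis luks list` prints one `<slot>: <pin> '<json config>'` line per binding, that `clevis luks regen` re-seals a slot using the pin config stored in its LUKS token (and can prompt for the LUKS passphrase when the old binding no longer unlocks), and that `/dev/sda4` is a placeholder device path.

```shell
#!/usr/bin/env bash
# Added example, not from the Fedora CoreOS docs or this PR: re-seal Clevis
# TPM2 bindings after a firmware or Secure Boot certificate update changes
# PCR 7. Assumes clevis and tpm2-tools are installed; /dev/sda4 is a placeholder.
set -eu

# Slot numbers of all tpm2 bindings in `clevis luks list -d DEV` output,
# which has one line per slot of the form `<slot>: <pin> '<json config>'`.
tpm2_slots() {
    awk '$2 == "tpm2" { sub(/:$/, "", $1); print $1 }'
}

# Only tpm2 bindings whose config names pcr_ids are sealed to PCR values; a
# tpm2 pin with config '{}' is not affected by a firmware update.
pcr_bound_tpm2_slots() {
    awk '$2 == "tpm2" && $0 ~ /"pcr_ids"/ { sub(/:$/, "", $1); print $1 }'
}

# Current PCR 7 value, for comparing before and after a firmware update.
show_pcr7() {
    tpm2_pcrread sha256:7
}

# True if clevis can still recover the slot passphrase with the current PCRs.
binding_unlocks() {
    clevis luks pass -d "$1" -s "$2" >/dev/null 2>&1
}

# Regenerate every PCR-bound tpm2 slot that no longer unlocks. `clevis luks
# regen` reuses the pin config stored in the LUKS token, so the slot is
# re-sealed against the PCR 7 value the firmware reports now. Assumption:
# regen prompts for the LUKS passphrase when the old binding is dead.
rebind_stale_tpm2_slots() {
    local dev=$1 slot
    clevis luks list -d "$dev" | pcr_bound_tpm2_slots | while read -r slot; do
        if binding_unlocks "$dev" "$slot"; then
            echo "slot $slot: still unlocks, leaving as is"
        else
            echo "slot $slot: stale binding, regenerating"
            clevis luks regen -d "$dev" -s "$slot"
        fi
    done
}

# Usage (requires root and a real or emulated TPM):
#   show_pcr7
#   rebind_stale_tpm2_slots /dev/sda4
```

Record `show_pcr7` before applying a firmware update; if the value differs afterwards, every slot that `pcr_bound_tpm2_slots` lists will need the regeneration, while plain `tpm2` slots with an empty config keep working.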
The PCR 7 value should be the Secure Boot certificate only, from memory, and should not be affected by other things changing.
@travier Do you think I should add steps on how to emulate a TPM 2.0 device for development in the documentation as well? A significant portion of getting TPM working and binding the disk encryption to PCR 7 was setting up the Fedora CoreOS VM correctly. Or should we assume that developers reading the documentation will be working with real machines that have physical TPM devices?
If you've found a good resource to set up a virtual TPM with libvirt then we could link to it, but otherwise I think it's a bit out of scope for the documentation.
I think improving the ergonomics of all of this relates to coreos/fedora-coreos-tracker#235
I had a look at this source, but it didn't seem to work for my dev environment. I ended up using this method: https://en.opensuse.org/Software_TPM_Emulator_For_QEMU and modified the bash script listed in the Fedora CoreOS documentation: https://docs.fedoraproject.org/en-US/fedora-coreos/provisioning-libvirt/
From:
Add an example to the docs that binds the LUKS disk encryption to the TPM's PCR 7 value.
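What such an example could look like, covering both the PCR 7 binding the PR description asks for and the emulated-TPM VM setup discussed in the comments above. This is an added example, not the docs PR's own text nor Fedora CoreOS project code. It assumes butane, virt-install and swtpm are installed, that the Butane spec version used supports `luks.clevis.custom` (the `boot_device.luks.tpm2: true` sugar produces a tpm2 pin with an empty config, which is not sealed to any PCR), that the `--tpm` and `--boot uefi` virt-install options behave as described, and that every path, VM name and size is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the Fedora CoreOS docs or this PR: a Butane config
# that binds the root LUKS volume to TPM2 PCR 7 through Clevis's custom pin
# form, plus a libvirt VM definition with an emulated TPM 2.0 and UEFI so the
# firmware actually extends PCR 7. Assumptions: butane, virt-install and swtpm
# are installed, the Butane spec used supports luks.clevis.custom, and all
# paths, names and sizes are placeholders.
set -eu

# boot_device.luks.tpm2: true only yields a tpm2 pin with config '{}', which
# seals to no PCR. The custom pin passes pcr_bank/pcr_ids through to clevis.
write_butane_pcr7_config() {
    local out=$1 pcr_ids=${2:-7}
    cat > "$out" <<EOF
variant: fcos
version: 1.5.0
storage:
  luks:
    - name: root
      label: luks-root
      device: /dev/disk/by-partlabel/root
      wipe_volume: true
      clevis:
        custom:
          pin: tpm2
          config: '{"pcr_bank":"sha256","pcr_ids":"${pcr_ids}"}'
  filesystems:
    - device: /dev/mapper/root
      format: xfs
      wipe_filesystem: true
      label: root
EOF
    printf '%s\n' "$out"
}

# Read back the PCR list from a written config (sanity check before transpiling).
config_pcr_ids() {
    sed -n 's/.*"pcr_ids":"\([^"]*\)".*/\1/p' "$1"
}

# Butane -> Ignition; --strict turns unknown keys into errors rather than warnings.
transpile() {
    butane --pretty --strict "$1" > "$2"
}

# libvirt VM with a swtpm-backed TPM 2.0 (CRB interface) and UEFI firmware.
# Without --boot uefi there is no Secure Boot state to measure into PCR 7.
create_vm() {
    local name=$1 image=$2 ign=$3
    virt-install --connect qemu:///system --name "$name" \
        --memory 4096 --vcpus 2 --os-variant fedora-coreos-stable --import \
        --boot uefi \
        --tpm model=tpm-crb,backend.type=emulator,backend.version=2.0 \
        --disk size=20,backing_store="$image" \
        --qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=$ign"
}

# Run end to end only when asked, so sourcing the file just defines functions.
if [ "${1:-}" = "create" ]; then
    write_butane_pcr7_config pcr7.bu 7 >/dev/null
    transpile pcr7.bu pcr7.ign
    create_vm fcos-tpm-test "$PWD/fedora-coreos-qemu.x86_64.qcow2" "$PWD/pcr7.ign"
fi
```

After first boot, `clevis luks list -d /dev/disk/by-label/luks-root` on the guest should show the tpm2 slot with the `pcr_ids` config, and `tpm2_pcrread sha256:7` should return a non-zero value; a PCR 7 of all zeros means the firmware never measured Secure Boot state and the binding is not providing what the docs example intends.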