mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-10-27 14:31:11 +01:00
Code Issues Packages Projects Releases Wiki Activity
4,767 Commits 28 Branches 542 Tags
Commit Graph

3 Commits

Author SHA1 Message Date
Andrey Smirnov
cf5effabb2
feat: provide an option to enforce SecureBoot for TPM enrollment 
Fixes #8995

There is no security impact, as the actual SecureBoot
state/configuration is measured into the PCR 7 and the disk encryption
key unsealing is tied to this value.

This is more to provide a way to avoid accidentally encrypting to the
TPM while SecureBoot is not enabled.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
 2024-07-11 22:21:47 +04:00
Noel Georgi
166d75fe88
fix: tpm2 encrypt/decrypt flow 
The previous flow was using TPM PCR 11 values to bound the policy which
means TPM cannot unseal when UKI changes. Now it's fixed to use PCR 7
which is bound to the SecureBoot state (SecureBoot status and
Certificates). This provides a full chain of trust bound to SecureBoot
state and signed PCR signature.

Also the code has been refactored to use PolicyCalculator from the TPM
library.

Signed-off-by: Noel Georgi <git@frezbo.dev>
 2023-07-14 23:58:59 +05:30
Noel Georgi
79365d9bac
feat: tpm2 based disk encryption 
Support disk encryption using tpm2 and pre-calculated signed PCR values.

Fixes: #7266

Signed-off-by: Noel Georgi <git@frezbo.dev>
 2023-07-12 20:41:28 +05:30