Changes between Version 29 and Version 30 of venice/secure_boot


Timestamp:
04/22/2024 08:09:20 PM (7 months ago)
Author:
Samuel Lee
Comment:

--

  • venice/secure_boot

    v29 v30  
    454454For our demonstration, we will just create some random data to be used as our filesystem encryption key via:
    455455{{{#!bash
    456 dd if=/dev/urandom of=fs.key bs=1 count=4096
    457 }}}
     456dd if=/dev/urandom of=fs.key bs=1 count=128
     457}}}
     458
     459In this example, we're using a 128-byte key to ensure compatibility with both TPM-enabled and non-TPM systems. According to the TPM documentation, the 'tpm2_create' command allows for the creation of a sealing object with a maximum size of 128 bytes, enabling the sealing of user data to the TPM. However, it's worth noting that the 'cryptsetup luksFormat' command supports keyfiles of up to 8192 KiB. If you're operating without a TPM, opting for a longer key generally enhances security.
    458460
    459461The init script we will use can be created like this:
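Review bot: the rationale added at line 459 conflates two unrelated limits and should be reworded so the reader does not take 128 bytes as a LUKS constraint. The 128-byte figure is the maximum size of data that `tpm2_create` can seal in one object; the 8192 KiB figure is only how much of a keyfile `cryptsetup luksFormat` will read. Since the keyfile here is uniformly random output of `/dev/urandom`, 128 bytes (1024 bits of entropy) already exceeds the entropy of any LUKS volume key, so the closing sentence "opting for a longer key generally enhances security" is not accurate for this random-keyfile case and should be dropped or qualified; the only reason to choose 128 bytes is the sealing limit, which is worth stating plainly. Two further points for the same hunk: `bs=1 count=128` issues 128 single-byte reads and could simply be `bs=128 count=1`, and the page should tell the reader to restrict the keyfile's permissions (for example `chmod 600 fs.key`) and to remove the plaintext copy once it has been sealed to the TPM, since `fs.key` is the volume's actual secret.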
     
    656658                echo "Creating Key from TPM2.0..."
    657659                tpm2_evictcontrol -C o -c $KEY_HANDLE # delete any existing key
    658                 echo "Your Keyphrase (up to 256BYTE)" > $KEY
    659660                tpm2_createpolicy --policy-pcr -l sha1:0,8 -L policy.digest #only sha1 works for our current TPM's PCRs
    660661                tpm2_createprimary -g sha256 -G rsa -c primary.context
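Review bot: removing line 658 (`echo "Your Keyphrase (up to 256BYTE)" > $KEY`) is the right fix, and the reason belongs in the change comment: that line overwrote the key file with a fixed, human-readable string every time the script ran, so the sealed secret was a known constant rather than the random key generated earlier, and its "up to 256BYTE" comment contradicted the 128-byte sealing limit documented above. Two smaller points in the surrounding context lines: `tpm2_evictcontrol -C o -c $KEY_HANDLE` will fail when no object is persisted at that handle yet, so the "delete any existing key" step should tolerate that case (for example by checking the exit status explicitly or appending `|| true` with a comment) so the first run does not abort or print a misleading error; and the `sha1:0,8` PCR selection, while the inline comment says it is all the current TPM supports, should be called out in the prose as a limitation, so that readers whose TPM exposes a sha256 PCR bank know to prefer it.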