Currently, key rotation via fdectl regenerate-key is used to revoke all released TPM2-sealed keys. However, the procedure can be a bit risky because it changes key slots. Using TPM2 policynv may provide a better approach here, since a counter or timestamp can be matched to validate TPM keys before they are used.
Goal for this Hackweek
- Write a PoC that uses policynv in the session of an authorized PCR policy to validate a sealed key
- Make pcr-oracle able to create an NV index and use policynv to authorize keys against a counter or timestamp in the index
- Add policynv support to grub so that its tpm2 protector can use it in the key unsealing process
- If this works, fde-tools may use it as another method to invalidate old keys and prevent rollback attacks
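
A model of the revocation idea described above, added here as an illustration and not taken from the project, pcr-oracle, or grub: it computes the policyDigest extension that the TPM 2.0 specification defines for PolicyNV and shows that bumping an NV counter invalidates a key sealed against the old value. The ModelTPM class, the helper names, the 8-byte counter layout, and the PCR digest and NV index Name are constructed assumptions.

```python
import hashlib
import struct

TPM_CC_POLICY_NV = 0x00000149   # TPM 2.0 command code for TPM2_PolicyNV
TPM_EO_EQ = 0x0000              # TPM_EO: NV data == operandB
TPM_EO_UNSIGNED_LE = 0x0009     # TPM_EO: NV data <= operandB (unsigned)

def policy_nv_digest(old, nv_name, operand_b, offset, op):
    """policyDigest extension the TPM 2.0 spec defines for PolicyNV (SHA-256)."""
    args = hashlib.sha256(operand_b + struct.pack(">HH", offset, op)).digest()
    return hashlib.sha256(old + struct.pack(">I", TPM_CC_POLICY_NV) + args + nv_name).digest()

class ModelTPM:
    """Toy model (hypothetical): one NV counter plus the unseal policy check."""
    def __init__(self, nv_name, counter):
        self.nv_name, self.counter = nv_name, counter

    def increment(self):               # the revocation step: bump the counter
        self.counter += 1

    def policy_nv(self, digest, operand_b, op, offset=0):
        """Immediate assertion: compare NV data with operandB, then extend."""
        nv = struct.pack(">Q", self.counter)[offset:offset + len(operand_b)]
        ok = nv == operand_b if op == TPM_EO_EQ else nv <= operand_b
        if not ok:
            raise PermissionError("TPM_RC_POLICY: NV comparison failed")
        return policy_nv_digest(digest, self.nv_name, operand_b, offset, op)

    def unseal(self, sealed, session_digest):
        if session_digest != sealed["auth_policy"]:
            raise PermissionError("TPM_RC_POLICY_FAIL: digest mismatch")
        return sealed["secret"]

def seal(secret, pcr_digest, nv_name, generation, op=TPM_EO_EQ):
    """Bind a secret to 'PCR policy, then NV counter <op> generation'."""
    operand = struct.pack(">Q", generation)
    return {"secret": secret, "generation": generation, "op": op,
            "auth_policy": policy_nv_digest(pcr_digest, nv_name, operand, 0, op)}

def try_unseal(tpm, sealed, pcr_digest, claimed_generation=None):
    """Run the policy session; return the secret or the failure reason."""
    gen = sealed["generation"] if claimed_generation is None else claimed_generation
    try:
        d = tpm.policy_nv(pcr_digest, struct.pack(">Q", gen), sealed["op"])
        return tpm.unseal(sealed, d)
    except PermissionError as exc:
        return str(exc)

# Constructed stand-ins: digest left by the PCR policy step, and the NV index Name.
PCR_DIGEST = hashlib.sha256(b"constructed PolicyPCR result").digest()
NV_NAME = b"\x00\x0b" + hashlib.sha256(b"constructed NV public area").digest()
```

After the counter is incremented, a key sealed against the old value fails at the PolicyNV comparison, and asserting the new value instead passes the comparison but produces a digest that no longer matches the old key's authPolicy.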
This project is part of:
Hack Week 23