Description
With systemd we can implement a full disk encryption solution. It is fully supported on Tumbleweed and MicroOS, and it has the advantage of being implemented as a set of user-space tools.
With systemd-cryptenroll we can enroll a TPM2 that seals a LUKS2 key. The key is released to systemd-cryptsetup only if the health of the system is attested, meaning that the PCR values recorded during measured boot match the policy the key was sealed against, so no component of the boot chain (from the firmware to the kernel, initrd and command line) has been altered. When enrolling the TPM2 we can also register a PIN (tpm2+pin): besides the validation of the system, the TPM2 will unseal the key only if the user provides the secret PIN.
Another option is to enroll a FIDO2 key, which validates that the user unlocking the system is the expected one, since they are in possession of the physical key.
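The two enrollments described above, as an added example that is not code from this page or from the systemd project. It builds the systemd-cryptenroll invocations and the matching crypttab line; the device path, the PCR selection and the DRY_RUN switch are assumptions of this script, and DRY_RUN=1 (the default) only prints the commands, because a real enrollment needs a LUKS2 volume, a TPM2 and a FIDO2 token.

```shell
#!/bin/sh
# Added example (not from the Hack Week page or from systemd): enroll a
# LUKS2 volume with tpm2+pin and with a FIDO2 key using systemd-cryptenroll,
# then emit the crypttab line that lets systemd-cryptsetup use both.
# Assumptions: /dev/sda2 is the LUKS2 volume, PCR 7 is the policy to bind
# to, and DRY_RUN=1 (default) prints the commands instead of running them.
set -u
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# tpm2+pin: seal the volume key to the PCR policy (PCR 7 = Secure Boot
# policy, systemd's default) and additionally require a PIN. The PIN comes
# from $PIN if set, otherwise it is prompted for; the existing volume
# password comes from $PASSWORD or a prompt.
tpm2_pin_enroll_cmd() {
    dev="$1"; pcrs="${2:-7}"
    printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=%s --tpm2-with-pin=yes %s' "$pcrs" "$dev"
}

# fido2: bind a key slot to the hmac-secret of a credential on the token.
# User presence (a touch) is required so a plugged-in token cannot be used
# to unlock silently.
fido2_enroll_cmd() {
    dev="$1"
    printf 'systemd-cryptenroll --fido2-device=auto --fido2-with-user-presence=yes %s' "$dev"
}

# crypttab entry so systemd-cryptsetup tries the TPM2 and the FIDO2 slot.
# Caveat: these are two independent LUKS2 key slots, so EITHER factor alone
# opens the volume (an OR, not the AND the project is after).
crypttab_line() {
    name="$1"; dev="$2"
    printf '%s %s - tpm2-device=auto,fido2-device=auto\n' "$name" "$dev"
}

main() {
    dev="${1:-/dev/sda2}"   # assumed LUKS2 volume
    # shellcheck disable=SC2046
    run $(tpm2_pin_enroll_cmd "$dev" 7)
    # shellcheck disable=SC2046
    run $(fido2_enroll_cmd "$dev")
    run systemd-cryptenroll "$dev"   # with no options: list the enrolled slots
    printf '/etc/crypttab line:\n'
    crypttab_line root "$dev"
}
main "$@"
```

Run it as root with DRY_RUN=0 against the real volume, and enroll a recovery key (systemd-cryptenroll --recovery-key) before binding anything to the TPM2, since a firmware update that changes PCR 7 will stop the TPM2 slot from unlocking. PCR 7 alone only binds to the Secure Boot policy; to also cover the kernel, initrd and command line the page talks about, the key has to be bound to the PCRs those are measured into (for a UKI booted through systemd-stub that is PCR 11, preferably through the signed-policy support of --tpm2-public-key so kernel updates do not break unlocking).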
Goals
With this Hack week project we want to combine both components in a single one (tpm2+key), not very different from tpm2+pin, so the device will open only if the system is checked as healthy AND the user is in possession of the FIDO2 key
We have different approaches for that. The direct one is to use the hmac byte stream generated by the FIDO2 as a PIN for the tpm2+pin model. Another option (preferred) is to research the feature of the TPM2 that can pull an input from an external device after the check of the PCR policy.
Resources
- https://github.com/systemd/systemd
- https://trustedcomputinggroup.org/resource/a-practical-guide-to-tpm-2-0/
This project is part of:
Hack Week 24