Bug 1868681 - RFE: If choosing disk encryption and there's a TPM2 available optionally enroll credentials in the TPM2 for automated unlock
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1869299
Reported: 2020-08-13 13:14 UTC by Peter Robinson
Modified: 2020-08-26 11:29 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1869299
Environment:
Last Closed:
Type: Bug
Embargoed:


Attachments
anaconda-ks-tpm2.cfg (1.60 KB, text/plain), 2020-08-26 11:29 UTC, Javier Martinez Canillas

Description Peter Robinson 2020-08-13 13:14:35 UTC
TPM2 modules are now widely available due to Microsoft mandating them for Windows 10 logo certification, and next year they will be a requirement for Windows Server. They are essential for device edge and IoT.

Add the ability to auto-enroll credentials into a TPM2 if the required components are available in the install. Support doing this via both the UX and kickstart.

The software components are: clevis, clevis-luks, clevis-dracut, clevis-systemd and soon clevis-pin-tpm2 (new component required for some use cases with Secure Boot).

There needs to be a TPM2 module at /dev/tpmX, and the TPM2 kernel resource manager will be used if available (/dev/tpmrmX).

Comment 1 Javier Martinez Canillas 2020-08-26 11:29:29 UTC
Created attachment 1712674 [details]
anaconda-ks-tpm2.cfg

I'm attaching an example kickstart file that finds a LUKS volume and binds it to the clevis tpm2 pin.

The heuristic to find the LUKS volume is not nice but at least should give an idea of the functionality that is needed for this RFE.
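An added example, not the attached anaconda-ks-tpm2.cfg and not anaconda code: helpers a kickstart %post section could use to locate LUKS containers from `blkid -o export` output and assemble the `clevis luks bind` TPM2 command. Assumed: a TPM2 node at /dev/tpmrm0 or /dev/tpm0, PCR 7 (Secure Boot state) as the sealing policy, and constructed blkid output standing in for the real device scan.

```shell
#!/bin/bash
# Added example (not the attached kickstart): helpers a %post section could use to
# find LUKS containers and enroll them in the TPM2 via clevis. Sample data is constructed.

# Constructed stand-in for `blkid -o export` output (real key names, made-up values).
SAMPLE_BLKID='DEVNAME=/dev/vda1
TYPE=vfat
UUID=1234-ABCD

DEVNAME=/dev/vda2
TYPE=xfs
UUID=aaaaaaaa-0000-0000-0000-000000000001

DEVNAME=/dev/vda3
TYPE=crypto_LUKS
UUID=bbbbbbbb-0000-0000-0000-000000000002'

# Read blkid export records on stdin; print DEVNAME of every crypto_LUKS container.
find_luks_devices() {
    awk -F= '$1 == "DEVNAME" { dev = $2 }
             $1 == "TYPE" && $2 == "crypto_LUKS" { print dev }'
}

# Presence check: prefer the kernel TPM2 resource manager (/dev/tpmrmX), fall back
# to the raw device. clevis selects the TPM itself; this only decides whether to enroll.
tpm2_device() {
    if [ -c /dev/tpmrm0 ]; then echo /dev/tpmrm0
    elif [ -c /dev/tpm0 ]; then echo /dev/tpm0
    else return 1
    fi
}

# Build the clevis command for one container. PCR 7 (Secure Boot state) is the
# assumed policy; "-k -" makes clevis read the existing LUKS passphrase from stdin,
# which is what a non-interactive %post needs.
clevis_bind_cmd() {
    local dev="$1" pcrs="${2:-7}"
    printf "clevis luks bind -d %s -k - tpm2 '{\"pcr_ids\":\"%s\"}'\n" "$dev" "$pcrs"
}

# Dry run: print one bind command per LUKS container, or skip cleanly when the
# machine has no TPM2 so the rest of %post still completes.
enroll_all() {
    tpm2_device >/dev/null || { echo "no TPM2 device found, skipping" >&2; return 0; }
    printf '%s\n' "$SAMPLE_BLKID" | find_luks_devices | while read -r dev; do
        clevis_bind_cmd "$dev"   # a real %post would feed the passphrase and run this
    done
}

enroll_all
```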
