[Bug 260138] TPM2 Support in bootloader / kernel in order to retrieve GELI passphrase

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 15 Dec 2021 11:37:52 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260138

--- Comment #1 from s.adaszewski@gmail.com ---
Added hard-coded PCR Extend on PCR8 to secure the case when the passphrase is
stored in the TPM but not retrieved. Bootloader permits the boot of an
arbitrary environment if the passphrase is not retrieved (i.e. no
/.passphrase_marker check), therefore it needs to be ensured that the policy
protecting the passphrase NVIndex includes PCR8 and therefore denies future
access in such a case.

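The effect described in the comment above, as an added Python model that is not part of the bug report or its patch: it computes the TPM 2.0 `TPM2_PolicyPCR` digest in software and shows that an NV index policy covering PCR8 stops matching once the loader extends PCR8, while a policy that omits PCR8 still matches. The PCR contents, the extended value and the use of PCR7 as the "other" PCR are constructed assumptions.

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F  # TPM 2.0 command code for TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B         # TPM 2.0 algorithm id for the SHA-256 bank

def pcr_extend(old: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || digest). One-way until reset."""
    return hashlib.sha256(old + digest).digest()

def policy_pcr(pcrs: dict, selected: list) -> bytes:
    """Policy digest a fresh session holds after a single TPM2_PolicyPCR."""
    bitmap = bytearray(3)                      # 24 PCRs, one bit each
    for i in selected:
        bitmap[i // 8] |= 1 << (i % 8)
    # Marshalled TPML_PCR_SELECTION: count, hash alg, sizeofSelect, bitmap
    selection = struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)
    pcr_digest = hashlib.sha256(
        b"".join(pcrs[i] for i in sorted(selected))).digest()
    return hashlib.sha256(bytes(32) + struct.pack(">I", TPM_CC_POLICY_PCR)
                          + selection + pcr_digest).digest()

def nv_read_allowed(auth_policy: bytes, pcrs: dict, selected: list) -> bool:
    """The TPM releases the NV index only if the session digest equals authPolicy."""
    return policy_pcr(pcrs, selected) == auth_policy

def scenario() -> dict:
    # Constructed values; real PCR contents come from firmware/loader measurements.
    boot = {7: hashlib.sha256(b"constructed PCR7 state").digest(), 8: bytes(32)}
    lock = hashlib.sha256(b"constructed hard-coded loader value").digest()
    with_pcr8 = policy_pcr(boot, [7, 8])     # authPolicy that includes PCR8
    without_pcr8 = policy_pcr(boot, [7])     # authPolicy that omits PCR8
    before = nv_read_allowed(with_pcr8, boot, [7, 8])
    later = dict(boot)
    later[8] = pcr_extend(boot[8], lock)     # loader extends PCR8 before hand-off
    return {
        "loader_before_extend": before,
        "after_extend_policy_with_pcr8":
            nv_read_allowed(with_pcr8, later, [7, 8]),
        "after_extend_policy_without_pcr8":
            nv_read_allowed(without_pcr8, later, [7]),
    }

if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case}: {'read allowed' if allowed else 'read denied'}")
```
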