TPM usage
John Smiley
TPM with proper BIOS support (required for Anti Evil Maid)
Is that it?
Qubes does not use the TPM for disk encryption?
unman
If you want to have luks+TPM you could set this up, but it isnt
supported on a Fedora install afaik
John Smiley
Ivan Mitev
On 12/15/18 8:00 AM, John Smiley wrote:
> So Xen just sets up LUKS without the TPM even if it’s there?
(eg. initramfs-4.14.[...].img).
You'll have to tweak the ramdisk if you want to unlock your luks volume
with TPM. There's probably some doc on the web about how to do that (try
to search if it's been done on Fedora since Qubes is based on it).
John Smiley
Bjoern Christoph
> I thought that the TPM provided hardware accelerated block encryption ciphers in addition to key storage. The Wikipedia page for TPM certainly makes it sound that way but I can find nothing indicating that LUKS uses those capabilities when present.
The TPM features afaik a random number generator (which Linux correctly does not trust but uses as additional input), encryption ciphers and data storage.
E.g. meaning you input some data, store it in the TPM chip in encrypted format and can later verify a given input against the existing encrypted data. That way you do not expose the encrypted data which would be the basis for attacks on it. Without the knowledge of what you are looking for you would need to use brute force attacks which TPM prevents (iirc it will even destroy the TPM hardware internally to make this attack impossible).
But it surely does not have "hardware acceleration" in the sense that you input data, state to execute AES256 on it and get the data back. The bus is too slow for that and that's not the use case either.
So maybe you can use LUKS in the sense that it checks the password you entered against that stored on the TPM but that is all.
And to make it worse - Linux does not yet support TPM 2.0 properly, so if that is what your board offers LUKS wont work with it (I guess). Qubes for example cannot use the TPM I bought as it' 2.x.
And although my board features a TPM slot for 1.x and 2.x - the 1.x TPM chip, if it would work, is a magnitude more expensive and very hard to get.
unman
> So Xen just sets up LUKS without the TPM even if it’s there?
>
If you want to use TPM+luks you can do so, but not on install by
default.
Eric Duncan
TPM is not used by Qubes by default.
The additional hardening featured called AEM (Anti-Evil Maid) is the only feature of Qubes that uses the TPM.
One thing to note: there are LUKS+TPM versions out there. But my research led me to older versions that don't work on the newest TPM chips.
Also, most govt bodies will have access to the TPM chip to download the binary since they have the root CA used for the bios secure boot. So it won't prevent them access to the TPM keys.
Therefore, it's best to think of TPM as two-factor auth: always combine your long passphrase + TPM for a combination that will be unique. And the LUKS+TPM project is dead for that. So oh well...
AES hardware acceleration happens in your CPU, FYI. And usually the more higher end ones.
brenda...@gmail.com
> AES hardware acceleration happens in your CPU, FYI. And usually the more higher end ones.
I would wager that any CPU that meets the Qubes R4 requirements (e.g. Intel VT-d + EPT or similar AMD features) assuredly implements the AES-NI opcodes.
Not that what you said indicates otherwise, but just to clarify. :)
Brendan
Eric Duncan
True true. Though, I've had an old Core i5 that did not have AES-NI... And yet, the N4200 Pentium quad core in my tiny UP Squared does! Go figure.