Page MenuHomeVyOS Platform

TPM-backed config encryption
Needs testing, WishlistPublicFEATURE REQUEST

Description

Looking into viability of adding support for TPM-backed encryption of /config data

Various factors to consider:

  • Which PCRs to require to ensure hardware/software integrity (End user configurable?)
  • Handling failed config decryption on boot (Fallback config?)

Details

Difficulty level
Hard (possibly days)
Version
1.5
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

sarthurdev triaged this task as Wishlist priority.
sarthurdev changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
sarthurdev changed Version from - to 1.4.
syncer changed the task status from Open to In progress.Jan 6 2023, 10:04 PM

@sdev take a look over these repository :

https://github.com/stefanberger/swtpm/tree/master

https://github.com/stefanberger/swtpm/wiki

It appears to be the most straightforward and run several virtual environments @Viacheslav @c-po

@fernando See here: https://github.com/vyos/vyos-build/pull/297

Once the new install tools are complete and merged into 1.5, I will update the TPM PRs and mark them ready for review.

sarthurdev changed the task status from In progress to Needs testing.Tue, Feb 20, 11:49 AM
sarthurdev removed a project: VyOS 1.4 Sagitta.
sarthurdev changed Version from 1.4 to 1.5.
sarthurdev moved this task from Need Triage to In Progress on the VyOS 1.5 Circinus board.