Page MenuHomeVyOS Platform
Create Task
Maniphest T4919

TPM-backed config encryption
In progress, WishlistPublicFEATURE REQUEST
Actions

Description

Looking into viability of adding support for TPM-backed encryption of /config data

Various factors to consider:

  • Which PCRs to require to ensure hardware/software integrity (End user configurable?)
  • Handling failed config decryption on boot (Fallback config?)

Details

Difficulty level
Hard (possibly days)
Version
1.4
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

sdev created this task.Jan 6 2023, 7:44 PM
sdev claimed this task.Jan 6 2023, 7:48 PM
sdev triaged this task as Wishlist priority.
sdev changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
sdev changed Version from - to 1.4.
syncer changed the task status from Open to In progress.Jan 6 2023, 10:04 PM
c-po awarded a token.Jan 7 2023, 8:36 AM
pasik added a subscriber: pasik.Jan 7 2023, 11:23 AM
sdev added a comment.Jan 7 2023, 12:03 PM

Draft PR: https://github.com/vyos/vyos-1x/pull/1740

Viacheslav added a project: VyOS 1.5 Circinus.Sep 1 2023, 8:07 AM
fernando added subscribers: Viacheslav, c-po, fernando.Sep 6 2023, 1:28 PM

@sdev take a look over these repository :

https://github.com/stefanberger/swtpm/tree/master

https://github.com/stefanberger/swtpm/wiki

It appears to be the most straightforward and run several virtual environments @Viacheslav @c-po

sdev added a comment.Sep 13 2023, 9:35 AM

@fernando See here: https://github.com/vyos/vyos-build/pull/297

Once the new install tools are complete and merged into 1.5, I will update the TPM PRs and mark them ready for review.

fernando added a comment.Sep 13 2023, 4:39 PM

@sdev greats !!!

GernhardReinlunzen added a subscriber: GernhardReinlunzen.Sep 16 2023, 1:42 PM