
TPM-backed config encryption
Closed, Resolved | Public | Feature Request

Description

Looking into the viability of adding support for TPM-backed encryption of /config data.

Various factors to consider:

  • Which PCRs to require to ensure hardware/software integrity (End user configurable?)
  • Handling failed config decryption on boot (Fallback config?)
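The two design points above (which PCRs to bind to, and what to do when unsealing fails at boot) can be illustrated with a small model. The following is an added example, not VyOS code and not the implementation that later landed: the TPM is simulated so it runs without hardware, and the `SimulatedTPM`, `measured_boot`, `load_config_at_boot` names and the sample configuration are assumptions made here. The `pcr_policy_digest` function follows the TPM 2.0 definition of TPM2_PolicyPCR (policy digest extended with the command code, the marshalled PCR selection and the digest of the selected PCR values), so for a given selection and PCR values it should match what `tpm2_createpolicy --policy-pcr` reports on real hardware.

```python
"""Model of TPM-backed /config sealing to a PCR policy, with a boot-time fallback when the
policy no longer matches. Added example, not VyOS code; the TPM is simulated, no hardware."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

TPM_CC_POLICY_PCR = 0x0000017F  # TPM 2.0 command code of TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B         # algorithm id of the SHA-256 PCR bank
PCR_COUNT = 24

def marshal_pcr_selection(pcr_indexes):
    """TPML_PCR_SELECTION, one SHA-256 entry: count(4) | alg(2) | sizeofSelect(1) | bitmap(3)."""
    bitmap = bytearray(3)
    for i in pcr_indexes:
        bitmap[i // 8] |= 1 << (i % 8)
    return (1).to_bytes(4, "big") + TPM_ALG_SHA256.to_bytes(2, "big") + b"\x03" + bytes(bitmap)

def pcr_policy_digest(expected_pcrs):
    """authPolicy that TPM2_PolicyPCR yields on a fresh session (TPM 2.0 Part 3, 23.7):
    H(0^32 || TPM_CC_PolicyPCR || pcrSelection || H(selected PCR values in index order))."""
    idx = sorted(expected_pcrs)
    pcr_digest = hashlib.sha256(b"".join(expected_pcrs[i] for i in idx)).digest()
    return hashlib.sha256(bytes(32) + TPM_CC_POLICY_PCR.to_bytes(4, "big")
                          + marshal_pcr_selection(idx) + pcr_digest).digest()

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, standing in for the TPM's symmetric protection of objects."""
    return b"".join(hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
                    for c in range((n + 31) // 32))[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class SealedBlob:
    auth_policy: bytes   # policy digest demanded at unseal; the PCR values themselves are not stored
    pcr_selection: list  # PCRs the caller must present at unseal, kept beside the blob
    ciphertext: bytes    # nonce || data encrypted under the TPM-internal seed

class SimulatedTPM:
    """Models two properties of a real TPM: sealed data is recoverable only with a seed that never
    leaves the chip, and unseal succeeds only while the live PCR policy digest equals authPolicy."""

    def __init__(self):
        self._seed = os.urandom(32)  # assumption: stands in for the storage hierarchy seed
        self.reset()

    def reset(self):
        self.pcrs = {i: bytes(32) for i in range(PCR_COUNT)}  # platform reset zeroes PCRs; seed persists

    def extend(self, index, measurement):
        """PCR extend as firmware and bootloader perform it: PCR = H(PCR || H(measurement))."""
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + hashlib.sha256(measurement).digest()).digest()

    def seal(self, data, pcr_indexes):
        policy = pcr_policy_digest({i: self.pcrs[i] for i in pcr_indexes})
        nonce = os.urandom(16)
        return SealedBlob(policy, sorted(pcr_indexes), nonce + _xor(data, _keystream(self._seed, nonce, len(data))))

    def unseal(self, blob):
        live = pcr_policy_digest({i: self.pcrs[i] for i in blob.pcr_selection})
        if not hmac.compare_digest(live, blob.auth_policy):
            raise PermissionError("TPM_RC_POLICY_FAIL: live PCR state does not satisfy authPolicy")
        nonce, ct = blob.ciphertext[:16], blob.ciphertext[16:]
        return _xor(ct, _keystream(self._seed, nonce, len(ct)))

def load_config_at_boot(tpm, sealed_config, fallback_config):
    """Returns (config, used_fallback). A policy failure (firmware or bootloader changed, so the
    PCRs differ) must not brick the router: boot a known fallback so the operator can re-seal."""
    try:
        return json.loads(tpm.unseal(sealed_config)), False
    except PermissionError:
        return fallback_config, True

def measured_boot(tpm, firmware, bootloader):
    """Constructed boot chain using TCG PC Client PCR usage: 0 firmware, 4 boot manager, 7 Secure Boot."""
    tpm.reset()
    tpm.extend(0, firmware)
    tpm.extend(4, bootloader)
    tpm.extend(7, b"secure-boot-db-v1")

# Constructed sample data, not a real VyOS configuration.
SAMPLE_CONFIG = {"interfaces": {"ethernet": {"eth0": {"address": "192.0.2.1/24"}}}}
FALLBACK_CONFIG = {"system": {"host-name": "vyos-recovery"}}

def demo():
    tpm = SimulatedTPM()
    measured_boot(tpm, b"firmware-v1", b"grub-2.06")
    sealed = tpm.seal(json.dumps(SAMPLE_CONFIG).encode(), [0, 4, 7])
    measured_boot(tpm, b"firmware-v1", b"grub-2.06")   # normal reboot: same software, same PCRs
    normal = load_config_at_boot(tpm, sealed, FALLBACK_CONFIG)
    measured_boot(tpm, b"firmware-v2", b"grub-2.06")   # firmware updated: PCR 0 changes
    updated = load_config_at_boot(tpm, sealed, FALLBACK_CONFIG)
    return {"normal": normal, "after_firmware_update": updated}

if __name__ == "__main__":
    print(demo())
```

Two caveats a real design has to carry over from this model. First, the PCR list is the whole trade-off: binding to PCR 0 means every firmware update (or a BIOS settings change on some platforms) invalidates the seal until the config is re-sealed under the new values, while binding only to PCR 7 tolerates such updates but stops detecting them; making the list operator-configurable, as the description asks, moves that choice to whoever owns the upgrade procedure. Second, the fallback path must be designed so that a policy failure leaves the sealed data unreadable and the box reachable on a known minimal config, rather than either hanging at boot or silently continuing with stale state. The model seals the configuration bytes directly for brevity; a sealed object holds only a small amount of data in practice, so a real implementation seals a key and encrypts /config with it.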

Details

Version
1.5
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

sarthurdev triaged this task as Wishlist priority.
sarthurdev edited a custom field.
sarthurdev changed Version from - to 1.4.
syncer changed the task status from Open to In progress. Jan 6 2023, 10:04 PM

@sdev take a look over these repositories:

https://github.com/stefanberger/swtpm/tree/master

https://github.com/stefanberger/swtpm/wiki

It appears to be the most straightforward and runs in several virtual environments. @Viacheslav @c-po

@fernando See here: https://github.com/vyos/vyos-build/pull/297

Once the new install tools are complete and merged into 1.5, I will update the TPM PRs and mark them ready for review.

sarthurdev changed the task status from In progress to Needs testing. Feb 20 2024, 11:49 AM
sarthurdev removed a project: VyOS 1.4 Sagitta.
sarthurdev changed Version from 1.4 to 1.5.
sarthurdev moved this task from Open to In Progress on the VyOS 1.5 Circinus board.
sarthurdev moved this task from In Progress to Finished on the VyOS 1.5 Circinus board.