Timeline for Does systemd-cryptenroll encryption with a TPM bind decryption to that TPM?
Current License: CC BY-SA 4.0
7 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Sep 15 at 4:26 | comment added | grawity | | @Hari: A policy is literally a set of conditions – in this case the conditions would be such as "PolicyPCR(pcrs=[1,7] values=[12345,67890])" requiring given PCRs to match given values, that can be included with the sealed data. |
| Sep 15 at 2:54 | vote accept | Hari | | |
| Sep 15 at 2:47 | comment added | Hari | | @grawity Could you explain a bit more? I still haven't fully understood what a "policy" is. I actually asked a question about that on a separate Stack Exchange since I thought it was more general than being *nix-specific |
| Sep 14 at 15:15 | comment added | grawity | | The PCRs are not used in combination with the secret key. (The policy language is not limited to just the PCRs, either; it could e.g. check a password, and even has 'or' conditionals.) Instead, the TPM first decrypts the data+policy internally using only its secret key – holding the decrypted result in its own RAM, which is assumed as tamper-proof as its persistent secret-key storage – and if the PCRs have incorrect values (or more generally, the policy evaluation fails) then it refuses to return the result. |
| Sep 14 at 11:42 | history edited | telcoM | CC BY-SA 4.0 | added 607 characters in body |
| Sep 14 at 11:24 | history edited | telcoM | CC BY-SA 4.0 | added 258 characters in body |
| Sep 14 at 9:00 | history answered | telcoM | CC BY-SA 4.0 | |
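The comments above describe the mechanism in words: a policy is a set of conditions attached to the sealed blob, the TPM decrypts the blob with a key that never leaves it, evaluates the conditions itself (its own PCR values, optionally a password, with OR branches), and refuses to release the plaintext if evaluation fails. The following is an added example, not code from the question, the answer, systemd or any TPM library: a stdlib-only Python model of that flow. The class `ToyTPM`, the session encoding (`("PCR", ...)`, `("AUTH", ...)`, `("OR", ...)`), the secret bytes and the boot measurements are all constructed for illustration. The policy digest is built the way TPM 2.0 enhanced authorization does it (a 32-byte digest starting at zero and hash-extended by each policy command, with PolicyOR restarting from zero over the branch list) and the `TPM_CC_*` command codes are the spec values, but the PCR-selection encoding and the storage cipher are deliberately simplified, so the digests are not byte-exact with a real TPM.

```python
"""Toy model of TPM 2.0 policy-sealed data (added example, not a real TPM API)."""
import hashlib
import hmac
import os


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


ZERO32 = bytes(32)
# Real TPM 2.0 command codes; used as the per-command domain separator.
TPM_CC_PolicyOR = (0x00000171).to_bytes(4, "big")
TPM_CC_PolicyPCR = (0x0000017F).to_bytes(4, "big")
TPM_CC_PolicyAuthValue = (0x0000016B).to_bytes(4, "big")


class PolicyCheckFailed(Exception):
    """Raised instead of returning plaintext when the policy does not hold."""


class ToyTPM:
    def __init__(self):
        self._key = os.urandom(32)            # storage key: never leaves this object
        self.pcrs = {i: ZERO32 for i in range(24)}

    def extend(self, index: int, measurement: bytes) -> None:
        self.pcrs[index] = H(self.pcrs[index], measurement)

    # Policy digests are plain hashing, so anyone can precompute them off-TPM.
    @staticmethod
    def policy_pcr(digest: bytes, indices, values) -> bytes:
        sel = bytes(indices)                  # simplified; real TPM marshals a TPML_PCR_SELECTION
        pcr_digest = H(*(values[i] for i in indices))
        return H(digest, TPM_CC_PolicyPCR, sel, pcr_digest)

    @staticmethod
    def policy_auth_value(digest: bytes) -> bytes:
        return H(digest, TPM_CC_PolicyAuthValue)

    @staticmethod
    def policy_or(branches) -> bytes:
        return H(ZERO32, TPM_CC_PolicyOR, *branches)   # PolicyOR restarts the chain from zero

    def _stream(self, nonce: bytes, n: int) -> bytes:
        # Toy SHA-256 counter-mode keystream standing in for the TPM's symmetric wrapping.
        out = b"".join(H(self._key, nonce, c.to_bytes(4, "big")) for c in range(n // 32 + 1))
        return out[:n]

    def seal(self, secret: bytes, policy_digest: bytes, auth_value: bytes = b"") -> bytes:
        nonce = os.urandom(16)
        body = policy_digest + H(auth_value) + secret      # policy travels inside the blob
        ct = bytes(a ^ b for a, b in zip(body, self._stream(nonce, len(body))))
        return nonce + ct + hmac.new(self._key, nonce + ct, hashlib.sha256).digest()

    def unseal(self, blob: bytes, session) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._key, nonce + ct, hashlib.sha256).digest()):
            raise PolicyCheckFailed("not sealed by this TPM (or tampered)")
        body = bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))
        policy_digest, auth_hash, secret = body[:32], body[32:64], body[64:]
        digest = ZERO32
        for cmd, arg in session:
            if cmd == "PCR":                  # PCR values come from the TPM, not the caller
                digest = self.policy_pcr(digest, arg, self.pcrs)
            elif cmd == "AUTH":               # simplified: real TPM checks authValue at use time
                if not hmac.compare_digest(H(arg), auth_hash):
                    raise PolicyCheckFailed("wrong auth value")
                digest = self.policy_auth_value(digest)
            elif cmd == "OR":                 # current digest must be one of the listed branches
                if digest not in arg:
                    raise PolicyCheckFailed("no OR branch satisfied")
                digest = self.policy_or(arg)
        if not hmac.compare_digest(digest, policy_digest):
            raise PolicyCheckFailed("policy digest mismatch")
        return secret                         # only reached when the policy holds


def demo() -> dict:
    tpm = ToyTPM()
    tpm.extend(1, b"firmware-config-v1")      # constructed boot measurements
    tpm.extend(7, b"secure-boot-state")
    branch_pcr = tpm.policy_pcr(ZERO32, [1, 7], dict(tpm.pcrs))
    branch_pw = tpm.policy_auth_value(ZERO32)
    policy = tpm.policy_or([branch_pcr, branch_pw])     # PCRs 1+7 match, OR recovery password
    blob = tpm.seal(b"luks-key-material", policy, auth_value=b"recovery-pw")
    or_step = ("OR", [branch_pcr, branch_pw])
    out = {"pcr_ok": tpm.unseal(blob, [("PCR", [1, 7]), or_step])}
    tpm.extend(7, b"different-bootloader")    # boot state changed: PCR branch now fails
    try:
        tpm.unseal(blob, [("PCR", [1, 7]), or_step])
        out["pcr_after_change"] = "released"
    except PolicyCheckFailed:
        out["pcr_after_change"] = "refused"
    out["pw_after_change"] = tpm.unseal(blob, [("AUTH", b"recovery-pw"), or_step])
    try:                                      # same blob, different TPM: different storage key
        ToyTPM().unseal(blob, [("AUTH", b"recovery-pw"), or_step])
        out["other_tpm"] = "released"
    except PolicyCheckFailed:
        out["other_tpm"] = "refused"
    return out
```

Two things the model makes visible that the prose only states: the policy digest is nothing more than a hash chain, so the caller can compute it and hand it to `seal`, but cannot influence the values the TPM feeds into the PCR step at unseal time; and the blob is bound to the TPM twice, by the storage key (the `other_tpm` case) and by the policy (the `pcr_after_change` case). With real tooling, `systemd-cryptenroll --tpm2-pcrs=` chooses which PCRs go into the PolicyPCR condition.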