tokyobreakfast 20 hours ago

> an external key file imported into initrd

This is exceptionally poor advice. This is why TPM exists. Unfortunately adoption is low with the Linux crowd because they still believe the misinformation from 20 years ago.

yrro 17 hours ago

I've lost faith that Linux distros will ever fix the problem where some PCR changes and the TPM refuses to unseal the key... the user is left with a recovery passphrase prompt & no way to verify whether they have been attacked by the 'evil maid', or whether it was just because of a kernel or kernel command line or initrd or initrd module change, etc.
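An added illustration of the failure mode described in this comment (example code written for this thread, not from any commenter or distro): a small simulation of TPM PCR extension and PCR-bound sealing. The boot-component labels, the key-wrapping scheme and the `seal`/`unseal` helpers are assumptions that model TPM semantics rather than calls into a real TPM; the PCR extend rule itself (new = H(old || H(event))) matches what a TPM does. It shows that a benign initrd update, a kernel command-line change and a tampered kernel all collapse into the same observable outcome, a failed unseal, which is exactly why the user ends up at the recovery prompt with nothing to tell the cases apart.

```python
"""Simulated measured boot + PCR-sealed disk key (educational model, not a TPM API)."""
import hashlib
import hmac
import secrets
from typing import Optional

PCR_SIZE = 32
PCR_INITIAL = bytes(PCR_SIZE)  # PCRs read as all zeros after reset


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || H(event)).
    Order matters and a PCR cannot be set back to a previous value."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(components: list) -> bytes:
    """Measure each boot component in order into a single PCR."""
    pcr = PCR_INITIAL
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def seal(secret: bytes, pcr_value: bytes) -> dict:
    """Bind a secret (<= 32 bytes) to a PCR value.
    Assumption: modelled as wrapping with a key derived from the PCR digest;
    a real TPM enforces this via a PCR policy, not via a derived key."""
    wrap = hashlib.sha256(b"seal-kdf" + pcr_value).digest()
    ct = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(wrap, ct, "sha256").digest()
    return {"ct": ct, "tag": tag}


def unseal(blob: dict, pcr_value: bytes) -> Optional[bytes]:
    """Return the secret only if the current PCR matches the sealing PCR.
    On mismatch the caller gets no key material and no hint of *why*."""
    wrap = hashlib.sha256(b"seal-kdf" + pcr_value).digest()
    expected = hmac.new(wrap, blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], wrap))


# Constructed sample boot chain; the labels stand in for real binaries.
KERNEL_V1 = b"vmlinuz-6.1"
CMDLINE = b"root=/dev/mapper/root quiet"
INITRD_V1 = b"initrd.img-6.1"


def boot_and_unseal(blob: dict, components: list) -> str:
    """What the user sees at boot for a given measured chain."""
    key = unseal(blob, measure_boot(components))
    return "unlocked" if key is not None else "recovery passphrase prompt"


def demo(disk_key: Optional[bytes] = None) -> dict:
    """Seal a key against the golden boot, then boot several variants."""
    if disk_key is None:
        disk_key = secrets.token_bytes(32)  # constructed stand-in for a LUKS volume key
    golden = measure_boot([KERNEL_V1, CMDLINE, INITRD_V1])
    blob = seal(disk_key, golden)
    return {
        "same boot chain": boot_and_unseal(blob, [KERNEL_V1, CMDLINE, INITRD_V1]),
        "legitimate initrd update": boot_and_unseal(
            blob, [KERNEL_V1, CMDLINE, b"initrd.img-6.1+extra-module"]),
        "changed kernel command line": boot_and_unseal(
            blob, [KERNEL_V1, CMDLINE + b" loglevel=7", INITRD_V1]),
        "tampered kernel": boot_and_unseal(
            blob, [b"vmlinuz-6.1-modified", CMDLINE, INITRD_V1]),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:30s} -> {outcome}")
```

Every scenario except the unchanged chain yields the identical "recovery passphrase prompt", which is the point: the unseal failure carries no information about which component moved. On a real system the TCG event log (exposed by the kernel under the securityfs tpm0 directory) records each measurement, so an administrator can diff the log against the expected update, but that check is something the operator has to do by hand; the sealing mechanism itself cannot tell a package upgrade from tampering.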

Joel_Mckay 19 hours ago

It is common to remote mount JBOD over initrd dropbear ssh using sector level strip signature checking, predicted S.M.A.R.T. power-cycle-count/hours/serial, proc structure, and an ephemeral key. SELinux is also quite robust in access permission handling.

TPM collocates a physical key on the same host, incurs its own set of trade-offs with failures or physical access in dormancy, and requires trusting yet another vendor supply chain. There are always better options, but since the Intel Management Engine can access TPM... such solutions incur new problems. Privilege escalation through TPM Sniffing is also rather trivial these days.

Have a great day. =3

dist-epoch 16 hours ago

People stopped using dedicated TPM about 10 years ago exactly because it's trivial to sniff it.

Nowadays you use the fTPM built inside the CPU. And if you don't trust the CPU maker, well, you have bigger problems.

mmh0000 8 hours ago

You really shouldn't trust the CPU maker.

On Intel & AMD, both have a "hidden core" (i.e., a 4-core processor is really a 5-core processor), and they run proprietary, closed-source operating systems that literally no one outside of Intel or the NSA has any idea what they do.

We do know it has full access to the fTPM, RAM, and Network.

We also know that the NSA has a special contract to obtain Intel processors with the IME disabled... Why would they want that if the processors were trustworthy[1]?

[1] https://web.archive.org/web/20170830201623/https://hardocp.c...

Joel_Mckay 10 hours ago

A decade old hidden MINIX OS/IME probably shouldn't be trusted, regardless of company government ownership percentages. My point was the TPM method assumes no one with malicious intent works at these firms for $8/hour, patched your shipment en route as a state sponsored thief, or installs an OS that quietly mirrors keys into the cloud.

The best plans simply don't require secrecy. ymmv

Have a glorious day =3