Automatic GELI passphrase from TPM2 - ensuring that the next stage is secure

Hello All, I am working on /usr/src/stand/efi/loader to enable reading a GELI passphrase from TPM2. I am almost there TPM2-wise; however, in order to make the automatic boot secure I need to make sure that whatever is booted next cannot retrieve the kern.geom.eli.passphrase kernel environment variable UNLESS the kernel, modules and the root filesystem are placed on the GELI device decrypted using that passphrase. I do not suspect that receiving an answer on the forums is possible, but could you please recommend the appropriate mailing list to reach out to the developers with the best chance of having the required know-how? Thank you in advance.

My question would be: what is the best way to architect this solution? Is there a single point in the bootloader where one can ensure that the kernel, modules and root filesystem are placed on the appropriate GELI device, and unset kern.geom.eli.passphrase otherwise?