Date: 2017-07-18 02:32 pm (UTC)
s/from the TPM//

The TPM isn't the only place we want secrets from at early boot. Additionally, we may want to use the TPM as a piece of a larger policy involving other sources.

The clevis[0] project already does this. We also ship in RHEL 7.4 and Fedora 26+. Although this initial release doesn't support TPM, we already have an active pull request for TPM support which will land in the next version.

The main challenge I see with this proposal is bringing up additional hardware (such as network). Dracut already supports this. But I assume that by "small" you are also implying "not dracut."

Another alternative is to perform all our key recovery in UEFI, which already has (hit or miss) network support and pass the key to the (trusted) kernel from there.

However, we would very much like to be in the loop of whatever you're planning.
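Added example, not code from the original post, from the commenter, or from the clevis project: a minimal model of the "TPM as one piece of a larger policy" idea above. A volume key is Shamir-split into shares, each share is recoverable only through one "pin" (a TPM unseal, a network key server, an operator passphrase), and boot proceeds when any threshold number of pins succeed, so a missing network link or a swapped TPM does not by itself brick the system or, conversely, unlock it alone. The pin names, the `PinUnavailable` exception and the demo policy are assumptions for illustration; the real clevis sss pin uses its own wire format.

```python
import secrets
from typing import Callable, Dict, Tuple

# Arithmetic in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1.
def gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(256)")
    # a^254 == a^-1 because the multiplicative group has order 255.
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def split_secret(secret: bytes, threshold: int, shares: int) -> Dict[int, bytes]:
    """Shamir split, byte by byte; share x (1..shares) is the polynomial at x."""
    if not 1 <= threshold <= shares <= 255:
        raise ValueError("need 1 <= threshold <= shares <= 255")
    out = {x: bytearray() for x in range(1, shares + 1)}
    for byte in secret:
        # Constant term is the secret byte; higher coefficients are random.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x, buf in out.items():
            y = 0
            for c in reversed(coeffs):   # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            buf.append(y)
    return {x: bytes(buf) for x, buf in out.items()}

def recover_secret(shares: Dict[int, bytes]) -> bytes:
    """Lagrange interpolation at x = 0; in characteristic 2 subtraction is XOR."""
    xs = list(shares)
    length = len(shares[xs[0]])
    result = bytearray()
    for i in range(length):
        acc = 0
        for xi in xs:
            num, den = 1, 1
            for xj in xs:
                if xj != xi:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xi ^ xj)
            acc ^= gf_mul(shares[xi][i], gf_mul(num, gf_inv(den)))
        result.append(acc)
    return bytes(result)

class PinUnavailable(Exception):
    """Assumed for this example: a pin whose backing source cannot be reached at boot."""

Pin = Callable[[], Tuple[int, bytes]]

def unlock(pins: Dict[str, Pin], threshold: int) -> bytes:
    """Try every pin; reconstruct once `threshold` distinct shares are in hand."""
    have: Dict[int, bytes] = {}
    for _name, fetch in pins.items():
        try:
            x, share = fetch()
        except PinUnavailable:
            continue                      # e.g. TPM missing, no network yet
        have[x] = share
        if len(have) >= threshold:
            break
    if len(have) < threshold:
        raise PinUnavailable(f"only {len(have)} of {threshold} shares available")
    return recover_secret(have)

# Constructed demo: a 2-of-3 policy over a TPM pin, a network key-server pin
# and an operator passphrase pin. Each demo pin just hands back its share; a
# real pin would unseal it from the TPM, fetch it over the network, or derive it.
def demo() -> Tuple[bool, bool]:
    volume_key = secrets.token_bytes(32)
    shares = split_secret(volume_key, threshold=2, shares=3)

    def tpm_pin():        return (1, shares[1])
    def network_pin():    raise PinUnavailable("no link in early boot")
    def passphrase_pin(): return (3, shares[3])

    recovered = unlock({"tpm2": tpm_pin, "tang": network_pin,
                        "passphrase": passphrase_pin}, 2)
    try:                                  # TPM alone must not be enough
        unlock({"tpm2": tpm_pin, "tang": network_pin}, 2)
        refused = False
    except PinUnavailable:
        refused = True
    return recovered == volume_key, refused

if __name__ == "__main__":
    print(demo())
```

The policy property worth noting is that the threshold, not the presence of any single source, decides whether the key exists on the machine at all: with a threshold of 2, neither a cloned TPM state nor a captured network response yields the key by itself.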

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.
