Yes, I'm talking about the key the TPM returns. According to https://github.com/systemd/systemd/blob/25d9c6cdaf82d3f627db92b69f3be3e2a68e06fa/src/cryptenroll/cryptenroll-tpm2.c#L269, this gets base64-encoded and then used just like any passphrase.
And in line 265, is forces libcryptsetup to use a minimum version of PBKDF2.
It seems they assume the key returned by the TPM has a high enough entropy to make a proper KDF unnecessary. Is this a valid assumption?
Power management, mobile and firmware developer on Linux. Security developer at nvidia. Ex-biologist. Content here should not be interpreted as the opinion of my employer. Also on Mastodon and Bluesky.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Re: systemd-cryptenroll
Date: 2023-04-18 07:55 am (UTC)And in line 265, is forces libcryptsetup to use a minimum version of PBKDF2.
It seems they assume the key returned by the TPM has a high enough entropy to make a proper KDF unnecessary. Is this a valid assumption?
-- sur5r