https://openid-provider.appspot.com/neversphere ([identity profile] https://openid-provider.appspot.com/neversphere) wrote in [personal profile] mjg59 2023-12-10 04:19 pm (UTC)

> We can't use the TPM because there's no secure communications channel between the fingerprint reader and the TPM, so we can't configure the TPM to release secrets only if an associated fingerprint is provided.

Is there no privative in fingerprint readers to sign a blob only when a valid fingerprint is provided? If so you could do something like:

1) Gnome tells the TPM to start an unlock action
2) TPM generates a nonce which includes time, returns it so Gnome
3) OS sends this off to fingerprint reader
4) OS prompts the user to touch their fingerprint
5) Fingerprint matches, reader signs the nonce, returns it to OS
6) OS returns it to TPM
7) TPM verifies signature, ensures time is within acceptable window, returns secret

Post a comment in response:

If you don't have an account you can create one now.
HTML doesn't work in the subject.
More info about formatting

If you are unable to use this captcha for any reason, please contact us by email at support@dreamwidth.org