Use TPM with Raspberry Pi to boot encrypted LUKS partition in automatic mode

I need to boot a Raspberry Pi with an encrypted LUKS root partition in unattended mode. As I understand it, for this task I can use a TPM (Trusted Platform Module) chip (which I can integrate with the Raspberry Pi using an expansion board) and tpm-luks. I would like to know if it is actually possible to use the TPM module on the Raspberry Pi to automatically check the integrity of the boot partition and obtain the key to decrypt the root partition from the TPM chip.

+3




2 answers


No, it is impossible. The TPM is a passive device; it cannot "verify the integrity of the boot partition". For any kind of integrity you need a root of trust for measurement, which is never the TPM itself. You will need reliable, locked-down firmware that acts as that RTM. You don't have this in the proprietary Pi firmware.



+1


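To make the answer's point concrete, here is an added simulation (not code from the thread, tpm-luks, or any TPM stack) of what a TPM actually does for an unattended LUKS unlock: it extends a PCR with whatever hashes the firmware hands it, and releases a sealed key only when the PCR equals the value recorded at provisioning. The "images", the storage root key and the volume key are constructed placeholders; the `honest_rtm` / `replaying_rtm` functions are hypothetical models of the root of trust for measurement, and the whole thing runs offline with only the standard library.

```python
import hashlib
import hmac

# Constructed values only: placeholder image bytes, a fixed stand-in for the
# TPM's storage root key, and a fixed 32-byte volume key.
PCR_INIT = b"\x00" * 32                               # PCRs are all-zero after reset
STORAGE_ROOT_KEY = b"simulated-TPM-storage-root-key"  # constructed, stands in for the SRK
LUKS_KEY = bytes(range(32))                           # constructed volume key

# Constructed boot chain: (component, image bytes) pairs in load order.
GOOD_CHAIN = [
    ("bootloader", b"bootloader-image-v1"),
    ("kernel", b"kernel-image-v1"),
    ("initramfs", b"initramfs-image-v1"),
]
# Same chain with a modified initramfs (where the LUKS unlock logic would live).
TAMPERED_CHAIN = [
    ("bootloader", b"bootloader-image-v1"),
    ("kernel", b"kernel-image-v1"),
    ("initramfs", b"initramfs-image-v1-modified"),
]


def pcr_extend(pcr: bytes, image: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || H(image)); one-way and order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_chain(chain) -> bytes:
    """Extend one PCR with every component in load order and return its final value."""
    pcr = PCR_INIT
    for _name, image in chain:
        pcr = pcr_extend(pcr, image)
    return pcr


def _kek(pcr: bytes) -> bytes:
    # Key-encryption key derived from the PCR value the blob is bound to.
    return hmac.new(STORAGE_ROOT_KEY, pcr, hashlib.sha256).digest()


def seal(secret: bytes, expected_pcr: bytes) -> bytes:
    """Bind a secret (<= 32 bytes) to a PCR value; returns ciphertext || HMAC tag."""
    assert len(secret) <= 32
    kek = _kek(expected_pcr)
    stream = hashlib.sha256(kek + b"keystream").digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(kek, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob: bytes, current_pcr: bytes):
    """Return the secret if the current PCR matches the sealing PCR, otherwise None."""
    ct, tag = blob[:-32], blob[-32:]
    kek = _kek(current_pcr)
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        return None                     # wrong PCR: the TPM refuses to release the key
    stream = hashlib.sha256(kek + b"keystream").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


# Provisioning step: seal the volume key to the PCR value of the known-good chain.
SEALED_BLOB = seal(LUKS_KEY, measure_chain(GOOD_CHAIN))


def honest_rtm(loaded_chain):
    """Trustworthy root of trust for measurement: reports exactly what it loaded."""
    return loaded_chain


def replaying_rtm(_loaded_chain):
    """Untrusted RTM: ignores what it loaded and extends the recorded good values."""
    return GOOD_CHAIN


def unattended_boot(loaded_chain, rtm=honest_rtm):
    """Model one boot: the firmware (RTM) measures, the TPM only sees what it is told."""
    pcr = measure_chain(rtm(loaded_chain))
    return unseal(SEALED_BLOB, pcr)


if __name__ == "__main__":
    print("honest RTM, good chain     ->", unattended_boot(GOOD_CHAIN) == LUKS_KEY)
    print("honest RTM, tampered chain ->", unattended_boot(TAMPERED_CHAIN))
    print("untrusted RTM, tampered    ->", unattended_boot(TAMPERED_CHAIN, replaying_rtm) == LUKS_KEY)
```

The first two runs are the behaviour tpm-luks relies on: a modified initramfs changes the PCR and the key is not released. The third run is the answer's objection: the TPM cannot distinguish a genuine measurement from a replayed one, so the whole scheme is only as trustworthy as the component that performs the first measurement, which on the Pi is firmware you cannot inspect or lock down.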


Full disclosure, I am the co-founder of Zymbit. We developed Zymkey, a Root of Trust module for the Raspberry Pi, and are working on LUKS-based file system encryption.



We have secrets, file and volume encryption, and are still developing full-disk encryption. Zymkey can be used for more, too. Please check it out.

+1








