From: Benjamin Drung <benjamin.drung@profitbricks.com>
To: "Môshe van der Sterre" <me@moshe.nl>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
linux-efi@vger.kernel.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: Read-protected UEFI variables
Date: Wed, 14 Feb 2018 20:05:57 +0100 [thread overview]
Message-ID: <1518635157.4749.50.camel@profitbricks.com> (raw)
In-Reply-To: <e04b687f-30cd-c200-d08f-36b7dcc582a6@moshe.nl>
Am Mittwoch, den 14.02.2018, 19:18 +0100 schrieb Môshe van der Sterre:
> On 02/14/2018 02:21 PM, Benjamin Drung wrote:
> > If the UEFI is as secure as storing an unencrypted file on a hard
> > drive, I am satisfied. Or do you have a better idea where to store
> > the
> > SSH keys for a diskless system that boots via network?
>
> I assume it would be best to use TPM for this (if your systems have
> TPM chips), it is designed for use-cases like this. Searching for
> "tpm ssh keys" gives a decent amount of results. Mostly targeted at
> user keys instead of server keys, so this might need some tinkering
> to get working.
I check our systems. They just have TPM headers, but no TPM chips
according to the user manual. The directory /sys/class/tpm/ is either
empty or not existing. Adding TPM chips to all servers is no too
expensive (to much man power required). So sadly, this is no option for
us.
--
Benjamin Drung
System Developer
Debian & Ubuntu Developer
ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin
Email: benjamin.drung@profitbricks.com
URL: https://www.profitbricks.de
Sitz der Gesellschaft: Berlin
Registergericht: Amtsgericht Charlottenburg, HRB 125506 B
Geschäftsführer: Achim Weiss, Matthias Steinberg
next prev parent reply other threads:[~2018-02-14 19:05 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-14 12:52 Read-protected UEFI variables Benjamin Drung
2018-02-14 13:09 ` Ard Biesheuvel
2018-02-14 13:21 ` Benjamin Drung
2018-02-14 13:21 ` Benjamin Drung
[not found] ` <1518614486.4749.33.camel-EIkl63zCoXaH+58JC4qpiA@public.gmane.org>
2018-02-14 18:18 ` Môshe van der Sterre
2018-02-14 18:18 ` Môshe van der Sterre
2018-02-14 19:05 ` Benjamin Drung [this message]
2018-02-14 20:33 ` Austin S. Hemmelgarn
2018-02-15 19:04 ` Ard Biesheuvel
2018-02-19 20:24 ` Alan Cox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1518635157.4749.50.camel@profitbricks.com \
--to=benjamin.drung@profitbricks.com \
--cc=ard.biesheuvel@linaro.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=me@moshe.nl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.