
Use TPM with Raspberry Pi to boot LUKS encrypted partition in unattended mode

I need to boot Raspberry Pi with LUKS encrypted root partition in unattended mode. As I understand, for this task I can use a TPM (Trusted Platform Module) chip (that I can integrate with Raspberry Pi using an extension board) and tpm-luks. I'd like to know if it's really possible to use a TPM module in Raspberry Pi to automatically validate boot partition integrity and get the key to decrypt the root partition using the TPM chip.

No, it's not possible. The TPM is a passive device, it cannot "validate boot partition integrity". To ensure integrity of any kind you need a root of trust for measurement, which is never the TPM. You would need a trusted and locked down firmware that functions as such an RTM. You don't have that in the Pi's proprietary firmware.
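The root-of-trust-for-measurement point above, as a toy model added here (not part of the original answer and not a real TPM API). `ToyTPM`, `boot`, the two measuring functions and the stage names are hypothetical, and sealing is reduced to comparing one SHA-256 PCR value.

```python
import hashlib
import hmac

def extend(pcr: bytes, data: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(data)). The TPM only hashes what it is handed."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def boot(loaded, measure) -> bytes:
    """Replay a boot; measure(i, stage) plays the RTM and returns what is reported for stage i."""
    pcr = bytes(32)  # PCRs start at all zeroes after reset
    for i, stage in enumerate(loaded):
        pcr = extend(pcr, measure(i, stage))
    return pcr

class ToyTPM:
    """Hypothetical stand-in for sealing: release the secret only if the PCR matches."""
    def __init__(self, secret: bytes, expected_pcr: bytes):
        self._secret, self._expected = secret, expected_pcr

    def unseal(self, current_pcr: bytes):
        ok = hmac.compare_digest(current_pcr, self._expected)
        return self._secret if ok else None

# Constructed sample data, not taken from any real system.
GOOD = [b"bootloader-v1", b"kernel-v1", b"initramfs-v1"]
MODIFIED = [b"bootloader-v1", b"kernel-v1", b"initramfs-modified"]
LUKS_KEY = b"constructed-demo-key"

def honest_rtm(i, stage):
    return stage      # a locked-down RTM measures what is actually loaded

def unverified_firmware(i, stage):
    return GOOD[i]    # nothing forces unverified code to report what it loaded

tpm = ToyTPM(LUKS_KEY, boot(GOOD, honest_rtm))

def outcomes():
    """Unseal result for each combination of boot chain and measuring code."""
    return {
        "good chain, honest RTM": tpm.unseal(boot(GOOD, honest_rtm)),
        "modified chain, honest RTM": tpm.unseal(boot(MODIFIED, honest_rtm)),
        "modified chain, unverified firmware": tpm.unseal(boot(MODIFIED, unverified_firmware)),
    }

if __name__ == "__main__":
    for case, key in outcomes().items():
        print(f"{case}: {'key released' if key else 'unseal refused'}")
```

The sealed key is only as trustworthy as the first piece of code that measures: with an honest RTM the modified chain is refused, without one the TPM sees the expected PCR value and releases the key.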

Full disclosure, I'm co-founder of Zymbit. We have developed Zymkey, a Root of Trust module for Raspberry Pi and are working on LUKS-based filesystem encryption.

We have secrets, file and volume encryption; and are still developing full-disk encryption. Zymkey can be used for more as well. Please check it out.
