tpm-tools discussion
tpm-tools is an important feature in the enterprise, with uses ranging from secure boot to 802.1x network authentication.
Blueprint information
- Status: Started
- Approver: Steve Langasek
- Priority: High
- Drafter: Stéphane Graber
- Direction: Approved
- Assignee: Stéphane Graber
- Definition: Approved
- Series goal: Accepted for precise
- Implementation: Beta Available
- Milestone target: ubuntu-12.04-beta-2
- Started by: Stéphane Graber
- Completed by:
Whiteboard
== Notes from the session ==
Debian dropped tpm-tools from their archive due to lack of maintenance and Ubuntu replicated this change in the Oneiric release. This included dropping non-functional patches to wpa-supplicant and NetworkManager.
Dependencies needed:
- libtpm-unseal
- libtspi1 (still in main for oneiric)
- opencryptoki (still in main for oneiric)
- trousers (still in main for oneiric)
Discussion items:
- No Debian or Ubuntu maintainer
- Methods for utilizing TPM
  - whole disk encryption
  - 802.1x use case
  - trusted boot
- Some advantage to having the same person maintain the whole stack: tpm-tools, opencryptoki, etc.
== Actions ==
Work items:
[vorlon] Talk to Martin about how we can provide Debian/Ubuntu maintenance of the tpm packages (tpm-tools, opencryptoki): DONE
[etienne-
[mathieu-tl] Rework the NetworkManager patch for PKCS11/TPM support and push upstream: DONE
[vorlon] Investigate TPM integration for LUKS (and find someone to give him a laptop he doesn't mind losing his filesystem on)
[vorlon] Investigate machine-based authentication for Kerberos via PKINIT with TPM
[stgraber] Reintroduce tpm-tools to Ubuntu: DONE
[stgraber] Test the tpm-tools + opencryptoki once we have tpm-tools again and post step-by-step instructions on initializing the TPM and using it with PKCS11: POSTPONED
Look at kernel encrypted/trusted keys as an alternative to LUKS passphrases for full-disk encryption: POSTPONED