Does Pureboot need a TPM chip to work, or can the Librem key handle the TPM duties by itself?
We have built PureBoot images for older Librem 13v2s that don’t have a TPM. In that case, instead of sending measurements to the TPM, Heads uses the firmware measurements themselves as a shared secret that’s stored on the Librem Key. It then converts it to an HOTP code that it sends to the Librem Key, and if it matches what the Librem Key itself generates, it blinks the green light.
Using a TPM for this is better, and reading the complete measurements of the ROM makes the initial boot take quite a bit longer, but it’s better than nothing.
We are considering a similar approach when we port PureBoot to the Librem 5 as it also does not have a TPM.
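The TPM-less check described in the reply above, as an added Python example (not Heads' or Purism's code): the firmware measurement is used directly as the HOTP secret enrolled on the key, and at boot the code the firmware derives must match the one the key derives. The region names and contents are constructed stand-ins, and the measurement encoding is a simplification, not the exact format Heads uses.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the ROM regions Heads measures at boot.
FIRMWARE_REGIONS = {
    "bootblock": b"constructed-bootblock-contents",
    "coreboot": b"constructed-coreboot-contents",
    "heads": b"constructed-heads-initrd-contents",
}


def measure_firmware(regions):
    """Hash each region, then hash the ordered list of digests into one value.
    Simplified stand-in for the Heads measurement; the real encoding differs."""
    h = hashlib.sha256()
    for name in sorted(regions):
        h.update(name.encode() + b"\x00" + hashlib.sha256(regions[name]).digest())
    return h.digest()


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def enroll(regions):
    """Enrollment: the measurement itself becomes the shared secret stored on
    the Librem Key (no TPM involved)."""
    return measure_firmware(regions)


def boot_check(regions, key_secret, counter):
    """Boot: the firmware recomputes the code from a fresh measurement and the
    key computes its own from the stored secret. Green light only on a match;
    any change to a measured region changes the secret and so the code."""
    firmware_code = hotp(measure_firmware(regions), counter)
    key_code = hotp(key_secret, counter)
    return hmac.compare_digest(firmware_code, key_code)
```

The counter advances on every boot, so a captured code from a previous boot does not verify again.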
This might be better as a separate post but it relates to this question.
Given that PureBoot works without a TPM (see OP) and that I can arbitrarily reset the TPM Owner passphrase/PIN in Heads, I don’t see the point of having to keep track of a TPM owner passphrase/PIN.
So far, I have only seen the TPM Owner password (PIN) requested when signing files in /boot. If that is all, Heads should generate a random one when files are signed and just use it. The signatures are based on the Librem Key. Why is the TPM needed? In fact it’s not, according to the OP.
It’s better, you say, but in what way? Is it better to use the process or to have another PIN? Can we still use the TPM process with the Librem Key but ignore the TPM PIN like we do with LUKS? I don’t know the passphrase used on my disk with LUKS when using the Librem Key because the infrastructure protects it. All I use is the Librem Key user PIN.
I recently had to reset the TPM because it is yet another secret that I have to keep track of, and I lost it. If it can be reset arbitrarily, what is the point of knowing it? Are we planning to use it in future stuff? If so, can we not use the Librem Key PINs?
The number of PINs and passphrases is an operational security problem that I thought the Librem Key was helping us with. There are too many:
- Librem Key admin pass
- Librem Key user pass
- TPM owner pass
- encrypted LUKS partition pass (can be deleted or ignored after Librem Key + LUKS is set up)
- root password on OS (maybe multiple)
- user password on OS (maybe multiple)
- hundreds of other passwords (maybe protected by some other password in a wallet/manager/etc.)