Morten Linderud
> I probably thought way too naive about this, I just thought of a cmdline similar to systemd-cryptenroll --tpm2-pcrs=0+7, and that it could look at the current value of those PCRs...
I'm a bit stuck on trying to understand how I should best implement Policy sessions for the keys and also support resealing through `ObjectChangeAuth`. The ACL model of the TPM...
Hm, I have sorta been able to write up a thing where even if the key is created with an auth value that has a policy with a PolicyPCR...
After batting my head with some new knowledge I've come to a couple of realizations. The way people usually deal with this is a combination of `TPM2_PolicyAuthorize` and `TPM2_PolicySigned` which...
I'm not too impressed by the clevis implementation either. See: https://github.com/latchset/clevis/issues/121
Sure, but then you are now dealing with two keys. One key which is the ssh key, and one key to sign the policy. What do we do with this...
Is the issue here that `ssh-tpm-agent` doesn't support the SSH Certificate keys or that forwarding with ssh-tpm-agent as an ssh-agent proxy isn't working correctly?
I need time to actually read up and understand the certificate implementation to figure out what the current code is missing. Atm it's very fuzzy for what needs to be...
Please check if this works for you: https://github.com/Foxboron/ssh-tpm-agent/commit/672ee74c9b4fe4a14d2a458d49667ca28f2193c0
I see the cert when I forward the agent now so I'll close this issue as solved unless there are more issues. https://github.com/Foxboron/ssh-tpm-agent/commit/672ee74c9b4fe4a14d2a458d49667ca28f2193c0