systemd and TPM2 Features in Linux - Current State and Future Developments

Explore the integration of systemd and TPM2 in this comprehensive conference talk by Lennart Poettering from Microsoft. Delve into existing and upcoming TPM2-related features in systemd, the system and service manager for most contemporary Linux distributions. Learn about TPM2-based disk unlocking, PCR hash and signed PCR policies, and system and service credentials encrypted/authenticated to TPM2 keys. Discover systemd's TPM2 logic for Confidential Computing, measurement of system and file system identity, volume encryption keys, and pre-boot TPM2 hook-up in systemd-stub UEFI stub. Understand automatic enrollment to encrypted volumes using TPM2 at boot, boot phases and PCR measurements, and the importance of reproducible and deterministic PCR measurements. Gain insights into system epcr, system PCR, system DOS, UKI, FY, systemd credentials, and non-destructive weaknesses. Examine symmetric and asymmetric unlocking methods, and explore the absence of a signature scheme. Conclude with a Q&A session covering systemd and Linux-related topics.

Start
Goals
Current state
System epcr
System PCR
System DOS
Summary
UKIFY
Systemd credentials
Systemd creds
Systemd part
Nondestructive
Weaknesses
Symmetric asymmetric unlocking
No signature scheme
QA
Systemd
Linux