TPM 2.0 with Cr50

[ChocolateLoverRaj]

It would be really convenient having automatic LUKS unlocking with TPM on Chromebooks, but it doesn't work rn. Are there plans for it to be implemented?

[MrChromebox]

there's nothing I can do about the fact that the CR50 is not a full TPM 2.0 implementation. I'm not sure if it's sufficient for what you're asking

[tlaurion]

@MrChromebox tpm2-software/tpm2-tools#3434

Blocker for linuxboot/heads#1658 (comment) (TPM released Disk Unlock Key: sealing of secret in nvram fails)

[MrChromebox]

@MrChromebox tpm2-software/tpm2-tools#3434

Blocker for linuxboot/heads#1658 (comment) (TPM released Disk Unlock Key: sealing of secret in nvram fails)

@tlaurion CR50 is not a fully TPM 2.0 compliant implementation, as per my comment above. I don't think there's anything missing from the firmware init, other TPM 2.0 chips are fine

[tlaurion]

@MrChromebox tpm2-software/tpm2-tools#3434

Blocker for linuxboot/heads#1658 (comment) (TPM released Disk Unlock Key: sealing of secret in nvram fails)

@tlaurion CR50 is not a fully TPM 2.0 compliant implementation, as per my comment above. I don't think there's anything missing from the firmware init, other TPM 2.0 chips are fine

tpm2-software/tpm2-tools#3434 (comment)

Two secrets are sealed with same policy, one succeeds (TPM totp with tpm2), where sealing TPM disk unlock key in seperate nvram region fails.

Two logs provided at linuxboot/heads#1658 (comment)

[MrChromebox]

@tlaurion again I'm not sure what I can do from the firmware init side, or even what you're asking for.

[tlaurion]

@tlaurion again I'm not sure what I can do from the firmware init side, or even what you're asking for.

tpm2-software/tpm2-tools#3434 (comment)

Feature missing from tpm2 implementation, so nothing you can do.