>> I can't tell from the instructions how the FDE encryption key is stored -- do we manually seal it to the TPM and then manually unseal and copy/paste it every time we boot? Or is it assumed the user will write a script to handle this -- a script which itself will have to be measured by the TPM?
> This is not possible with the current version. The Masterthesis was
> about answering this Question: Did unencrypted software change since
> the last time the user operated this system.
> What exactly is your use case? Do you want a system with FDE that does
> not prompt you for the encryption key or do you want to improve the
> security by storing a part of the key material inside the TPM while the
> other half is provided by a user password?
> There are a lot of possibilities with a available TPM on boot, so if
> you have a specific use case we can tailor that right in.
> Before we do that i think it is important to make this feature a lot
> easier to install. Following this manual, patching and compiling source
> code and updating the MBR and biosboot is not something the user should
> have to worry about.
> The problem is, in order to make space for this feature in the MBR as
> well as in biosboot i had to remove the code responsible for loading a
> block from disk via CHS. This is obviously not acceptable if this should
> be integrated back into OpenBSD.
> One possible solution would be to let the MBR and biosboot grow bigger
> than 512 byte and let installboot(8) figure out what the user needs and
> remove code paths that are not used to get the binary back to 512 byte.
> Everything else i thought of involves recompiling.