SSS/Tang regenerate with multiple locations #446

Open
felsgaertner opened this issue Jan 5, 2024 · 1 comment

Comments

@felsgaertner

This is a follow-up for #444

With luks bind I have to provide a pin config that might, in addition, carry the advertisements of tang servers I cannot reach; see my comment in #444.

Unfortunately this is not possible with regen, since I cannot provide those additional offline advertisements.

So I have to unbind and then bind again. It would be nice to have a way to provide those offline advertisements to regen as well.

My current pin config reads:

```json
{
  "t": 2,
  "pins": {
      "tpm2": {
        "pcr_bank": "sha256",
        "pcr_ids": "1,4,5,7,8"
      },
      "tang": [
          {
              "url": "http://server.1",
              "adv": {
                "payload": "eyJrZXlzIjogW3si...lmeSJdfV19",
                "protected": "eyJhbGci...iJ9",
                "signature": "AakEL-AX...PMo"
              }
          },
          {
              "url": "http://server.2",
              "adv": {
                "payload": "eyJrZXlz...dfV19",
                "protected": "eyJhbG.iJ9",
                "signature": "ATUMB...9fnBbzv"
              }
          }
      ]
  }
}
```

Only one of those servers is available at a specific time.

And BTW, can I nest SSS pins to have another SSS within the above config? I.e.:

```json
{
  "t": 2,
  "pins": {
    "tpm2": {
      "pcr_ids": "1,4,5,7,8"
    },
    "sss": {
      "t": 1,
      "pins": {
        "tang": [
          {
            "url": "http://1"
          },
          {
            "url": "http://2"
          }
        ]
      }
    }
  }
}
```
@sarroutbi (Collaborator)

Hello @felsgaertner. Regarding your second question: yes, you should be able to configure nested "sss" pins.
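The two configurations in the issue (the flat `t: 2` over tpm2 and two tang servers, and the nested `sss` form that the collaborator confirms is supported) do not express the same unlock policy, and the difference matters: with the flat config, the two tang servers alone meet the threshold, so a machine whose TPM state has changed (or a cloned disk image on different hardware) can still be unlocked as long as both servers answer. The nested form makes the TPM mandatory and lets either server stand in for the other. The following Python is an added example, written for this page and not code from the clevis project or the issue author; it models the threshold semantics of the `sss` pin and enumerates which combinations of reachable pins unlock each config. The two configs are built from the issue's JSON with the advertisements left out, and the sets of "available" pins are constructed assumptions, not anything queried from a real TPM or tang server.

```python
"""Evaluate which reachable pins satisfy a clevis-style SSS pin policy.

Added example for this page (not clevis project code). It models the
"t of n" threshold rule of the sss pin, recursing into nested sss pins,
so the flat and nested configs from the issue can be compared offline.
"""
import json
from itertools import combinations

# Flat config from the issue (advs elided): any 2 of {tpm2, server.1, server.2}.
FLAT_CONFIG = {
    "t": 2,
    "pins": {
        "tpm2": {"pcr_bank": "sha256", "pcr_ids": "1,4,5,7,8"},
        "tang": [{"url": "http://server.1"}, {"url": "http://server.2"}],
    },
}

# Nested config from the issue: tpm2 AND (1 of the two tang servers).
NESTED_CONFIG = {
    "t": 2,
    "pins": {
        "tpm2": {"pcr_ids": "1,4,5,7,8"},
        "sss": {
            "t": 1,
            "pins": {
                "tang": [{"url": "http://server.1"}, {"url": "http://server.2"}],
            },
        },
    },
}


def _children(sss):
    """Yield (pin_name, pin_config) pairs; a pin's value may be one object or a list."""
    for name, cfg in sss["pins"].items():
        for c in cfg if isinstance(cfg, list) else [cfg]:
            yield name, c


def pin_id(name, cfg):
    """Identifier for a leaf pin: tang pins are keyed by URL, other pins by name."""
    return ("tang", cfg["url"]) if name == "tang" else (name,)


def leaves(sss):
    """Flatten an sss config into its leaf pin identifiers (recursing into nested sss)."""
    out = []
    for name, c in _children(sss):
        out.extend(leaves(c) if name == "sss" else [pin_id(name, c)])
    return out


def satisfiable(sss, available):
    """True if at least sss['t'] of the direct children can be recovered.

    `available` is the set of leaf pin identifiers that are usable right now
    (a tang server that is online, a tpm2 whose PCRs still match the seal).
    A nested sss counts as one child and is recovered only if it is itself
    satisfiable with the same `available` set.
    """
    recovered = 0
    for name, c in _children(sss):
        if name == "sss":
            recovered += satisfiable(c, available)
        else:
            recovered += pin_id(name, c) in available
    return recovered >= sss["t"]


def unlocking_subsets(sss):
    """All subsets of leaf pins that are sufficient to unlock, as sorted tuples."""
    ids = leaves(sss)
    result = []
    for k in range(len(ids) + 1):
        for subset in combinations(ids, k):
            if satisfiable(sss, set(subset)):
                result.append(tuple(sorted(subset)))
    return result


def needs_tpm(sss):
    """Does every unlocking combination include the tpm2 pin?"""
    return all(("tpm2",) in s for s in unlocking_subsets(sss))


if __name__ == "__main__":
    for label, cfg in (("flat", FLAT_CONFIG), ("nested", NESTED_CONFIG)):
        print(label, "config requires TPM:", needs_tpm(cfg))
        for s in unlocking_subsets(cfg):
            print("  unlocks with", json.dumps([list(x) for x in s]))
```

Running it shows the flat config unlocking with `server.1` plus `server.2` and no TPM at all, while the nested config never unlocks without `tpm2`; when choosing between the two forms, decide first whether "both tang servers reachable" should be enough on its own, because with the flat config it is.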
