I wanted to discuss the way the ReInstall Recovery Mode currently works.
It seems like the current status is, if you want to trigger a ReInstall [ which for all intents and purposes is equivalent to a “Factory Reset” ], and you are running in Secured mode [ SB and FDE ], you are responsible to also clearing the TPM.
I have a couple of questions and points on this.
If you are running a Secured Image, and you trigger a ReInstall, it would never work without clearing the TPM. In which case, would it not be reasonable for snapd to do the TPM clearing just before reboot ?
I understand that some platform may behave slightly differently, and even require some user input on the console when you request a TPM clear, but may don’t and it could even be an optional arg to make the clear request when asking snapd to ReInstall.
For our use cases we have tested requesting a TPM clearance [ via mgmt root login ], then triggering a ReInstall, it works.
Perhaps getting snapd to request a clear was considered a security concern. If so, can you expand on that ?
We have our own system agent that talks to snapd. We can try and orchestrate the TPM clearing in or agent instead of snapd. However, looking at the current snap interface definition for TPM, it seems like it does not give access to
/sys/class/tpm/tpm0/ppi/request , which is how we have been clearing the TPM. Am I missing something here ? Can we request a reset via
/dev/tpm instead somehow ?