TPM implementation

TPM is just a convenience feature then, it does not increase your security.

I don't. After every startup, I ssh into my device and manually open the LUKS partition. Nothing automatic there.

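The manual flow mentioned above (ssh in after boot, open the LUKS container by hand) can be made less error-prone with a small helper that refuses bad input and never takes the passphrase on the command line. The script below is an added example, not something posted in this thread; the device path, mapping name and mount point are hypothetical placeholders, and it assumes `cryptsetup` and `mount` are available on the router.

```shell
#!/bin/sh
# Added example: manual LUKS unlock helper for an ssh session on the router.
# The device, mapping name and mount point are assumptions, not from the thread.
set -eu

MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# Returns 0 when a dm-crypt mapping with this name is already open.
mapping_is_open() {
    [ -e "$MAPPER_DIR/$1" ]
}

# Accepts only letters, digits, underscore and hyphen, and no leading hyphen,
# so a name typed over ssh cannot smuggle options or path components.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# unlock_and_mount DEVICE NAME MOUNTPOINT
# Exit codes: 0 ok (or already open), 2 bad name, 3 device missing.
unlock_and_mount() {
    dev="$1"; name="$2"; mnt="$3"
    valid_name "$name" || { echo "refusing mapping name: $name" >&2; return 2; }
    [ -b "$dev" ] || { echo "no block device at $dev" >&2; return 3; }
    if mapping_is_open "$name"; then
        echo "$name is already open; nothing to do" >&2
        return 0
    fi
    # cryptsetup prompts for the passphrase on the terminal itself;
    # it is never placed in argv, so it does not show up in ps or history.
    "$CRYPTSETUP" open --type luks "$dev" "$name"
    mount "$MAPPER_DIR/$name" "$mnt"
    echo "unlocked $name and mounted it on $mnt"
}

# Hypothetical invocation: unlock_and_mount /dev/sda2 data /mnt/data
case "${1:-}" in
    "") ;;                      # no arguments: only define the functions
    *)  unlock_and_mount "$@" ;;
esac
```

Run it as `sh unlock.sh /dev/sda2 data /mnt/data` (with your own paths) from the ssh session; because the passphrase is entered interactively, nothing about the unlock is stored on the device, which is the property the manual approach is chosen for.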

In your paradigm, the router is not [more] protected:

  • you encrypt
  • you place the partition's key in the device's TPM
  • you configure the router to boot automatically
  • the settings are accessible after power on
  • If the hard drive was stolen, the router wouldn't work anyway

This is identical to an unencrypted router.

So... what prevents a malicious actor from altering a running config and applying it/rebooting?

This only protects you from a malicious actor stealing the powered-off router's HDD, and altering/stealing configs without your knowledge (until after the fact). The powered-on router is still vulnerable.

Well that would need to be installed too.

I also cannot load the Infineon SLB 9670 TPM device on the OpenWrt system. Have you solved it now? But I can load the TPM on other Linux systems.