root device / filesystem with TLS protection #35

@chucklever

Ultimately we would like to extend TLS protection to the root filesystem, for instance by supporting NFSROOT with TLS, or by supporting a root filesystem that resides on an NVMe that is protected with TLS. This goal has some special challenges when tlshd uses files that live on the root filesystem that is protected by TLS.

To work around these challenges, it might be possible to place tlshd and authentication material in the initrd, or the AM could be placed in non-root storage, such as a TPM. The details need to be worked out, so parking this issue here for further thought and comment.

Labels: enhancement

Status: Todo