[prev in list] [next in list] [prev in thread] [next in thread] 

List:       opensuse-factory
Subject:    Re: Disk auto-unlocking with TPM 2.0
From:       Fabian Vogt <fvogt () suse ! de>
Date:       2023-08-24 9:38:50
Message-ID: 4853120.31r3eYUQgx () linux-e202 ! suse ! de
[Download RAW message or body]

Hi,

Am Donnerstag, 24. August 2023, 10:35:16 CEST schrieb Andrei Borzenkov:
> On Thu, Aug 24, 2023 at 11:06 AM Thorsten Kukuk <kukuk@suse.de> wrote:
> >
> > On Thu, Aug 24, Gary Lin via openSUSE Factory wrote:
> >
> > > On Thu, Aug 24, 2023 at 09:01:12AM +0200, Felix Niederwanger wrote:
> > > > See e.g.
> > > > https://www.guyrutenberg.com/2022/02/17/unlock-luks-volume-with-a-yubikey/
> >
> > > In the article, the author is using 'systemd-cryptenroll' to secure the
> > > LUKS key with the FIDO2 token. Unfortunately, this only works in the
> > > userspace, i.e. after the linux kernel is loaded, and those FIDO2 tools
> > > are not accessible to grub2.
> >
> > That's why we have:
> > https://en.opensuse.org/Systemd-boot
> 
> I am not sure I understand how it is related. systemd-boot is not user
> space and does not support unlocking because it does not need it - it
> never reads encrypted content. Nothing prevents configuring grub to
> use kernel/initrd from ESP instead of reading it from the encrypted
> container.

This page is also about the plumbing to make this possible, especially with
btrfs snapshots. You can then also use GRUB instead of systemd-boot, even as a
drop-in replacement with the bls/bli integration in GRUB. In fact, this is one
of the options to support legacy boot in the future.

Cheers,
Fabian

> > With the pre-built MicroOS image it should be easy to add FIDO2 support
> > as described in that article.
> > Disadvantage: only UEFI systems are supported.
> 
> On legacy BIOS it would be possible to dedicate an unencrypted
> filesystem to store kernel/initrd similar to ESP if grub is used.
> 
> > systemd-boot support is on the way into yast2-bootloader to make the
> > setup easier, FIDO2 support is on the wishlist, help is always welcome
> > :)
> >
> 
> >   Thorsten
> >
> > --
> > Thorsten Kukuk, Distinguished Engineer, Senior Architect, Future Technologies
> > SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nuernberg, Germany
> > Managing Director: Ivo Totev, Andrew McDonald, Werner Knoblich
> > (HRB 36809, AG Nürnberg)
> 
[prev in list] [next in list] [prev in thread] [next in thread]