Hi, On Thursday, 24 August 2023, 10:35:16 CEST, Andrei Borzenkov wrote:
On Thu, Aug 24, 2023 at 11:06 AM Thorsten Kukuk <kukuk@suse.de> wrote:
On Thu, Aug 24, Gary Lin via openSUSE Factory wrote:
On Thu, Aug 24, 2023 at 09:01:12AM +0200, Felix Niederwanger wrote:
See e.g. https://www.guyrutenberg.com/2022/02/17/unlock-luks-volume-with-a-yubikey/
In the article, the author is using 'systemd-cryptenroll' to secure the LUKS key with the FIDO2 token. Unfortunately, this only works in user space, i.e. after the Linux kernel is loaded, and those FIDO2 tools are not accessible to grub2.
That's why we have: https://en.opensuse.org/Systemd-boot
I am not sure I understand how it is related. systemd-boot is not user space and does not support unlocking because it does not need it - it never reads encrypted content. Nothing prevents configuring grub to use kernel/initrd from ESP instead of reading it from the encrypted container.
This page is also about the plumbing to make this possible, especially with btrfs snapshots. You can then also use GRUB instead of systemd-boot, even as a drop-in replacement with the bls/bli integration in GRUB. In fact, this is one of the options to support legacy boot in the future.

Cheers,
Fabian
With the pre-built MicroOS image it should be easy to add FIDO2 support as described in that article. Disadvantage: only UEFI systems are supported.
On legacy BIOS it would be possible to dedicate an unencrypted filesystem to store kernel/initrd similar to ESP if grub is used.
systemd-boot support is on the way into yast2-bootloader to make the setup easier, FIDO2 support is on the wishlist, help is always welcome :)
Thorsten
--
Thorsten Kukuk, Distinguished Engineer, Senior Architect, Future Technologies
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nuernberg, Germany
Managing Director: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)
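The enrolment step the thread refers to (systemd-cryptenroll binding a FIDO2 token to a LUKS2 slot, then telling the initrd to use it via /etc/crypttab) is shown below as an added example. It is not code from the thread, from the linked article, or from openSUSE; it assumes a LUKS2 volume, a systemd built with libfido2 support, an initrd generated by dracut with the systemd cryptsetup modules, and uses placeholder names (cr_root, /dev/sda2). It deliberately does nothing unless CRYPTENROLL_RUN=1 is set, so the helper functions can be exercised without touching a real disk.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from openSUSE).
# Enrol a FIDO2 token as an extra LUKS2 key slot and wire it into
# /etc/crypttab so that systemd-cryptsetup in the initrd unlocks the volume.
# Everything here runs in user space after the kernel is up, which is why
# the same unlock cannot be performed by GRUB before the kernel is loaded.
# Placeholders: cr_root (mapping name), /dev/sda2 (LUKS2 device).

# Build the crypttab line for a FIDO2-unlocked volume. The key file is
# "none": systemd-cryptsetup then tries the enrolled token and falls back to
# a passphrase prompt if the token is absent, so the original passphrase
# slot remains usable as a recovery path.
crypttab_entry() {
    name=$1; dev=$2; timeout=${3:-30s}
    printf '%s %s none fido2-device=auto,token-timeout=%s\n' "$name" "$dev" "$timeout"
}

# Idempotently install the crypttab line: drop any stale line for the same
# mapping name, then append the FIDO2 one. Writing through "cat >" keeps the
# original file's inode and permissions.
install_entry() {
    name=$1; dev=$2; file=${3:-/etc/crypttab}
    entry=$(crypttab_entry "$name" "$dev")
    tmp=$(mktemp)
    { grep -v "^$name[[:space:]]" "$file" 2>/dev/null || true
      printf '%s\n' "$entry"; } > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Enrol the token. --fido2-device=list shows what systemd can see (useful when
# the token is plugged into a hub that the kernel enumerates late), and the
# enrolment asks for the LUKS passphrase of an existing slot, then requires
# the token's client PIN and a touch (user presence) at every unlock.
enroll_fido2() {
    dev=$1
    systemd-cryptenroll --fido2-device=list
    systemd-cryptenroll --fido2-device=auto \
        --fido2-with-client-pin=yes \
        --fido2-with-user-presence=yes \
        "$dev"
}

# Guarded entry point: only act on a real system when explicitly requested.
if [ "${CRYPTENROLL_RUN:-0}" = "1" ]; then
    enroll_fido2 /dev/sda2
    install_entry cr_root /dev/sda2
    # The initrd must carry the new crypttab and the FIDO2 stack.
    dracut --force
fi
```

Usage: `CRYPTENROLL_RUN=1 sh enroll.sh` as root on a UEFI system whose kernel and initrd live on the ESP (or, per the thread, on a dedicated unencrypted filesystem if GRUB is used on legacy BIOS). Check the result with `cryptsetup luksDump /dev/sda2`, which should list a `systemd-fido2` token entry alongside the passphrase slot, and keep that passphrase slot until you have rebooted at least once with the token.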