On Thu, Aug 24, 2023 at 09:01:12AM +0200, Felix Niederwanger wrote:
On 8/24/23 04:02, Gary Lin via openSUSE Factory wrote:
I do have a question for you: is there any plan to support TPM + a second factor, like a PIN, or HMAC challenge via a security key? Systemd-boot supports this, but I'm assuming the plumbing for something like this would need to be added to Grub.
FIDO2 maybe. It would take some effort to enable FIDO2 support in grub2 though.
LUKS supports unlocking with a Yubikey already, and this should in principle work with any FIDO2 key.
See e.g. https://www.guyrutenberg.com/2022/02/17/unlock-luks-volume-with-a-yubikey/
I've not done this yet myself, it's still on my bucket list. LUKS supports up to 8 key slots, so it should be possible to have TPM or Yubikey (plus PIN) or a predefined passphrase, in case the TPM breaks and you lose your Yubikey.
In the article, the author is using 'systemd-cryptenroll' to secure the LUKS key with the FIDO2 token. Unfortunately, this only works in userspace, i.e. after the Linux kernel is loaded, and those FIDO2 tools are not accessible to grub2.

Gary Lin
Sadly it is only available in German, but an excellent talk on the possibilities of a Yubikey was given by Florian Winkler at the "Chemnitzer Linux Tage" this year:
https://media.ccc.de/v/clt23-148-yubikey-mehr-als-nur-fido2
Best, phoenix
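The multi-slot layout discussed above (a TPM2 slot, a FIDO2 slot with client PIN, a recovery passphrase, and a plain passphrase slot kept as fallback), as an added example that is not part of the thread or of the linked article. It uses systemd-cryptenroll and cryptsetup as they exist today; the device path /dev/sda3 and the mapper name cryptroot are assumptions. As Gary notes, enrollment and unlock happen in userspace after the kernel is up, so this covers the initrd/systemd-cryptsetup stage, not grub2. The parser at the end reads `cryptsetup luksDump` output and reports which key slots are not bound to a hardware token, which is the check you want before relying on the TPM and the Yubikey: slot 0 here is the passphrase set at luksFormat time, and the recovery key is a passphrase too, so both count as fallbacks. The sample dump is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed device: /dev/sda3, mapper name: cryptroot.
set -eu

# Enrollment plan for one LUKS2 volume. Slot 0 (the luksFormat passphrase) stays as
# the fallback; each command below adds a further slot plus a LUKS2 token.
# PCR 7 binds the TPM2 slot to the Secure Boot policy (systemd's default PCR).
enroll_plan() {
    dev="$1"
    printf '%s\n' \
        "systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 $dev" \
        "systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes $dev" \
        "systemd-cryptenroll --recovery-key $dev"
}

# Run the plan; with DRY_RUN=1 only print what would be executed.
enroll() {
    enroll_plan "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "+ $cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# /etc/crypttab line: systemd-cryptsetup tries TPM2, then FIDO2 (PIN + touch),
# and falls back to a passphrase prompt, which is where slot 0 or the recovery key is used.
crypttab_line() {
    printf 'cryptroot %s none tpm2-device=auto,fido2-device=auto\n' "$1"
}

# Parse `cryptsetup luksDump` text on stdin and print, one per line, the key slots
# that are NOT bound to a systemd-tpm2 or systemd-fido2 token (i.e. the fallbacks).
untokened_slots() {
    awk '
        /^Keyslots:/ { sec = "k"; next }
        /^Tokens:/   { sec = "t"; next }
        /^[A-Z]/     { sec = "" }
        sec == "k" && $1 ~ /^[0-9]+:$/ && $2 == "luks2" { n = $1; sub(":", "", n); slot[n] = 1 }
        sec == "t" && $1 ~ /^[0-9]+:$/ { tok = $2 }
        sec == "t" && $1 == "Keyslot:"  { bound[$2] = tok }
        END {
            for (s in slot)
                if (!(bound[s] ~ /^systemd-(tpm2|fido2)$/)) print s
        }
    ' | sort -n
}

# Exit 0 when at least one fallback slot exists, 1 otherwise.
has_fallback() {
    [ -n "$(untokened_slots)" ]
}

# Live check against a real device (needs root): cryptsetup luksDump DEV | has_fallback
check_device() {
    cryptsetup luksDump "$1" | has_fallback
}

# Constructed sample of luksDump output (whitespace simplified): slot 0 is the
# luksFormat passphrase, slots 1-3 were added by the three enroll commands above.
SAMPLE_DUMP='LUKS header information
Version:        2
Data segments:
  0: crypt
    cipher: aes-xts-plain64
Keyslots:
  0: luks2
    Key:        512 bits
  1: luks2
    Key:        512 bits
  2: luks2
    Key:        512 bits
  3: luks2
    Key:        512 bits
Tokens:
  0: systemd-tpm2
    Keyslot:    1
  1: systemd-fido2
    Keyslot:    2
  2: systemd-recovery
    Keyslot:    3
Digests:
  0: pbkdf2
    Hash:       sha256'

# Constructed counter-example: only hardware-bound slots, no passphrase left.
SAMPLE_NO_FALLBACK='Keyslots:
  1: luks2
    Key:        512 bits
  2: luks2
    Key:        512 bits
Tokens:
  0: systemd-tpm2
    Keyslot:    1
  1: systemd-fido2
    Keyslot:    2'
```

To use it on a real system: `DRY_RUN=1 . ./enroll.sh; enroll /dev/sda3` to review the commands, run `enroll /dev/sda3` without DRY_RUN to enroll (it prompts for the existing passphrase, the FIDO2 PIN and a touch, and prints the recovery key once), append `crypttab_line /dev/sda3` to /etc/crypttab, and only then run `check_device /dev/sda3` to confirm a non-hardware slot survives. A slot can be dropped again with `systemd-cryptenroll --wipe-slot=<n> /dev/sda3`.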