7 Mar 2023, 12:49
On Tue, Mar 7, 2023 at 2:59 PM Bruno Pitrus <brunopitrus@hotmail.com> wrote:
> So you do not want to sign kernel modules at all, correct? But in this case you do not need Secure Boot either, you can unlock LUKS via TPM which fails if measurements change (e.g. someone replaced initrd). Does Dracut support doing so automatically, or is it something I would need to do after every kernel or nvidia update?
This depends on what you put into the dracut generated image. systemd-cryptsetup does support TPM, but then you need something that measures your kernel and initrd - i.e. you would need grub2, sdboot or similar. There was a long discussion on the forums: https://forums.opensuse.org/t/unlocking-of-luks-encrypted-volumes-by-using-t...
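
A toy model of the point made in this exchange, added here as an illustration and not taken from the thread, systemd or dracut: a key sealed to a PCR value is released only if the boot chain extends the same measurements, so a replaced initrd blocks the unlock only when something actually measures the initrd. The single SHA-256 PCR, the `ToyTPM` class and the component blobs are constructed assumptions; a real TPM uses several PCRs and a policy digest.

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR, starting at all zeroes (simplified model)

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend operation: new = SHA256(old || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def boot(components, measured):
    """Replay a boot; only components named in `measured` are extended."""
    pcr = bytes(PCR_SIZE)
    for name, blob in components:
        if name in measured:
            pcr = extend(pcr, blob)
    return pcr

class ToyTPM:
    """Hypothetical stand-in for sealing: releases the secret only when
    the current PCR value equals the value recorded at sealing time."""
    def seal(self, secret: bytes, pcr: bytes) -> None:
        self._secret, self._policy = secret, pcr

    def unseal(self, pcr: bytes):
        return self._secret if pcr == self._policy else None

def try_unlock(measured):
    """Return (key after an untouched boot, key after an initrd swap)."""
    # Constructed sample blobs standing in for the real files.
    good = [("kernel", b"vmlinuz-constructed"), ("initrd", b"initrd-constructed")]
    tampered = [good[0], ("initrd", b"initrd-replaced")]
    tpm = ToyTPM()
    tpm.seal(b"luks-volume-key", boot(good, measured))
    return tpm.unseal(boot(good, measured)), tpm.unseal(boot(tampered, measured))

if __name__ == "__main__":
    # Boot loader measures kernel and initrd: the swapped initrd gets no key.
    print(try_unlock({"kernel", "initrd"}))
    # Nothing measures the initrd: the swap goes unnoticed and the key is released.
    print(try_unlock({"kernel"}))
```

The same model shows why a kernel or initrd update changes the PCR value and the key has to be re-sealed against the new measurements.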