Hi :-) On Wednesday, 1 December 2021, 08:29:08 CET, Fabian Vogt wrote:
On Monday, 29 November 2021, 23:07:56 CET, ub22@gmx.net wrote:
OK, it is correct (showing 2). But this doesn't help due to the security restriction :-(
It's being worked on. https://www.youtube.com/watch?v=C58WLY7FvYk explains some potential approaches.
Very interesting :-) many thanks
Until seamless update handling is implemented, you can handle it manually by also sealing against PCRs 8 and 9, i.e. passing --tpm2-pcrs=7+8+9 (or even 0+1+2+4+5+7+8+9) to systemd-cryptenroll. That way the TPM will only unseal the secret if grub/kernel/initrd etc. match exactly. On updates, you'll have to enter the passphrase manually and run systemd-cryptenroll again.
At the moment, for the notebook I use daily, it is too risky for me ;-) So I stay with your first proposal:
> See https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice to avoid the second entry. The first is still done with the wrong keyboard layout though.
Which I fixed by adding an additional password with QWERTY keyboard ;-) Looking forward to being able to use the Nitrokey 3 to enable the grub2 password entry.
The other files in /boot (e.g. sysctl.conf) could still be modified without noticing, which can be avoided by placing necessary files on the EFI partition and leaving /boot encrypted.
OK. Ulf
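As an added example (not from the thread, and not systemd's or openSUSE's own code): a small POSIX shell script for the manual step Fabian describes above, i.e. binding the LUKS TPM2 slot to PCRs 7+8+9 again after a grub/kernel/initrd update, when the TPM refuses to unseal and the passphrase had to be typed. It assumes systemd-cryptenroll is installed, that the LUKS device path is given as the first argument, and that the PCRS/DRY_RUN variables and the validate_pcrs/reenroll_cmds/run_reenroll function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from systemd/openSUSE.
# Re-binds the TPM2 key slot of a LUKS volume to a fixed PCR set after a
# grub/kernel/initrd update, as described in the thread.
# Assumptions: systemd-cryptenroll (systemd >= 248) is installed, the LUKS
# device is passed as $1, and DRY_RUN=1 only prints the commands.

# PCR set from the thread: 7 (Secure Boot policy) plus 8 and 9 (grub
# commands, loaded kernel and initrd). Override with PCRS=0+1+2+4+5+7+8+9.
PCRS="${PCRS:-7+8+9}"

# Accept only PCR indices 0..23 joined by '+', e.g. "7+8+9".
validate_pcrs() {
    spec="$1"
    case "$spec" in
        ""|*[!0-9+]*|+*|*+|*++*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS='+'
    set -- $spec
    IFS="$old_ifs"
    for n in "$@"; do
        [ "$n" -le 23 ] || return 1
    done
    return 0
}

# The two commands of the manual re-enrollment. The old TPM2 slot is wiped
# first, because it is bound to the PCR values of the previous boot chain
# and would otherwise stay in the LUKS header as a stale slot.
# systemd-cryptenroll prompts for an existing passphrase interactively.
reenroll_cmds() {
    dev="$1"
    printf '%s\n' \
        "systemd-cryptenroll --wipe-slot=tpm2 $dev" \
        "systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=$PCRS $dev"
}

run_reenroll() {
    dev="$1"
    [ -n "$dev" ] || { echo "usage: $0 /dev/<luks-device>" >&2; return 2; }
    validate_pcrs "$PCRS" || { echo "invalid PCR list: $PCRS" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        reenroll_cmds "$dev"
        return 0
    fi
    # Run each command in order; the here-document keeps the loop in the
    # current shell so 'return' aborts on the first failure.
    while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        $cmd || return 1
    done <<EOF
$(reenroll_cmds "$dev")
EOF
}

# Run only when a device is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    run_reenroll "$1"
fi
```

Typical use after a kernel update is `sh reenroll-tpm2.sh /dev/nvme0n1p3` (device name is a placeholder), entering the LUKS passphrase when asked; `DRY_RUN=1` prints the two commands without touching the header, and `PCRS=0+1+2+4+5+7+8+9` selects the stricter set from the thread.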