On 8/24/23 04:02, Gary Lin via openSUSE Factory wrote:
>> I do have a question for you: is there any plan to support TPM + a second factor, like a PIN, or HMAC challenge via a security key? Systemd-boot supports this, but I'm assuming the plumbing for something like this would need to be added to Grub.
> FIDO2 maybe. It would take some effort to enable FIDO2 support in grub2 though.
LUKS supports unlocking with a Yubikey already, and this should in principle work with any FIDO2 key. See e.g. https://www.guyrutenberg.com/2022/02/17/unlock-luks-volume-with-a-yubikey/

I've not done this yet myself, it's still on my bucket list.

LUKS supports up to 8 key slots, so it should be possible to have TPM or Yubikey (plus PIN) or a predefined passphrase, in case the TPM breaks and you lose your Yubikey.

Sadly only available in German, but an excellent talk on the possibilities of a Yubikey was done by Florian Winkler at the "Chemnitzer Linux Tage" this year: https://media.ccc.de/v/clt23-148-yubikey-mehr-als-nur-fido2

Best,
phoenix
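A check for the slot layout phoenix describes (TPM, FIDO2 key and a fallback passphrase in separate LUKS key slots), added here as an example and not part of the thread: it parses `cryptsetup luksDump` output and counts the slots that no TPM2/FIDO2 token unlocks. The dump text below is constructed, not taken from a real disk.

```shell
#!/bin/sh
# Added example: count LUKS2 key slots that no systemd-tpm2/systemd-fido2 token
# references, i.e. passphrase or recovery-key fallbacks for the day the TPM
# breaks or the Yubikey is lost. SAMPLE_DUMP is CONSTRUCTED to resemble
# `cryptsetup luksDump` output after systemd-cryptenroll added two tokens.

SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
  2: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        Keyslot:    1
  1: systemd-fido2
        Keyslot:    2
Digests:'

# Print the key slot numbers listed under "Keyslots:", one per line.
list_keyslots() {
    awk '/^Keyslots:/ {s=1; next} /^[A-Z]/ {s=0}
         s && /^  [0-9]+: / {sub(":", "", $1); print $1}'
}

# Print the slot numbers that tokens under "Tokens:" unlock, one per line.
list_token_bound_slots() {
    awk '/^Tokens:/ {s=1; next} /^[A-Z]/ {s=0} s && /Keyslot:/ {print $2}'
}

# Count slots no token references; 0 means every slot needs a hardware token.
count_fallback_slots() {
    dump="$1"
    all=$(printf '%s\n' "$dump" | list_keyslots)
    bound=" $(printf '%s\n' "$dump" | list_token_bound_slots | tr '\n' ' ') "
    n=0
    for s in $all; do
        case "$bound" in
            *" $s "*) ;;          # unlocked by a TPM2 or FIDO2 token
            *) n=$((n + 1)) ;;    # no token: passphrase/recovery fallback
        esac
    done
    echo "$n"
}
```

On a real system feed it `cryptsetup luksDump` output for the LUKS device (root required); a result of 0 means every slot depends on a hardware token and a passphrase slot should be enrolled before relying on the setup.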