Hello,

In case you haven't seen this on the factory mailing list: since this week we have images for openSUSE MicroOS with full disk encryption using either a TPM chip or a FIDO2 key.

Regards,
Thorsten
---------- Forwarded message ---------
From: aplanas <aplanas@suse.de>
Date: Thu, Dec 21, 2023 at 1:47 PM
Subject: systemd-based FDE in MicroOS / Tumbleweed
To: <openSUSE-Factory@opensuse.org>


Hi,

Some months ago we announced the support of systemd-boot in MicroOS and
in Tumbleweed, using a new tool named sdbootutil, that helps us to
synchronize the boot loader entries with available snapshots in the
system.

Today we announce that we are supporting the full disk encryption (FDE)
tools that systemd brings us via systemd-cryptenroll or cryptsetup. We
extended the pcr-oracle to support new PCRs and the generation of
authorized policies in JSON format for systemd.

With this we also propose a new architecture in the distribution that
allows the enrollment of the TPM2 (with full measured boot attestation)
and the FIDO2 key, using the already available systemd user tools.

The MicroOS image[0] was also extended to show all these nice features
working together.

The long (sorry, maybe too long) explanation is in the news-o-o blog
post[1], and the technical details are in the openSUSE Systemd-fde wiki
page[2].

Feedback is more than welcome!

... also happy holidays, end of the year and beginning of 2024!

[0] http://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-kvm-and-xen-sdboot.qcow2
[1] https://news.opensuse.org/2023/12/20/systemd-fde/
[2] https://en.opensuse.org/Systemd-fde


--
Thorsten Kukuk, Distinguished Engineer, Senior Architect, Future Technologies
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nuernberg, Germany
Managing Director: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)