On Monday, 2017-12-04 at 08:49 -0600, listreader wrote:
> On Sun, 3 Dec 2017 18:47:03 +0100 Richard Brown <RBrownCCB@opensuse.org> wrote:
>
>>> My question to you, and to Greg F, who also apparently has experience with these things, is: these come with hardware encryption. How does that work with Linux, specifically openSUSE of course? Can you boot 42.3 off a hardware-encrypted NVMe? If so, does anything special need to be done to permit said booting?
>>
>> I haven't used it much myself - all of the production NVMe openqa.opensuse.org workers (which were/are Leap 42.2/3) didn't use the feature - we don't want to enter passwords when we're rebooting them.
>>
>> However, I did my homework, and currently the commonly believed 'best' way of using the hardware encryption is by using the support (if your BIOS has it) for unlocking it in and with the BIOS.
>>
>> That way, when the BIOS is loading, it unlocks the device, and from that point on Linux sees and uses the device just like a regular NVMe (which is pretty much seen the same as a regular disk, just with a funny naming convention, e.g. /dev/nvme0n1p1).
>>
>> There are embryonic efforts for userspace and kernel tooling to enable the control and use of the hardware-encrypted NVMe support without needing to rely on BIOS support. I believe we have the kernel support in our kernels; I do not believe we have the userspace tooling packaged anywhere.
>>
>> But, given the tooling would require the disabling of SecureBoot, which actually does a good job of ensuring your boot process hasn't been tampered with, a solution using this software would arguably have a wider attack surface than the BIOS unlock or the more generic dm-crypt/LUKS option with SecureBoot we already support in our openSUSE packages.
> Thanks for that info. I don't see anything in this BIOS relevant to booting from an NVMe, whether encrypted or not, but that's possibly because there's no NVMe currently installed, thus no need to display options.
You would see encryption in your normal disks.
> I pulled out the Thunderbolt board; options for Thunderbolt in the BIOS disappeared, possibly the same factor in play with the NVMe.
>
> 'opensuse-secureboot' (yes, that's what it says in this BIOS, not 'openSUSE-secureboot' ;-) works fine on this machine with three LUKS partitions, but I don't boot from LUKS. That's the reason for my original question. Bootable encryption would be interesting to have.
It is currently possible in openSUSE from YaST with LVM setups. There is work in progress to do it without LVM as well.

-- 
Cheers,
Carlos E. R. (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)