Re: RFC: entering luks password on grub level for devices without keyboards

On Sat, 14 Mar 2020, Marius Schwarz wrote:
> Hi all,
>
> Before we start, it is a VERY VERY SPECIAL situation I will talk about
> now. It could get fixed by an UNUSUAL approach.
>
> The device we talk about as an example is the SURFACE PRO Tablet Series
> from Microsoft WITH a LUKS encrypted installation on the drive.
>
> Situation:
>
> If you encrypt the Fedora (or any) installation with LUKS, as
> security of a mobile device indicates, you end up without the
> possibility to enter the password when you do not have an in/external
> keyboard at hand.
>
> As tablets do not come with a keypad (called TypeCover by MS) by
> default, it's not possible to enter the password when Plymouth asks for it.
>
> There is simply no keyboard available, AND additionally since Surface
> Pro 4+, touch does not work with the upstream kernel, so adding an OSK
> isn't helping.
>
> Solution until now: TypeCover or external keyboard OR no encryption for
> the device.

You can set up clevis to use any automated policy you want. For example,
clevis supports a TPM2 pin, which would allow you to bind your LUKS keys to
a TPM2 chip in Surface devices. All Windows 10-capable hardware has
an internal TPM chip; this is true for my Surface Pro 2017.

Please see
https://blog.dowhile0.org/2017/10/18/automatic-luks-volumes-unlocking-using-a-tpm2-chip/
https://discussion.fedoraproject.org/t/automatic-decrypt-with-tpm2-on-silverblue/8424/2
and https://github.com/latchset/clevis/issues/34#issuecomment-369560587
for more details.

With this setup you wouldn't need to use any keyboard to enter your
passkey as TPM2 is always present.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
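
The clevis TPM2 binding suggested in the reply above, as an added example that is not part of the original message and not code from the clevis project. The device path, the `sha256` bank and the choice of PCR 7 (Secure Boot state) are assumptions; binding to PCRs means the TPM only releases the key while the measured boot state matches.

```shell
#!/bin/sh
# Added example: bind a LUKS volume to the TPM2 via clevis so no keyboard is
# needed at boot. Device path, PCR bank and PCR list are reader-chosen assumptions.

# Accept only a comma-separated list of PCR indices in the range 0-23.
validate_pcrs() (
    ids=$1
    case $ids in ''|*[!0-9,]*|,*|*,|*,,*) exit 1 ;; esac
    IFS=,
    for id in $ids; do
        [ "$id" -le 23 ] 2>/dev/null || exit 1
    done
    printf '%s\n' "$ids"
)

# Build the JSON config for the clevis tpm2 pin.
tpm2_policy() (
    case $1 in sha1|sha256|sha384|sha512) ;; *) exit 1 ;; esac
    pcrs=$(validate_pcrs "$2") || exit 1
    printf '{"pcr_bank":"%s","pcr_ids":"%s"}\n' "$1" "$pcrs"
)

# Dry run by default: print the bind command. APPLY=1 executes it (as root).
bind_tpm2() (
    dev=$1
    policy=$(tpm2_policy "${2:-sha256}" "${3:-7}") ||
        { echo "invalid PCR bank or PCR list" >&2; exit 2; }
    if [ "${APPLY:-0}" != 1 ]; then
        printf "clevis luks bind -d %s tpm2 '%s'\n" "$dev" "$policy"
        exit 0
    fi
    [ -c /dev/tpmrm0 ] || { echo "no TPM2 device (/dev/tpmrm0)" >&2; exit 3; }
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; exit 4; }
    # Adds a new key slot; the existing passphrase stays valid as a fallback.
    clevis luks bind -d "$dev" tpm2 "$policy" &&
        clevis luks list -d "$dev" &&
        dracut -f   # rebuild the initramfs (needs the clevis dracut module)
)

# Run only when a device argument is given, e.g. ./bind.sh /dev/EXAMPLE sha256 7
[ "$#" -eq 0 ] || bind_tpm2 "$@"
```

With a TPM-only policy the volume unlocks for whoever powers on the device, so the login screen and the PCR selection carry the protection that the typed passphrase used to provide.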