[systemd-devel] dm-integrity volume with TPM key?

2021-09-29 Thread Sebastian Wiesner
Hello, "Authenticated Boot and Disk Encryption on Linux" [1] suggests to "make /home/ its own dm-integrity volume with a HMAC, keyed by the TPM" when using systemd-homed for user home directories. I'd like to try that but… how? I can use systemd-cryptenroll to make an encrypted volume with a TPM

Re: [systemd-devel] Authenticated Boot and Disk Encryption on Linux

2021-09-29 Thread Łukasz Stelmach
Hi, Lennart. I read your blog post and there is little I can add regarding encryption/authentication*. However, distributions need to address one more detail, I think. You've mentioned recovery scenarios, but even with an additional set of keys stored securely, there are enough moving parts in

Re: [systemd-devel] [RFC] Switching to OpenSSL 3?

2021-09-29 Thread Luca Boccassi
On Wed, 2021-09-15 at 16:06 +0100, Luca Boccassi wrote: > On Tue, 2021-09-14 at 13:36 +0200, Lennart Poettering wrote: > > Heya! > > > > Some of the systemd developers have been discussing switching > > systemd's crypto libraries to be exclusively OpenSSL 3.0, and drop > > support for older

Re: [systemd-devel] Prefix for direct logging

2021-09-29 Thread Arjun D R
Hi Lennart, Please help me understand how the journald is figuring out the PID of the log line. I believe, with the PID, the journald is able to get the remaining details (process name) from proc fs. I wonder how the journal is able to get the PID of the log contributor as there can be many

Re: [systemd-devel] FDE: UEFI/Secureboot solves main part / missing link is /boot encryption

2021-09-29 Thread Lennart Poettering
On Mi, 29.09.21 12:47, Leon Fauster (leonfaus...@googlemail.com) wrote: > > Encryption is not authentication. > > > > Not sure why you would encrypt your boot loader though? The boot > > loader code is hardly a secret, is it? It's the same for everyone and > > open source. > > > > And with which

Re: [systemd-devel] FDE: UEFI/Secureboot solves main part / missing link is /boot encryption

2021-09-29 Thread Leon Fauster
On 28.09.21 23:13, Lennart Poettering wrote: On Di, 28.09.21 19:44, Leon Fauster (leonfaus...@googlemail.com) wrote: Hello Lennart, corresponding to your last post about FDE: On an EFI system - would an encrypted "/boot" or /boot on an encrypted "/" filesystem eliminate the mentioned main

Re: [systemd-devel] Prefix for direct logging

2021-09-29 Thread Arjun D R
Hi Lennart, That's a good idea but still I would like to have the prefix as it is in the journal. I understand it is impossible to bypass the journal and expect the direct logging to be the same as journal entries. We can achieve it through socket but still we cannot have the luxurious prefix as