On Sat, 14 Mar 2020, Marius Schwarz wrote:
> Hi all,
>
> Before we start, it is a VERY VERY SPECIAL situation I will talk about
> now. It could get fixed by an UNUSUAL approach.
>
> The device we talk about as an example is the SURFACE PRO Tablet Series
> from Microsoft WITH a LUKS encrypted installation on the drive.
>
> Situation:
>
> If you encrypt the Fedora (or any) installation with LUKS, as the
> security of a mobile device indicates, you end up without the
> possibility to enter the password when you do not have an in/external
> keyboard at hand.
>
> As tablets do not come with a keypad (called TypeCover by MS) by
> default, it's not possible to enter the password when Plymouth asks for it.
>
> There is simply no keyboard available, AND additionally since Surface
> Pro 4+, touch does not work with the upstream kernel, so adding an OSK
> isn't helping.
>
> Solution until now: TypeCover or external keyboard OR no encryption for
> the device.

You can set up clevis to use any automated policy you want. For example,
clevis supports the TPM2 pin, which would allow you to bind your LUKS keys to
the TPM2 chip in Surface devices. All Windows 10-capable hardware has an
internal TPM chip; this is true for my Surface Pro 2017.

Please see
https://blog.dowhile0.org/2017/10/18/automatic-luks-volumes-unlocking-using-a-tpm2-chip/
https://discussion.fedoraproject.org/t/automatic-decrypt-with-tpm2-on-silverblue/8424/2
and https://github.com/latchset/clevis/issues/34#issuecomment-369560587
for more details.

With this setup you wouldn't need to use any keyboard to enter your
passkey as TPM2 is always present.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
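The clevis TPM2 binding described in the reply above, as an added worked example (this is not code from the thread or from the clevis project). It assumes clevis, clevis-luks and clevis-dracut are installed, that the LUKS partition is /dev/nvme0n1p3, and that sealing to PCR 7 (the measured Secure Boot state) is the desired policy; the CLEVIS_DEMO_RUN switch is an assumption so the helpers can be sourced and checked without touching a disk. The script first proves the TPM can seal and unseal under the chosen policy, then adds the clevis keyslot next to the existing passphrase slot and rebuilds the initramfs.

```shell
#!/bin/sh
# Added example (not from the original post or the clevis project): bind a LUKS
# volume to the TPM2 with the clevis "tpm2" pin so the initramfs can unseal the
# key without a keyboard. Device path, PCR selection and CLEVIS_DEMO_RUN are
# assumptions for illustration.
set -eu

# Build the JSON config the tpm2 pin expects. Sealing to PCR 7 ties the key to
# the measured Secure Boot state, so a modified bootloader cannot unseal it.
tpm2_pin_config() {
  bank="$1"; ids="$2"
  printf '{"pcr_bank":"%s","pcr_ids":"%s"}' "$bank" "$ids"
}

# Accept only a comma-separated list of PCR indices 0-23; a typo here would
# silently seal against the wrong registers (or none at all).
valid_pcr_ids() {
  printf '%s' "$1" | grep -Eq '^([0-9]|1[0-9]|2[0-3])(,([0-9]|1[0-9]|2[0-3]))*$'
}

# Prove the TPM can seal and unseal under this policy before touching the disk:
# encrypt a probe string with the tpm2 pin and decrypt it again.
tpm2_roundtrip_ok() {
  cfg="$1"
  probe="clevis-probe-$$"
  out=$(printf '%s' "$probe" | clevis encrypt tpm2 "$cfg" | clevis decrypt)
  [ "$out" = "$probe" ]
}

# Add a clevis-managed keyslot next to the passphrase slot. The passphrase stays
# as the fallback for when PCR values change, e.g. after a firmware update.
bind_luks_to_tpm2() {
  dev="$1"; cfg="$2"
  clevis luks bind -d "$dev" tpm2 "$cfg"
  clevis luks list -d "$dev"   # show the resulting keyslot and its pin config
}

# Regenerate the initramfs so the clevis dracut module performs the early unlock.
rebuild_initramfs() { dracut -f; }

if [ "${CLEVIS_DEMO_RUN:-0}" = 1 ]; then
  DEV=/dev/nvme0n1p3   # assumed LUKS partition; confirm with: lsblk -f
  PCRS=7               # assumed; add 0 or 1 to also pin the firmware measurements
  valid_pcr_ids "$PCRS" || { echo "bad PCR list: $PCRS" >&2; exit 1; }
  CFG=$(tpm2_pin_config sha256 "$PCRS")
  tpm2_roundtrip_ok "$CFG" || { echo "TPM2 seal/unseal failed" >&2; exit 1; }
  bind_luks_to_tpm2 "$DEV" "$CFG"
  rebuild_initramfs
fi
```

Run it as root with `CLEVIS_DEMO_RUN=1 sh bind-tpm2.sh`; `clevis luks bind` prompts for the existing passphrase. The round-trip check matters because a binding against PCRs the firmware never extends unseals for nobody, and you only find out at the next boot. Keep the passphrase keyslot: after a firmware or Secure Boot change PCR 7 no longer matches and the initramfs falls back to the Plymouth prompt, which on a keyboardless Surface is exactly the situation the thread started with.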