Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-22 Thread Marius Schwarz
On 19.03.20 at 20:57, John M. Harris Jr wrote:
>
> If you're drawing a direct comparison to the Fedora boot process from the 
> Windows process, the point at which Windows is presenting an OSK is about at 
> the point after which initrd is loaded in the Fedora boot process. It's not 
> happening at the bootloader itself.
>
> Further, there is no threading support in GRUB to begin with, nor a GUI 
> toolkit which could be used for an OSK.
>

The image shows the Surface OSK, which is auto-shown by the Surface Bios.
Grub does not need to draw the OSK itself. It works already;
all it needs is a way to have the password asked there and sent to
the Plymouth decrypt routine.



Best regards,
Marius
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org


Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-20 Thread Chris Murphy
On Fri, Mar 20, 2020 at 1:50 AM Petr Pisar  wrote:
>
> On Thu, Mar 19, 2020 at 12:59:01PM -0600, Chris Murphy wrote:
> > On Thu, Mar 19, 2020 at 11:53 AM Marius Schwarz  
> > wrote:
> > >
> > > On 19.03.20 at 17:11, Michael Cronenworth wrote:
> > > > On 3/19/20 11:04 AM, Marius Schwarz wrote:
> > > >> correct, and that's the main issue, as long as you have grub where you can
> > > >> edit the kernel line to start in runlevel 1.
> > > >> This makes the encryption null and void.
> > > >
> > > > Adding a grub password will prevent those without it from editing your
> > > > boot parameters. By default you can still boot without the grub
> > > > password. Does that help?
> > >
> > > It would solve a problem.
> > >
> > > - does it prevent updates ( after booting into rl 5 ) of grub?
> > > - where is the passcode stored?
> >
> > grub.cfg or user.cfg contains the hashed password
> >
> > https://wiki.archlinux.org/index.php/GRUB/Tips_and_tricks#Password_protection_of_GRUB_menu
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password
> >
> > But if the attacker has physical access to the computer, they can
> > mount /boot/efi or /boot where this file is stored; and remove the
> > password requirement.
>
> Not at all. GRUB code and configuration are protected by TPM measurement. If
> an attacker tampers with them, decrypting LUKS will fail on a missing or wrong
> passphrase.

I wasn't assuming measured boot; but in that case it provides better
protection without needing the locked-up kiosk setup. But none of this
is really easy to set up right now, and quite a lot of people have
computers without a TPM.

-- 
Chris Murphy


Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-20 Thread Petr Pisar
On Thu, Mar 19, 2020 at 06:52:52PM +0100, Marius Schwarz wrote:
> On 19.03.20 at 17:11, Michael Cronenworth wrote:
> > On 3/19/20 11:04 AM, Marius Schwarz wrote:
> >> correct, and that's the main issue, as long as you have grub where you can
> >> edit the kernel line to start in runlevel 1.
> >> This makes the encryption null and void.
> >
> > Adding a grub password will prevent those without it from editing your
> > boot parameters. By default you can still boot without the grub
> > password. Does that help?
> 
> It would solve a problem.
> 
> - does it prevent updates ( after booting into rl 5 ) of grub?

Yes. Updating GRUB, kernel, and initramdisk requires physical access (or
better said, a trusted environment).

-- Petr




Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-20 Thread Petr Pisar
On Thu, Mar 19, 2020 at 12:59:01PM -0600, Chris Murphy wrote:
> On Thu, Mar 19, 2020 at 11:53 AM Marius Schwarz  
> wrote:
> >
> > On 19.03.20 at 17:11, Michael Cronenworth wrote:
> > > On 3/19/20 11:04 AM, Marius Schwarz wrote:
> > >> correct, and that's the main issue, as long as you have grub where you can
> > >> edit the kernel line to start in runlevel 1.
> > >> This makes the encryption null and void.
> > >
> > > Adding a grub password will prevent those without it from editing your
> > > boot parameters. By default you can still boot without the grub
> > > password. Does that help?
> >
> > It would solve a problem.
> >
> > - does it prevent updates ( after booting into rl 5 ) of grub?
> > - where is the passcode stored?
> 
> grub.cfg or user.cfg contains the hashed password
> 
> https://wiki.archlinux.org/index.php/GRUB/Tips_and_tricks#Password_protection_of_GRUB_menu
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password
> 
> But if the attacker has physical access to the computer, they can
> mount /boot/efi or /boot where this file is stored; and remove the
> password requirement.

Not at all. GRUB code and configuration are protected by TPM measurement. If an
attacker tampers with them, decrypting LUKS will fail on a missing or wrong
passphrase.

-- Petr




Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-19 Thread Dominik 'Rathann' Mierzejewski
On Thursday, 19 March 2020 at 19:59, Chris Murphy wrote:
[...]
> I think what you'd want for the stolen laptop use case is an encrypted
> $BOOT, which GRUB does support:
> 
> The first grub.cfg is unencrypted, and provides strictly for unlocking
> a LUKS1 (no LUKS2 support yet) $BOOT volume, and then using
> 'configfile' command to read a second "real" grub.cfg on the encrypted
> $BOOT, which also contains BLS snippets, and kernel+initramfs. Since a
> passphrase is required to even read these files, in order to boot the
> installed system, I'm not sure it's necessary to also lock down the
> command line. (Also, the setup details differ considerably between
> UEFI and BIOS.)

Could you share the steps to configure the above for the UEFI case? I'm
interested in such a setup, but never had time to try configuring it.

Regards,
Dominik
-- 
Fedora   https://getfedora.org  |  RPM Fusion  http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
-- from "Collected Sayings of Muad'Dib" by the Princess Irulan


Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-19 Thread John M. Harris Jr
On Saturday, March 14, 2020 5:05:11 AM MST Marius Schwarz wrote:
> Hi all,
> 
> before we start, it is a VERY VERY SPECIAL situation I will talk about
> now. It could get fixed by an UNUSUAL approach.
> 
> The device we talk about as an example is the SURFACE PRO Tablet Series
> from Microsoft WITH a LUKS encrypted installation on the drive.
> 
> Situation:
> 
> If you encrypt the fedora ( or any ) installation with luks, as
> security of a mobile device indicates, you end up without the
> possibility to enter the password, when you do not have an in/external
> keyboard at hand.
> 
> As tablets do not come with a keypad ( called TypeCover by MS ) by
> default, it's not possible to enter the password when Plymouth asks for it.
> 
> There is simply no keyboard available, AND additionally since surface
> pro 4+, touch does not work with upstream kernel, so adding an OSK
> isn't helping.
> 
> Solution until now: TypeCover or external Keyboard OR no encryption for
> the device.
> 
> 
> ## My Suggestion ##
> 
> MS blends in a very basic keyboard when grub is displayed. I guess it's
> for low level repairs when windows fails. The key point is, it gets displayed
> and handled by the Surface Bios itself as it seems.
> 
> With the help of this OSK on grub level, it is possible to use a
> (nonexisting yet) envvar or a kernel parameter to pass the password
> down to the luks unlock part. (not to forget, to choose a kernel there ;) )
> 
> ## BENEFITS ##
> 
> This would secure the mobile device and make it usable as a real
> tablet computer should be used.
> 
> It's also a way for other future mobile devices with touchscreens only,
> how they could solve the issue, i.e. linux smartphones.
> 
> It gets really interesting as a standard way of how things should work,
> when you keep in mind that any mobile bios has already solved touch
> support for the device in question, because they have the urgent need to
> enter the phone's bios and do things like "wipe cache", "boot from ..",
> "test graphics" etc. etc., which is then obviously touch based. Opening
> the already present touch handling to an OSK on startup as MS did could
> be the way to go for all future touch devices.
> 
> 
> Your comments on this, please.
> 
> Best regards,
> Marius Schwarz

If you're drawing a direct comparison to the Fedora boot process from the 
Windows process, the point at which Windows is presenting an OSK is about at 
the point after which initrd is loaded in the Fedora boot process. It's not 
happening at the bootloader itself.

Further, there is no threading support in GRUB to begin with, nor a GUI 
toolkit which could be used for an OSK.

-- 
John M. Harris, Jr.
Splentity



Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-19 Thread John M. Harris Jr
On Monday, March 16, 2020 2:15:34 AM MST Marius Schwarz wrote:
> On 16.03.20 at 09:15, Tomasz Torcz wrote:
> 
> >> I knew someone would bring this up: TPM does not protect your drive,
> >> as you could boot with "init=/bin/bash 1" .
> >
> > How do you do that WITHOUT KEYBOARD? This thread is about a very
> > specific situation, please do not forget that when generalising.
> 
> The Surface Bios is inserting an OSK (only) on the level where grub
> operates, so you can choose your kernel and edit your cmd line.
> No external keyboard needed at that point.
> 
> Best regards,
> Marius Schwarz

If you're drawing a direct comparison to the Fedora boot process from the 
Windows process, the point at which Windows is presenting an OSK is about at 
the point after which initrd is loaded in the Fedora boot process. It's not 
happening at the bootloader itself.

-- 
John M. Harris, Jr.



Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-19 Thread Chris Murphy
On Thu, Mar 19, 2020 at 11:53 AM Marius Schwarz  wrote:
>
> On 19.03.20 at 17:11, Michael Cronenworth wrote:
> > On 3/19/20 11:04 AM, Marius Schwarz wrote:
> >> correct, and that's the main issue, as long as you have grub where you can
> >> edit the kernel line to start in runlevel 1.
> >> This makes the encryption null and void.
> >
> > Adding a grub password will prevent those without it from editing your
> > boot parameters. By default you can still boot without the grub
> > password. Does that help?
>
> It would solve a problem.
>
> - does it prevent updates ( after booting into rl 5 ) of grub?
> - where is the passcode stored?

grub.cfg or user.cfg contains the hashed password.

https://wiki.archlinux.org/index.php/GRUB/Tips_and_tricks#Password_protection_of_GRUB_menu
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password

But if the attacker has physical access to the computer, they can
mount /boot/efi or /boot where this file is stored; and remove the
password requirement. The GRUB password protection workflow protects
the kiosk use case, where there is no physical access. Not a stolen
laptop.

I think what you'd want for the stolen laptop use case is an encrypted
$BOOT, which GRUB does support:

The first grub.cfg is unencrypted, and provides strictly for unlocking
a LUKS1 (no LUKS2 support yet) $BOOT volume, and then using
'configfile' command to read a second "real" grub.cfg on the encrypted
$BOOT, which also contains BLS snippets, and kernel+initramfs. Since a
passphrase is required to even read these files, in order to boot the
installed system, I'm not sure it's necessary to also lock down the
command line. (Also, the setup details differ considerably between
UEFI and BIOS.)

The out of the box UX, whether GRUB edit lockdown or encrypted $BOOT,
would be terrible. It requires a sophisticated user to understand,
maintain, and troubleshoot such a setup.


-- 
Chris Murphy
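As an added example (not from the thread or any of its authors): a small Python script that parses and verifies the grub.pbkdf2.sha512 hash format that grub2-mkpasswd-pbkdf2 produces and that /boot/grub2/user.cfg (GRUB2_PASSWORD=...) or grub.cfg (password_pbkdf2 ...) stores, and that audits whether a given grub.cfg plus user.cfg pair actually enforces a menu password, including the case where the user.cfg line is gone. The sample configs, salt and passphrase are constructed for the example; the 01_users snippet imitates the shape of Fedora's generated grub.cfg.

```python
import hashlib
import hmac
import os
import re

# Hash string format produced by grub2-mkpasswd-pbkdf2 and stored by
# grub2-setpassword in /boot/grub2/user.cfg (GRUB2_PASSWORD=...) or written
# by hand into grub.cfg ("password_pbkdf2 <user> <hash>"):
#   grub.pbkdf2.sha512.<iterations>.<salt hex>.<derived key hex>
GRUB_HASH_RE = re.compile(
    r"^grub\.pbkdf2\.sha512\.(?P<iters>\d+)\.(?P<salt>[0-9A-Fa-f]+)\.(?P<dk>[0-9A-Fa-f]+)$"
)
DKLEN = 64  # GRUB derives a 64-byte key with PBKDF2-HMAC-SHA512

KV_RE = re.compile(r"^\s*(\w+)=(\S+)\s*$", re.M)  # NAME=value lines in user.cfg
SUPERUSERS_RE = re.compile(r"^\s*set\s+superusers=(?P<names>\S+)", re.M)
PASSWORD_RE = re.compile(r"^\s*password_pbkdf2\s+(?P<user>\S+)\s+(?P<hash>\S+)", re.M)
VAR_RE = re.compile(r"\$\{?(?P<name>\w+)\}?")  # ${GRUB2_PASSWORD}-style reference


def make_grub_hash(password, iterations=10000, salt=None):
    """Build a grub.pbkdf2.sha512 string the way grub2-mkpasswd-pbkdf2 does."""
    salt = os.urandom(64) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, DKLEN)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (iterations, salt.hex().upper(), dk.hex().upper())


def parse_grub_hash(stored):
    """Return (iterations, salt, derived_key) or raise ValueError on a malformed string."""
    m = GRUB_HASH_RE.match(stored.strip())
    if not m:
        raise ValueError("not a grub.pbkdf2.sha512 string")
    iters, salt, dk = int(m["iters"]), bytes.fromhex(m["salt"]), bytes.fromhex(m["dk"])
    if iters < 1 or len(dk) != DKLEN:
        raise ValueError("bad iteration count or derived-key length")
    return iters, salt, dk


def verify_grub_password(stored, candidate):
    """Check a candidate passphrase against a stored hash using a constant-time compare."""
    iters, salt, dk = parse_grub_hash(stored)
    cand = hashlib.pbkdf2_hmac("sha512", candidate.encode(), salt, iters, DKLEN)
    return hmac.compare_digest(cand, dk)


def audit_boot_config(user_cfg, grub_cfg, min_iterations=10000):
    """Report whether grub.cfg plus user.cfg enforce a menu password.

    Resolves ${VAR} references in password_pbkdf2 lines from user.cfg and checks
    that superusers is set; without it GRUB does not restrict editing at all.
    """
    env = dict(KV_RE.findall(user_cfg))
    report = {"password_set": False, "superusers": None, "users": {}, "problems": []}
    m = SUPERUSERS_RE.search(grub_cfg)
    if m:
        report["superusers"] = m["names"].strip('"')
    for m in PASSWORD_RE.finditer(grub_cfg):
        user, token = m["user"], m["hash"]
        ref = VAR_RE.fullmatch(token)
        if ref:  # hash comes from a sourced variable, normally user.cfg
            token = env.get(ref["name"])
            if token is None:
                report["problems"].append(
                    "%s: %s is undefined (user.cfg missing or its line removed)" % (user, m["hash"]))
                continue
        try:
            iters, _, _ = parse_grub_hash(token)
        except ValueError as exc:
            report["problems"].append("%s: %s" % (user, exc))
            continue
        report["users"][user] = iters
        if iters < min_iterations:
            report["problems"].append("%s: only %d PBKDF2 iterations" % (user, iters))
    if report["users"] and report["superusers"] is None:
        report["problems"].append("password_pbkdf2 present but superusers unset: editing not restricted")
    report["password_set"] = bool(report["users"]) and report["superusers"] is not None
    return report


# Constructed sample inputs (not real files): a user.cfg as grub2-setpassword
# would write it, and a 01_users section shaped like the one Fedora's grub.cfg carries.
SAMPLE_USER_CFG = "GRUB2_PASSWORD=%s\n" % make_grub_hash("correct horse", 10000, bytes(range(64)))
SAMPLE_GRUB_CFG = """\
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###
"""

if __name__ == "__main__":
    print(audit_boot_config(SAMPLE_USER_CFG, SAMPLE_GRUB_CFG))
    # Same grub.cfg with user.cfg gone: the password requirement silently disappears.
    print(audit_boot_config("", SAMPLE_GRUB_CFG))
```

Running the second audit with an empty user.cfg shows why the hash living on an unencrypted /boot is the weak point: the directive still reads fine, but nothing is enforced.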


Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-19 Thread Marius Schwarz
On 19.03.20 at 17:11, Michael Cronenworth wrote:
> On 3/19/20 11:04 AM, Marius Schwarz wrote:
>> correct, and that's the main issue, as long as you have grub where you can
>> edit the kernel line to start in runlevel 1.
>> This makes the encryption null and void.
>
> Adding a grub password will prevent those without it from editing your
> boot parameters. By default you can still boot without the grub
> password. Does that help?

It would solve a problem.

- does it prevent updates ( after booting into rl 5 ) of grub?
- where is the passcode stored?

best regards,
Marius



Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-19 Thread Michael Cronenworth

On 3/19/20 11:04 AM, Marius Schwarz wrote:
> correct, and that's the main issue, as long as you have grub where you can
> edit the kernel line to start in runlevel 1.
> This makes the encryption null and void.

Adding a grub password will prevent those without it from editing your boot
parameters. By default you can still boot without the grub password. Does that help?



Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-19 Thread Petr Pisar
On Thu, Mar 19, 2020 at 05:04:36PM +0100, Marius Schwarz wrote:
> On 19.03.20 at 15:52, Momčilo Medić wrote:
> >
> > I'm not familiar with TPM chips, but from what I read here it sounds
> > like there would be no password prompt and anyone would be able to boot
> > the device, no?
> >
> >
> 
> correct, and that's the main issue, as long as you have grub where you can
> edit the kernel line to start in runlevel 1.
> This makes the encryption null and void.
> 
You can protect the Grub editing with a password.

-- Petr




Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-19 Thread Marius Schwarz
On 19.03.20 at 15:52, Momčilo Medić wrote:
>
> I'm not familiar with TPM chips, but from what I read here it sounds
> like there would be no password prompt and anyone would be able to boot
> the device, no?
>
>

correct, and that's the main issue, as long as you have grub where you can
edit the kernel line to start in runlevel 1.
This makes the encryption null and void.

best regards,
Marius



Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-19 Thread Momčilo Medić
On Mon, 2020-03-16 at 14:13 -0400, Stephen John Smoogen wrote:
> 
> 
> On Mon, 16 Mar 2020 at 13:56, Robbie Harwood 
> wrote:
> > Tomasz Torcz  writes:
> > 
> > > On Sun, Mar 15, 2020 at 11:12:43PM +0100, Marius Schwarz wrote:
> > >> On 15.03.20 at 13:32, Vitaly Zaitsev via devel wrote:
> > >> > On 14.03.2020 13:05, Marius Schwarz wrote:
> > >> >> If you encrypt the fedora ( or any ) installation with luks, as
> > >> >> security of a mobile device indicates, you end up without the
> > >> >> possibility to enter the password, when you do not have an in/external
> > >> >> keyboard at hand.
> > >> > You should use TPM 2.0 LUKS unlock instead of using passwords.
> > >> >
> > >> I knew someone would bring this up: TPM does not protect your
> > >> drive, as you could boot with "init=/bin/bash 1" .
> > >
> > > How do you do that WITHOUT KEYBOARD? This thread is about a very
> > > specific situation, please do not forget that when generalising.
> > 
> > I believe nothing stops someone from simply plugging one in.
> > 
> 
> And the counter point is that if you can't plug one in, it is not
> something that is supported. This is not general purpose hardware but
> a set of hardware that is primarily built to run Microsoft Windows by
> the vendor. There are going to be limits to what is going to be
> possible to get done with it. 
> 
> 

I am an owner of an HP Pavilion X2 Detachable[1] which does have a
detachable keyboard.
Gnome is really a blast to work with on touchscreen devices and I like
it more and more.
The only thing not functioning in Fedora 32 with the latest kernel is the webcam.

It is very annoying to have to have the keyboard attached for every
boot/reboot.
I'm only using the keyboard when I need to do some serious terminal work or
so.

I understand that it would require significant effort but, I think that
having Plymouth OSK would be perfect. Even if it would be numbers only.

I'm not familiar with TPM chips, but from what I read here it sounds
like there would be no password prompt and anyone would be able to boot
the device, no?

[1] https://www8.hp.com/us/en/campaigns/pavilion-x2/overview.html

Kind regards,
Momo.


Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-16 Thread Stephen John Smoogen
On Mon, 16 Mar 2020 at 13:56, Robbie Harwood  wrote:

> Tomasz Torcz  writes:
>
> > On Sun, Mar 15, 2020 at 11:12:43PM +0100, Marius Schwarz wrote:
> >> On 15.03.20 at 13:32, Vitaly Zaitsev via devel wrote:
> >> > On 14.03.2020 13:05, Marius Schwarz wrote:
> >> >> If you encrypt the fedora ( or any ) installation with luks, as
> >> >> security of a mobile device indicates, you end up without the
> >> >> possibility to enter the password, when you do not have an in/external
> >> >> keyboard at hand.
> >> > You should use TPM 2.0 LUKS unlock instead of using passwords.
> >> >
> >> I knew someone would bring this up: TPM does not protect your drive,
> >> as you could boot with "init=/bin/bash 1" .
> >
> > How do you do that WITHOUT KEYBOARD? This thread is about a very
> > specific situation, please do not forget that when generalising.
>
> I believe nothing stops someone from simply plugging one in.
>
>
And the counter point is that if you can't plug one in, it is not something
that is supported. This is not general purpose hardware but a set of
hardware that is primarily built to run Microsoft Windows by the vendor.
There are going to be limits to what is going to be possible to get done
with it.


-- 
Stephen J Smoogen.


Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-16 Thread Robbie Harwood
Tomasz Torcz  writes:

> On Sun, Mar 15, 2020 at 11:12:43PM +0100, Marius Schwarz wrote:
>> On 15.03.20 at 13:32, Vitaly Zaitsev via devel wrote:
>> > On 14.03.2020 13:05, Marius Schwarz wrote:
>> >> If you encrypt the fedora ( or any ) installation with luks, as
>> >> security of a mobile device indicates, you end up without the
>> >> possibility to enter the password, when you do not have an in/external
>> >> keyboard at hand.
>> > You should use TPM 2.0 LUKS unlock instead of using passwords.
>> >
>> I knew someone would bring this up: TPM does not protect your drive,
>> as you could boot with "init=/bin/bash 1" .
>
> How do you do that WITHOUT KEYBOARD? This thread is about a very
> specific situation, please do not forget that when generalising.

I believe nothing stops someone from simply plugging one in.

Thanks,
--Robbie




Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-16 Thread Marius Schwarz
On 16.03.20 at 09:15, Tomasz Torcz wrote:
>> I knew someone would bring this up: TPM does not protect your drive,
>> as you could boot with "init=/bin/bash 1" .
> How do you do that WITHOUT KEYBOARD? This thread is about a very
> specific situation, please do not forget that when generalising.
>

The Surface Bios is inserting an OSK (only) on the level where grub
operates, so you can choose your kernel and edit your cmd line.
No external keyboard needed at that point.

Best regards,
Marius Schwarz


Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-16 Thread Tomasz Torcz
On Sun, Mar 15, 2020 at 11:12:43PM +0100, Marius Schwarz wrote:
> On 15.03.20 at 13:32, Vitaly Zaitsev via devel wrote:
> > On 14.03.2020 13:05, Marius Schwarz wrote:
> >> If you encrypt the fedora ( or any ) installation with luks, as
> >> security of a mobile device indicates, you end up without the
> >> possibility to enter the password, when you do not have an in/external
> >> keyboard at hand.
> > You should use TPM 2.0 LUKS unlock instead of using passwords.
> >
> I knew someone would bring this up: TPM does not protect your drive,
> as you could boot with "init=/bin/bash 1" .

How do you do that WITHOUT KEYBOARD? This thread is about a very
specific situation, please do not forget that when generalising.

-- 
Tomasz Torcz                 Only gods can safely risk perfection,
to...@pipebreaker.pl         it's a dangerous thing for a man.  — Alia


Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-16 Thread Vitaly Zaitsev via devel
On 15.03.2020 23:12, Marius Schwarz wrote:
> I knew someone would bring this up: TPM does not protect your drive,
> as you could boot with "init=/bin/bash 1"

You should enable UEFI Secure Boot, create your CA, install systemd-boot
and sign it with your CA.

TPM 2.0 protects the full boot chain using PCR-7. No one can start the system
from a USB stick and unlock your LUKS protection.

-- 
Sincerely,
  Vitaly Zaitsev (vit...@easycoding.org)


Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-15 Thread Marius Schwarz
On 15.03.20 at 13:32, Vitaly Zaitsev via devel wrote:
> On 14.03.2020 13:05, Marius Schwarz wrote:
>> If you encrypt  the fedora ( or any ) installation with luks, as
>> security of a mobile device indicates, you end up without the
>> possibility to enter the password, when you do not have an in/external
>> keyboard at hand.
> You should use TPM 2.0 LUKS unlock instead of using passwords.
>
I knew someone would bring this up: TPM does not protect your drive,
as you could boot with "init=/bin/bash 1" . As long as grub can
intercept the boot process, TPM is off limits. We had a corresponding
security discussion in the SYSTEMD HOMED thread, explaining this.

I would not have brought this up if TPM alone were acceptable ;)


Best regards,
Marius Schwarz


Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-15 Thread Vitaly Zaitsev via devel
On 14.03.2020 13:05, Marius Schwarz wrote:
> If you encrypt  the fedora ( or any ) installation with luks, as
> security of a mobile device indicates, you end up without the
> possibility to enter the password, when you do not have an in/external
> keyboard at hand.

You should use TPM 2.0 LUKS unlock instead of using passwords.

-- 
Sincerely,
  Vitaly Zaitsev (vit...@easycoding.org)


Re: RFC: entering luks password on grub level for devices without keyboards

2020-03-15 Thread Alexander Bokovoy

On Sat, 14 March 2020, Marius Schwarz wrote:
> Hi all,
> 
> before we start, it is a VERY VERY SPECIAL situation I will talk about
> now. It could get fixed by an UNUSUAL approach.
> 
> The device we talk about as an example is the SURFACE PRO Tablet Series
> from Microsoft WITH a LUKS encrypted installation on the drive.
> 
> Situation:
> 
> If you encrypt the fedora ( or any ) installation with luks, as
> security of a mobile device indicates, you end up without the
> possibility to enter the password, when you do not have an in/external
> keyboard at hand.
> 
> As tablets do not come with a keypad ( called TypeCover by MS ) by
> default, it's not possible to enter the password when Plymouth asks for it.
> 
> There is simply no keyboard available, AND additionally since surface
> pro 4+, touch does not work with upstream kernel, so adding an OSK
> isn't helping.
> 
> Solution until now: TypeCover or external Keyboard OR no encryption for
> the device.

You can set up clevis to use any automated policy you want. For example,
clevis supports a TPM2 pin which would allow you to bind your LUKS keys to
the TPM2 chip in Surface devices. All Windows 10-capable hardware has an
internal TPM chip; this is true for my Surface Pro 2017.

Please see
https://blog.dowhile0.org/2017/10/18/automatic-luks-volumes-unlocking-using-a-tpm2-chip/
https://discussion.fedoraproject.org/t/automatic-decrypt-with-tpm2-on-silverblue/8424/2
and https://github.com/latchset/clevis/issues/34#issuecomment-369560587
for more details.

With this setup you wouldn't need to use any keyboard to enter your
passkey as TPM2 is always present.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland