Re: Read-protected UEFI variables

2018-02-19 Thread Alan Cox
> If the UEFI is as secure as storing an unencrypted file on a hard
> drive, I am satisfied. Or do you have a better idea where to store the
> SSH keys for a diskless system that boots via network?

Store them in the TPM? If you are booting over a network and not doing some kind of TPM based trus

Re: Read-protected UEFI variables

2018-02-15 Thread Ard Biesheuvel
FYI https://marc.info/?l=linux-efi&m=151871896117989&w=2

On 14 February 2018 at 20:33, Austin S. Hemmelgarn wrote:
> On 2018-02-14 08:21, Benjamin Drung wrote:
>>
>> On Wednesday, 14.02.2018, 13:09 +, Ard Biesheuvel wrote:
>>>
>>> On 14 February 2018 at 12:52, Benjamin Drung
>>> wrote:

Re: Read-protected UEFI variables

2018-02-14 Thread Austin S. Hemmelgarn
On 2018-02-14 08:21, Benjamin Drung wrote: On Wednesday, 14.02.2018, 13:09 +, Ard Biesheuvel wrote: On 14 February 2018 at 12:52, Benjamin Drung wrote: Hi, I am exploring the possibility to store SSH and other keys in UEFI variables for systems that do not have persistent storage. The

Re: Read-protected UEFI variables

2018-02-14 Thread Benjamin Drung
On Wednesday, 14.02.2018, 19:18 +0100, Môshe van der Sterre wrote:
> On 02/14/2018 02:21 PM, Benjamin Drung wrote:
> > If the UEFI is as secure as storing an unencrypted file on a hard
> > drive, I am satisfied. Or do you have a better idea where to store
> > the
> > SSH keys for a diskless sys

Re: Read-protected UEFI variables

2018-02-14 Thread Môshe van der Sterre
On 02/14/2018 02:21 PM, Benjamin Drung wrote:
> If the UEFI is as secure as storing an unencrypted file on a hard
> drive, I am satisfied. Or do you have a better idea where to store the
> SSH keys for a diskless system that boots via network?

I assume it would be best to use TPM for this (if your

Re: Read-protected UEFI variables

2018-02-14 Thread Benjamin Drung
On Wednesday, 14.02.2018, 13:09 +, Ard Biesheuvel wrote:
> On 14 February 2018 at 12:52, Benjamin Drung
> wrote:
> > Hi,
> >
> > I am exploring the possibility to store SSH and other keys in UEFI
> > variables for systems that do not have persistent storage. These
> > systems boot via net

Re: Read-protected UEFI variables

2018-02-14 Thread Ard Biesheuvel
On 14 February 2018 at 12:52, Benjamin Drung wrote:
> Hi,
>
> I am exploring the possibility to store SSH and other keys in UEFI
> variables for systems that do not have persistent storage. These
> systems boot via network and need individual SSH keys which ideally
> should not be distributed via