On Wed, Mar 05, 2014 at 06:11:35PM -0300, Giancarlo Razzolini wrote:
> >
>     I'm not trying to protect anything. Physical access almost always
> means game over. There could be some work on the area of trusted
> booting, using TPM chips, but this is another beast entirely.
> 
>     I'm trying to be able to remote unlock my full disk encrypted
> OpenBSD installation in a way that the keystrokes can't be intercepted
> in the wire. There is already a protocol for this, which is ssh. The
> trick is to have it working in the boot process.

You could try to reproduce the Linux initramfs configuration with a
bsd.rd (the installer) like setup to launch an ssh server to unlock
your real root. But OpenBSD is missing the pivot_root system call, so
you'll need to implement it.

Other tricks (like just chrooting into the real root fs)
will produce more or less Frankenstein systems that won't reboot
cleanly or may exhibit other unexpected behaviours.

-- 
Matthieu Herrb
