Pre-Boot Authentication with Smartcard

mariog...@gmail.com

Dec 1, 2016, 10:29:45 AM
to qubes-devel
In my opinion this feature would be a good idea to be implemented.

Personally I did not get this running, but maybe someone with more experience in Dracut/GPG can do it?

https://github.com/dracutdevs/dracut/pull/80

Trammell Hudson

Dec 1, 2016, 10:41:11 AM
to mariog...@gmail.com, qubes-devel
On Thu, Dec 01, 2016 at 07:27:52AM -0800, mariog...@gmail.com wrote:
> In my opinion this feature would be a good idea to be implemented.
> [...]
> https://github.com/dracutdevs/dracut/pull/80

I have something similar working with my Heads bootloader -- it unseals
and decrypts the keys with either the TPM or a GPG card and inserts
them into the initrd for the Qubes dom0, but am hesitant about the
smartcard support since this expands the attack surface of the early
runtime environment to have USB device drivers loaded.

Something that I would really like to figure out how to make work is to
have the S3 resume script retrieve keys from the TPM or GPG card so that
the kernel can dump the disk keys before going to sleep.

--
Trammell