From: Arno Wagner
Date: Sun, 21 Jun 2020 01:53:26 +0200
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] FAQ 2.2 Scenario (1) - clarification concerning "encrypted root"

This critically depends on the initrd being non-manipulated.
Of course, you cannot use the initrd to verify a signature
on the initrd securely ...

Regards,
Arno

On Sat, Jun 20, 2020 at 19:26:32 CEST, JT Morée wrote:
> I'm working through a setup right now and documenting at
> https://sites.google.com/site/jtmoree/knowledge-base/smart-cards-and-linux/kubuntu-20-04
>
> I am using the smartcard to unlock root during the boot process. This is
> done by the kernel and initrd using out of the box tools and processes.
>
> In this setup /boot is in the clear and I have some ideas for signing the
> kernel+initrd with the smart card, then verifying on boot. Will update
> the link if I get that working.
>

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier