**MOVED TO @haskal@types.pl** @haskal@cybre.space · May 30, 2020, 09:31

**MOVED TO @haskal@types.pl** @haskal@cybre.space · May 30, 2020, 09:31

MOVED TO @haskal@types.pl @haskal@cybre.space

May 30, 2020, 09:31

MOVED TO @haskal@types.pl @haskal@cybre.space

also some distro _please_ enable kernel module signing why is this not enabled anywhere

**‍fuchsiaaaaaaaaaaaaaaaaa** @f0x@pixie.town · 2020-05-30T09:37:24Z

‍fuchsiaaaaaaaaaaaaaaaaa @f0x@pixie.town

@haskal i think fedora does this?
"The Fedora distribution includes signed boot loaders, signed kernels, and signed kernel modules."
https://docs.fedoraproject.org/en-US/Fedora/23/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html

May 30, 2020, 09:37 · · · ·

**MOVED TO @haskal@types.pl** @haskal@cybre.space · May 30, 2020, 09:38

**MOVED TO @haskal@types.pl** @haskal@cybre.space · May 30, 2020, 09:38

May 30, 2020, 09:38

MOVED TO @haskal@types.pl @haskal@cybre.space

@f0x ah, this is good at least

**warez-wolfie** @doubleDensity@snouts.online · May 30, 2020, 09:42

**warez-wolfie** @doubleDensity@snouts.online · May 30, 2020, 09:42

May 30, 2020, 09:42

warez-wolfie @doubleDensity@snouts.online

@haskal @f0x with libre/coreboot computers, one is able to decrypt the LUKS volume at boot, then check the kernel and initramfs against a keysig. The LUKS decryption key can be supplied on a USB key, best practice is to use a dump file of /dev/{u}random.

That's the best answer that I've got with my use case.

**warez-wolfie** @doubleDensity@snouts.online · May 30, 2020, 09:48

**warez-wolfie** @doubleDensity@snouts.online · May 30, 2020, 09:48

May 30, 2020, 09:48

warez-wolfie @doubleDensity@snouts.online

@haskal @f0x this would leave one attack vector: someone taking your laptop apart and flashing it via SPI hardware, and then reassembling it for you to log in with

If your threat model includes that scenario, you may have bigger issues. :P

Resources

Developers

What is Mastodon?

pixie.town

More…