Re: Read-protected UEFI variables

From: MÃshe van der Sterre
Date: Wed Feb 14 2018 - 13:25:52 EST

Next message: Kirill A. Shutemov: "[PATCH 8/9] x86/mm: Replace compile-time checks for 5-level with runtime-time"
Previous message: Dominik Brodowski: "[RFC PATCH 2/4] x86/entry/64: move ENTER_IRQ_STACK from interrupt macro to helper function"
In reply to: Benjamin Drung: "Re: Read-protected UEFI variables"
Next in thread: Benjamin Drung: "Re: Read-protected UEFI variables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 02/14/2018 02:21 PM, Benjamin Drung wrote:
> If the UEFI is as secure as storing an unencrypted file on a hard
> drive, I am satisfied. Or do you have a better idea where to store the
> SSH keys for a diskless system that boots via network?
I assume it would be best to use TPM for this (if your systems have TPM chips), it is designed for use-cases like this. Searching for "tpm ssh keys" gives a decent amount of results. Mostly targeted at user keys instead of server keys, so this might need some tinkering to get working.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Next message: Kirill A. Shutemov: "[PATCH 8/9] x86/mm: Replace compile-time checks for 5-level with runtime-time"
Previous message: Dominik Brodowski: "[RFC PATCH 2/4] x86/entry/64: move ENTER_IRQ_STACK from interrupt macro to helper function"
In reply to: Benjamin Drung: "Re: Read-protected UEFI variables"
Next in thread: Benjamin Drung: "Re: Read-protected UEFI variables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]