mortar
linux-secureboot-kit
mortar | linux-secureboot-kit | |
---|---|---|
17 | 1 | |
208 | 66 | |
- | - | |
5.9 | 0.3 | |
5 months ago | over 3 years ago | |
Shell | Shell | |
GNU General Public License v3.0 only | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
mortar
-
WTF is a KDF? A startling revelation from a French prison
Bruteforce of such random password is just not plausible and talks about KDF "weakness" is just a distraction. I think most likely it was evil maid attack.
Here are projects which try to mitigate some of evil maid attack risks:
https://github.com/noahbliss/mortar
https://safeboot.dev/
-
Installation with full-disk, two-factor encryption, secure boot, and TPM
Secure boot and TPM support (à la Mortar: https://github.com/noahbliss/mortar)
-
Complying with the future: Secure Boot and TPM unclocking
There are tools that look to be able to automate it: https://github.com/noahbliss/mortar/blob/master/docs/proxmox-install.md
-
Prevent backup of vTPM2.0 state?
I just went through the process of setting up new ubuntu VM's using full root disk LUKS encryption and auto-unlock via Proxmox's vTPM2.0 and UEFI ( via this extremely helpful resource https://github.com/noahbliss/mortar )
-
tpm2 + luks + ubuntu 18 setup?
I have used this project with Debian+proxmox and it's been working great. https://github.com/noahbliss/mortar but I did read the arch wiki a bit which helped my understanding.
-
What do you don't like about Linux? What is Windows doing better?
There's a project called "mortar" (as in, gluing all these bricks together) that was attempting to simplify this. Though it's lost steam, reading through it's simple bash scripts was a great place to start for me. This guide for Fedora also helped a lot.
-
Authenticated Boot and Disk Encryption on Linux
There have been a number of attempts to solve this problem, but the most complete appear to be Mortar (a project I head) and safeboot.dev
I highly recommend taking a look at either of these projects if you want be able to improve both your convenience through auto unlocking, and security through broadened scope of audit.
https://github.com/noahbliss/mortar
https://safeboot.dev
-
Best Evil Maid prototcol for Linux?
Check out mortar. It uses secure boot and TPM along with LUKS. The creator is super helpful and available on the telegram.
-
Mount encrypted volume at boot?
A more advanced approach would be something like mortar to chain-load signed stuff.
-
Will Proxmox be able to run Windows 11?
There seems to be a workable solution out there for 2.0: https://github.com/noahbliss/mortar/blob/master/docs/proxmox-install.md
linux-secureboot-kit
-
Linux-native TPM-backed Bitlocker
u/Richard__M I am not sure how much you've dug into the architecture of Mortar, but TL;DR it bypasses grub entirely. A friend of mine developed Snawoot/linux-secureboot-kit which leverages grub's GPG capabilities to essentially daisy-chain trust and accomplish the same thing, but ran into frustrations with broken implementations of the feature with some distributions (*ahem* debian). In my opinion, chaining trust also introduces complexity which case lead to security vulnerabilities both from the software being chained, and through "oops" coding trying to get them to play nicely.
What are some alternatives?
sbctl - :computer: :lock: :key: Secure Boot key manager
clevis - Automated Encryption Framework
swtpm - Libtpms-based TPM emulator with socket, character device, and Linux CUSE interface.
safeboot - Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support
TrustedGRUB2 - DEPRECATED TPM enabled GRUB2 Bootloader
solo1 - Solo 1 firmware in C
EMBA - EMBA - The firmware security analyzer
qubes-antievilmaid - Qubes component: antievilmaid
better-initramfs - Small and reliable initramfs solution supporting (remote) rescue shell, lvm, dmcrypt luks, software raid, tuxonice, uswsusp and more.
mkinitcpio - Arch Linux initramfs generation tools (read-only mirror)