You didn't hear me. That's why you need to combine it with secure-boot, so only a correctly signed /boot partition can boot
then unauthorized changes like that just never run
Imagine a setup: a Raspberry Pi, with secure boot enabled and configured, and with an encrypted partition, BUT the root partition is unencrypted.
There are plenty of scripts to edit there, or even add your own; it isn't hard to add a systemd unit using only access to a root partition that is not booted.
So, all one needs to do for dumping all the keys from OTP onto that unencrypted root partition is to execute this command:
Code:
vcmailbox otp-dump > /all_keys.txt
On another note, this is off-topic. My question is how to actually use OTP, preferably without manually written scripts and with configuration for cryptsetup.
Statistics: Posted by Karakurt — Fri May 24, 2024 5:27 am