yubikey-full-disk-encryption
Question: Can I configure it with coreboot-grub and full-disk encryption (also /boot)?
I would like to prevent external evil maid attacks by full-disk encryption (also /boot) and unlock it with yubikey through grub coreboot. Can someone point me in the right direction on how to achieve decrypting /boot with a yubikey? I'm sorry if this post is in the wrong section; I didn't find a discussion tab. Thanks for taking the time.
That would need grub to support ykfde or yubikey in general, which is rather unlikely. Depending on your use case, you may use uki + secure boot instead (storing kernel+initramfs in the efi partition, signed with secure boot keys and executed directly or through systemd-boot, replacing grub usage).
Thank you for answering but I will stick with coreboot/libreboot and try to find a solution adding ykfde to bios chip.
Would you have an idea how to implement ykfde into grub shell?
No, I'm not familiar with grub scripting. Besides ykfde, you would also need yubikey-personalization support, which ykfde depends on, so this is really nontrivial to achieve.
Okay, I found a solution for MY use case which is rather simple and does not require the ykfde tool. What I do is have the partition encrypted with a passphrase that is combined with my own password and a yubikey static password that ends with enter. So when grub prompts for the passphrase, I type in my password and press the button on the yubikey to unlock the partition. Pretty simple yet fairly effective imo. Thank you for answering, Vincent.
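
The combined passphrase described in the last post, enrolled as an extra LUKS keyslot. This is an added example, not code from the thread or from the ykfde project; the function names, the device path and the /dev/shm key file location are assumptions.

```sh
#!/bin/sh
# Added example: enroll "<typed password><YubiKey static password>" as a LUKS
# keyslot. Device path and secrets are placeholders supplied by the caller.

# Write the combined passphrase to a key file with no trailing newline.
# The Enter that the YubiKey sends only submits the prompt; it is not part of
# the passphrase, and cryptsetup treats a newline inside a key file as key data.
build_combined_key() (
    typed=$1
    cr=$(printf '\r')
    token=$(printf '%s' "$2")   # command substitution drops trailing newlines
    token=${token%"$cr"}        # drop a trailing CR if the capture included one
    umask 077                   # key file readable by the owner only
    printf '%s%s' "$typed" "$token" > "$3"
)

# Byte length of the key file, to compare against the expected passphrase length.
key_len() {
    wc -c < "$1" | tr -d ' '
}

# Add the combined passphrase as an additional keyslot (cryptsetup asks for an
# existing passphrase first), then confirm it unlocks without mapping the device.
enroll_combined_key() {
    cryptsetup luksAddKey "$1" "$2" &&
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Usage (run as root, key file on tmpfs, delete afterwards):
#   build_combined_key "$typed_password" "$yubikey_static" /dev/shm/combined.key
#   enroll_combined_key /dev/sdXN /dev/shm/combined.key
#   rm -f /dev/shm/combined.key
```

Keeping the original passphrase in its own keyslot until the combined one has unlocked the disk at the grub prompt avoids a lockout if the two inputs do not concatenate as expected there.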