mortar
mortar copied to clipboard
noahbliss
Framework to join Linux's physical security bricks.
By default mortar uses PCRs 1 and 7, but there are some other important PCRs which should get used if handled properly by the BIOS/UEFI. There's just a short note...
I have adapted mortar to be able to decrypt two devices for a dm-raid/btrfs configuration. This is just a proof of concept. I'm running Debian on some older PC with...
Note to self to investigate using the `shred` command if the system has it when we are performing the step 3 stage. Practical risk of not using shred should be...
Debian's Live Installer has changed the way Debian interacts with LUKS volumes. Manjaro similarly uses this technique. It configures the system with an encrypted boot volume and uses Grub to...
Note to self that the community seems to be deprecating sbsign for pesign.
Hello, Is it possible to use a similar structure to support [sedutil](https://github.com/Drive-Trust-Alliance/sedutil) of LUKS? For example, leave ESP partition read-only and unecrypted, and store password required to decrypt locking range...
https://github.com/noahbliss/mortar/blob/452eff8c8dadf84fb94fede6c003e0bb62b4bd4f/3-tpm2clevis-prepluksandinstallhooks.sh#L52 On first run, there is no old key to wipe, this causes cryptsetup to panic. This does not hinder the remaining execution of the script or cause practical malfunction,...
Seems to be required at least for Debian 12 presently or mortar gives errors (unfortunately did not log them, will try to get them when I provision another one for...
I was having issues auto provisioning Secure Boot keys on a debian system using the script, so I tried to manually provision the PK etc. that the script has generated....
Upon failing to write Secure Boot keys, the `2-installsecurebootkeys.sh` script tries to print what it failed to install but instead shows nothing. Test System: - Debian 11, clean install from...