[DOCUMENTATION NEEDED] [REVIEW NEEDED] feat: implement tpm sealed sshd host keys

[slonkazoid]

this allows one to verify cryptographically that the initramfs has NOT been modified, and prevents attackers from doing a MITM attack or inserting a keylogger into the initramfs. the key can not be read without booting the machine, and if you modify the initramfs, the key wont be released.

this implementation is somewhat sloppy, as i just need it for my desktop and server right now. even though it passes the tests, please review thoroughly before merging.

[gsauthof]

Hm, I don't have any experience with tpm and the sealing of files, thus, I can't review it right now.

Is this something that could live orthogonal to dracut-sshd in a separate dracut module?

[slonkazoid]

possible, but i have precisely 0 experience in writing dracut modules or RPMs

…

On Sun, Jan 5, 2025, 17:23 Georg Sauthoff ***@***.***> wrote: Hm, I don't have any experience with tpm and the sealing of files, thus, I can't review it right now. Is this something that could live orthogonal to dracut-sshd in a separate dracut module? — Reply to this email directly, view it on GitHub <#89 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANT4ZCNOJBXST2H73XPN5WL2JE57FAVCNFSM6AAAAABURZBFB6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNZRGY2DIMBTGA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[slonkazoid]

also, you probably want Wants=network.target in sshd.service @gsauthof

edit: this doesnt work

[slonkazoid]

alright, i got it working in a separate module, and published it on my forgejo. thank you!