Hey! I’m currently on Fedora Workstation and I’m getting bored. Nothing in particular. I’ve heard about immutable distros and I’m thinking about Fedora Kinoite. The idea is interesting but idk if it’s worth it. CPU and GPU are AMD. Mostly used for gaming.
I'm not sure what you mean exactly but I use Silverblue with secureboot on and a LUKS encrypted drive using a fido2 key. To my knowledge I also could configure the use of TPM to store my key but find that setup not to my liking.
This summary should cover my main concerns with current secure boot implementations on the major distros. Ignore everything else other the linked part. I also would not want to be forced to use grub as the bootloader.
Curious. What did you not like about using TPM to store keys in your setup? I use TPM for secure state validation & automatic decryption of my LUKS drive, it's great and also acts as a tripwire for secureboot state.
I could build a custom version of Silverblue (u-Blue) to replicate what I already have setup, but none of this would be supported configuration. All this is not entirely to blame on on immutable distros (traditional distros don't give a damn about secure boot either way), just that to mess around within /etc is a no-no in such a model so to get multiple pre-configured options for secureboot configs/keys that work seamlessly would be a great experience for me.
My (maybe flawed?) thoughts: Why bother with full disk encryption if one could just boot the notebook to undo the encryption?
Using my yubico fido 2 key in combination with a small PIN I can easily decrypt my LUKS drive and know nobody else can decrypt it as long as I have my yubico with me.
What do you think of this?
If it were that easy to do, we wouldn't have even bothered with doing disk encryption in the first place. And it's not like cracking TPMs is a walk in the park.
This definitely could help in a scenario where an attacker has only your notebook but for it to make a difference your attacker must not be able to access your Yubikey and/or compel you to hand it over.
As long as your LUKS drive is encrypted (TPM or not, Yubikey or not), you are relatively safe from an unauthorized party trying to access your data. Either of these attestation tools add a layer of defense for your encrypted drive.