Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://chaos.social/users/agowa338/statuses/114637021389764412">Klaus Frank (agowa338@chaos.social)'s status on Thursday, 12-Jun-2025 04:07:39 JST</a><a href="https://chaos.social/@agowa338" title="agowa338@chaos.social"><img src="https://gnusocial.jp/avatar/161170-48-20240513030312.webp" width="48" height="48" alt="Klaus Frank" style="position: absolute; left: 0; top: 0;">Klaus Frank</a><div><a href="https://chaos.social/@agowa338/114636960606729291" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/121283" title="bluca@fosstodon.org">bluca</a></li><li><a href="https://gnusocial.jp/user/252638" title="siosm@floss.social">Timothée Ravier</a></li></ul></div></section><article><p><a href="https://fosstodon.org/@bluca">@bluca</a> <a href="https://mastodon.social/@pid_eins">@pid_eins</a> <a href="https://floss.social/@siosm">@siosm</a> <br>In my case these keys are solely protected by the fact that you have to have booted at least once to have the TPM release the key to decrypt the drive.</p><p>The only thread vector that is still valid considering the actual intended audience is how one would ensure against an attacker with root access permissions enrolling their own signing keys, patching the kernel, and re-signing it. But that probably only applies to expert users configurations only anyway...</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/5185703#notice-10172335">In conversation</a><time datetime="2025-06-12T04:07:39+09:00" title="Thursday, 12-Jun-2025 04:07:39 JST">about 12 days ago</time> <span>from <span><a href="https://gnusocial.jp/notice/10172335" rel="external" title="Sent from gnusocial.jp via ActivityPub">gnusocial.jp</a></span></span><a href="https://gnusocial.jp/notice/10172335">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Klaus Frank (agowa338@chaos.social)'s status on Thursday, 12-Jun-2025 04:07:39 JSTKlaus Frank
in reply to
@bluca @pid_eins @siosm
In my case these keys are solely protected by the fact that you have to have booted at least once to have the TPM release the key to decrypt the drive.
The only thread vector that is still valid considering the actual intended audience is how one would ensure against an attacker with root access permissions enrolling their own signing keys, patching the kernel, and re-signing it. But that probably only applies to expert users configurations only anyway...
In conversationabout 12 days ago from gnusocial.jppermalink

Public

Embed Notice

HTML Code

Corresponding Notice