Hi there,
I have bought a Lenovo Legion Go which I would like to use with Jovian NixOS, FDE and Lanzaboote.
The device does not have a keyboard, though.
Therefore I want to use unl0kr to get an on-screen keyboard for entering the LUKS password. But sadly the options for unl0kr only work with systemd-boot, not lanzaboote. Now I am stuck on how I could combine unl0kr with lanzaboote to achieve Secure Boot + FDE for this tablet device.
Any help appreciated!
Seeing how lanzaboote uses systemd-boot as its backend, I don’t see any reason this couldn’t work. The main issue is getting the module to work with lanzaboote, which maybe the lanzaboote folks have better input on. It does seem like something useful to provide in lanzaboote or upstream to unl0kr nixpkgs.
In the meantime, if you've got a YubiKey, I'd enroll that instead. Or if you want you can use TPM unlock as a stopgap so you can easily switch to password or password+TPM when you get the on-screen keyboard working. Last time I did this, TPM and YubiKey/FIDO2 decrypt on lanzaboote was pretty much exactly the same as on Arch Linux with cryptsetup.
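For reference, the kind of configuration the reply above describes, written out as an added example (this is not code from the thread, from lanzaboote or from the unl0kr module). It assumes the LUKS volume is addressed by a placeholder UUID that you replace with your own, that lanzaboote's PKI bundle was created with sbctl under /etc/secureboot as in the lanzaboote quick start, and that the root mapping is named "cryptroot"; the enrollment commands are only shown in comments and are meant to be run once from the installed system.

```nix
# Added example, not from the original thread. Placeholders: the LUKS UUID
# below and the "cryptroot" mapping name are assumptions to be replaced.
{ config, lib, pkgs, ... }:
{
  # lanzaboote takes over from the stock systemd-boot module, which must be
  # forced off so the two do not both try to manage the ESP.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/etc/secureboot";   # assumption: keys created with `sbctl create-keys`
  };

  # TPM2 / FIDO2 unlock is handled by systemd-cryptsetup, so the systemd
  # stage-1 is required instead of the scripted initrd.
  boot.initrd.systemd.enable = true;

  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID";  # placeholder
    # Try the TPM2 first; systemd-cryptsetup falls back to asking for the
    # passphrase if the TPM policy no longer matches (e.g. after a firmware
    # change or a Secure Boot key change, which alters PCR 7).
    crypttabExtraOpts = [ "tpm2-device=auto" ];
    # For a hardware token instead, or in addition, use:
    # crypttabExtraOpts = [ "tpm2-device=auto" "fido2-device=auto" ];
  };

  # One-time enrollment, run after the system boots with the passphrase
  # (not part of the Nix evaluation; shown here only as a reminder):
  #
  #   # TPM2, bound to PCR 7 (Secure Boot state), which is what lanzaboote
  #   # signed images keep stable across ordinary rebuilds:
  #   sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 \
  #        /dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID
  #
  #   # FIDO2 token (YubiKey etc.):
  #   sudo systemd-cryptenroll --fido2-device=auto \
  #        /dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID
  #
  #   # Inspect / revoke slots later:
  #   sudo systemd-cryptenroll /dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID
  #   sudo systemd-cryptenroll --wipe-slot=tpm2 /dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID
}
```

One caveat worth keeping in mind with the TPM-only stopgap on a device without a keyboard: a TPM2 slot bound to PCR 7 alone means the disk is unlocked for whoever powers the device on while the firmware and Secure Boot state are unchanged, so it protects against the drive being pulled and read elsewhere, not against someone booting the tablet itself. Keep the passphrase slot enrolled so the TPM slot can be wiped and re-enrolled, and so the fallback prompt still works once the on-screen keyboard is available.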
Hi, thanks for your reply.
For reference I’ve found that the unl0kr module works fine with lanzaboote after I copied its sources to my configuration and removed the assertion.
But my device hangs on boot afterwards because of an i2c_designware kernel error in stage 1. Therefore, I'll stick to TPM unlock for now.