Arch Linux

bananabrain

Member

From: England

Registered: 2010-05-07

Posts: 78

Remote system unlocking using TinySSH

Evening,

I've been trying to configure remote unlocking of a luks encrypted machine running netconf and tinyssh hooks as described here:

https://wiki.archlinux.org/index.php/Dm … yssh,_ppp)

The machine has a single SSD...

# gdisk -l /dev/nvme0n1

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         2099199   1024.0 MiB  EF00  
   2         2099200       500118158   237.5 GiB   8309

Partition 1 is the efi system partition mounted at /boot.
Partition 2 is an lvm container...

# pvs
  PV              VG  Fmt  Attr PSize    PFree
  /dev/mapper/lvm vg0 lvm2 a--  <237.46g    0

# vgs
  VG  #PV #LV #SN Attr   VSize    VFree
  vg0   1   3   0 wz--n- <237.46g    0

# lvs
  LV    VG  Attr       LSize    Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  home  vg0 -wi-ao---- <209.46g                                                    
  root  vg0 -wi-ao----   20.00g                                                    
  swap  vg0 -wi-ao----    8.00g

No boot loader. Machine boots directly through efistub.
Boot line written to efi firmware like this...

efibootmgr -d /dev/nvme0n1 -p 1 -c -L "arch-zen" -l /vmlinuz-linux-zen -u "cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:lvm root=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx rw initrd=/intel-ucode.img initrd=/initramfs-linux-zen.img net.ifnames=0"

My question is about how to configure the pre-boot network interface.

Is it enough just to stick...

ip=:::::eth0:dhcp

...onto the end of that efibootmgr line?

Normally I just experiment with these things but I don't fancy struggling to recover an unbootable system.

Also, there seems to be a bit of missing information regarding tinyssh. Where do the public keys go? Wiki implies ~/.ssh/, tinyssh site says /etc/tinyssh/root_key. Confused.

Thanks for any advice offered.

Phil

Last edited by bananabrain (2020-11-16 04:21:56)