Skip to content

Add physical attackers mitigations

Tallero Tallero requested to merge tallero/archiso:crypto-safeboot into master

It adds support for a dongle buildmode so that install drives put on writable storage devices become equivalent to those put on write-once storage devices.

The dongle does not require the base ISO image to be encrypted to serve its purpose.

Despite this, this branch is based on !217 (closed) and include !268 (closed), so that it will be easier to move the kernel and the initramfs partition on an encrypted partition at a later stage (GRUB supports booting from a LUKS partition).

Solves #189 (closed).



It also needs to be merged into mkinitcpio-archiso and cryptsetup-sigfile (AUR) merged into cryptsetup.


Follow upstream branch.

Edited by Tallero Tallero

Merge request reports