> But that is exactly the script I see as a problem: grab it off the GitHub, add to unencrypted root partition with some pointer to execute it and you successfully read keys needed for decryption.

that's why you need to combine it with secure-boot, so only a correctly signed /boot partition can boot
then unauthorized changes like that just never run
> > for the pi5, the comments claim it goes into a proper secure key store, but i haven't been able to verify anything on how secure it is
>
> The script says "IMPORTANT: Raspberry Pi 5 and earlier revisions do not have a hardware secure key store." though?

on re-reading that, yeah, it's basically saying every model lacks a secure key store
so why did they even bother mentioning the 5??
why mention secure key store at all??
Statistics: Posted by cleverca22 — Thu May 23, 2024 10:53 pm