I have some things working
done
encrypted root
personal vault
todo
fix numlock light
librem key
yubikey
smartcard encrypted root or tpm
smartcard gdm/sddm
smartcard pam
tpm unlock luks2 root
secure boot is turned on, which boots only signed fedora kernels. the tpm is used to unlock the root partition. since my uefi setup is password protected and the tpm shouldn't allow anyone access to the private key used for unlocking, i am reasonably safe from attack but not completely.
fedora and ubuntu (debian etc) linux use a ram filesystem loaded with the kernel (the initrd) to boot. the initrd is customized for the local system and cannot be signed with the factory-shipped (microsoft) keys for secure boot. an attacker could replace the initrd on my machine if they get physical access.
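a check to go with the initrd caveat above, added here as an example and not part of the original notes: hash the initramfs images under /boot once from a trusted state and compare against that baseline later, so a modified, removed or added image is at least noticed. it assumes fedora's initramfs-<version>.img naming and GNU coreutils (sha256sum, cut, grep).

```shell
#!/bin/sh
# Added example, not part of the original notes: record the SHA-256 of every
# initramfs image in a boot directory and check later that none was modified,
# removed or added, so a swapped initrd (the risk described above) is noticed.
# Assumptions: Fedora-style names (initramfs-<version>.img), GNU sha256sum.
# Run as root against /boot and keep the baseline where a local attacker
# cannot rewrite it (removable media, another host); otherwise the check is moot.

initrd_baseline() {
  # $1 = boot directory, $2 = baseline file to write ("<hash>  <path>" lines)
  bootdir="$1"; baseline="$2"
  : > "$baseline"
  for img in "$bootdir"/initramfs-*.img; do
    if [ -f "$img" ]; then
      sha256sum "$img" >> "$baseline"
    fi
  done
  return 0
}

initrd_verify() {
  # $1 = boot directory, $2 = baseline file; returns 0 only if the current
  # set of images matches the baseline exactly. Offenders go to stderr.
  bootdir="$1"; baseline="$2"; rc=0
  # Every recorded image must still hash the same (catches modified/removed).
  if ! sha256sum --check --quiet "$baseline" >&2; then
    rc=1
  fi
  # Any image present now but absent from the baseline is also a change.
  # sha256sum lines are "<64 hex chars><2 spaces><path>", so the path starts
  # at column 67.
  for img in "$bootdir"/initramfs-*.img; do
    [ -f "$img" ] || continue
    if ! cut -c67- "$baseline" | grep -qxF -e "$img"; then
      echo "not in baseline: $img" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Typical use (paths are placeholders):
#   initrd_baseline /boot /mnt/usb/initrd.sha256   # once, after a trusted update
#   initrd_verify   /boot /mnt/usb/initrd.sha256   # before trusting the machine
```

remember the baseline must be refreshed after every legitimate kernel or dracut update, or the check will flag the new image.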
sssd setup for librem smartcard
install packages
sudo dnf install sssd-tools pcsc-lite pcsc-lite-ccid opensc pcsc-tools p11-kit
next create sssd config
sudo tee /etc/sssd/sssd.conf <<EOF
[sssd]
services = nss, pam
domains = local
[pam]
pam_cert_auth = True
[domain/local]
id_provider = proxy
proxy_lib_name = files
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
access_provider = permit
EOF
# Set required strict permissions
sudo chmod 600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
sudo restorecon -v /etc/sssd/sssd.conf
# Restart the service to apply changes
sudo systemctl restart sssd
sudo chown -R sssd:sssd /var/log/sssd/
sudo chmod 750 /var/log/sssd/
yubikey
sudo dnf install pam-u2f pamu2fcfg yubikey-manager
i want a pin prompt
ykman fido access change-pin
mkdir -p ~/.config/Yubico
pamu2fcfg --pin-verification > ~/.config/Yubico/u2f_keys