Biometric at powerup to unlock LUKS?

Hi Jeff,

thank you for your reply.
I totally agree. It’s a Microsoft monopoly, and with that in the background, it’s actually a miracle how well hardware support in Linux works in general, also for devices that were specifically (maliciously?) built with a Windows-only tunnel vision. It’s great that capable people invest so much time in making basically just any device useful in Linux, thereby cheating hardware manufacturers as well as Microsoft. I love this ecosystem for being just that. So I’m not complaining and hopefully didn’t sound like I would.
I would love to contribute but my skills aren’t sufficient for this. So I can only sit there and wonder how Linux feels so much better than Windows in most cases whereas in some it is really lacking hard. Just wondering as the feature I described exists on the dark side since about 2010, and still nothing similar available for Linux.

As far as I understand it, it works like this. Forgive me if this is completely wrong but there isn’t much documentation about the details of this and I might be much too naive to comprehend it entirely:

  • fingerprints are managed by a desktop application / control panel. It was a custom Lenovo piece of software back in the day. As far as I remember, managing fingerprints was not possible in the BIOS. → this management component would need to be added
  • in case the boot-time authentication was activated, the fingerprint data are not only stored in a safe location inside the OS, but also inside the TPM. This allows fingerprint recognition at all times → if not already done, somebody needs to figure out how to make the key data available through the TPM
  • also depending on the activation of boot-time authentication, the system will shut down but leave the fingerprint scanner on → driver support required for this mode, and the fingerprint hardware probably needs some additions, too (eventually some standby hardware and logic needs to be able to read the fingerprint scanner, and validate its actions, and eventually power on the system)
  • once a finger was detected and validated, the system powers on → hardware support required. In case of a Framework laptop, this means the power button is not pushed but only touched (fingerprint sensor is built into that button), but both might be cleverly combined as well
  • in the pre-logon phase, Windows detects that the TPM authenticated the user already, and forwards to the respective desktop environment → logon routines need to look up data that might have been left in the TPM this way
  • in case the system was powered on normally, the logon screen would appear, and fingerprint recognition would be available for any user who registered their fingers previously. An identified fingerprint would immediately log the respective user in, without the need to pick the account first → all fingerprint data needs to be available before anybody logged in

So there’s a lot of work involved but at least it’s proven to be possible.
Storing the fingerprints and processing fingerprint reader actions might have been provided by the Intel Management Engine (ME) instead of the TPM, I’m not sure. Back in the day the ME appeared like a cool feature. And if this functionality requires that ME be activated, I would rather forget about it entirely.

It is clear that Microsoft sit in their own nest and hardware manufacturers are like the birds who build it. This has become more evident than ever in their random choice of CPUs and mainboard features being supported by, or required for Windows 11. A win-win for them as well as the manufacturers, users being their hostages to bear whatever they inflict on them.
I have deliberately picked a Framework laptop because they claim they love Linux and do their best to support it.
It might be best to talk to them first.

Well, thanks for your input on this. I’ll be patiently waiting.