Could link it to a YubiKey via pam.d so you need a finger press to authenticate.

Physical attestations are hard to solve; I think it would be nice if all TPMs in laptops had this. Then the problem becomes how you automate stuff that needs to be done.

And then the moment you authenticate, the fake sudo still executes its payload.
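One way to check for the shadowed-sudo situation described in this comment is to ask which executable named "sudo" a shell would actually run, given its PATH. This is an added example, not code from anyone in the thread; the directory layout it builds is constructed in a temp dir and the trusted path passed to `sudo_is_trusted` is an assumption for the demo.

```shell
#!/bin/sh
# Added example: does the "sudo" a shell would run resolve to the trusted
# system binary, or to something earlier on PATH (e.g. a user-writable dir)?
# All paths below are constructed for the demo, not taken from a real host.

# Print the first executable named $1 found on the colon-separated PATH $2.
resolve_in_path() {
  name=$1
  old_ifs=$IFS
  IFS=:
  set -- $2          # split the PATH string on ':' into positional parameters
  IFS=$old_ifs
  for dir in "$@"; do
    if [ -x "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
      return 0
    fi
  done
  return 1
}

# Succeed only when the sudo found first on PATH $2 is exactly $1 (assumed trusted path).
sudo_is_trusted() {
  expected=$1
  found=$(resolve_in_path sudo "$2") || return 1
  [ "$found" = "$expected" ]
}

# Build a throwaway layout: a "system" dir holding the trusted sudo and a
# user-writable dir holding a shadowing copy. Prints the base dir.
make_demo_layout() {
  base=$(mktemp -d)
  mkdir -p "$base/sys" "$base/userbin"
  printf '#!/bin/sh\necho real-sudo\n' > "$base/sys/sudo"
  printf '#!/bin/sh\necho shadow-sudo\n' > "$base/userbin/sudo"
  chmod +x "$base/sys/sudo" "$base/userbin/sudo"
  printf '%s\n' "$base"
}

demo=$(make_demo_layout)
# With the user dir first on PATH the shadowing copy wins, so the check fails.
if sudo_is_trusted "$demo/sys/sudo" "$demo/userbin:$demo/sys"; then
  echo "sudo resolves to the trusted binary"
else
  echo "WARNING: sudo resolves to $(resolve_in_path sudo "$demo/userbin:$demo/sys")"
fi
rm -rf "$demo"
```

In an interactive shell, `command -V sudo` additionally reveals an alias or shell function shadowing the binary, which a PATH walk like this cannot see.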

YubiKeys do not fix this issue.