From 11bd572adf4a861e4c42123c2dadbacd3349af93 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Tue, 23 Dec 2014 18:25:17 +0100 Subject: support updating the challenge on boot --- README.md | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 6f47e94..2380003 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,7 @@ To compile and use yubico full disk encryption you need: * [mkinitcpio](https://projects.archlinux.org/mkinitcpio.git/) (Though it may be easy to port this to any initramfs that uses systemd) * [markdown](http://daringfireball.net/projects/markdown/) (HTML documentation) +* [libarchive](http://www.libarchive.org/) (Update challenge on boot) Additionally it is expected to have `make` and `pkg-config` around to successfully compile. 
@@ -64,24 +65,36 @@ After that run: > ykfde This will store a challenge in `/etc/ykfde.d/` and add a new slot to -your LUKS device. Last add `ykfde` to your hook list in -`/etc/mkinitcpio.conf` and rebuild your initramfs with: +your LUKS device. Now you have two choices: + +### `ykfde` hook + +Last add `ykfde` to your hook list in `/etc/mkinitcpio.conf` and rebuild +your initramfs with: > mkinitcpio -p linux Reboot and have fun! +### `ykfde-cpio` hook + +Add `ykfde-cpio` to your hook list in `/etc/mkinitcpio.conf` and rebuild +your initramfs with: + +> mkinitcpio -p linux + +Additionally enable `systemd` service `ykfde-cpio.service` and make your +bootloader load the new `cpio` image `/boot/ykfde-challenges.img` (in +addition to your usual initramfs). + +Reboot and have fun! + Limitation / TODO ----------------- * At the moment this is specific to Arch Linux. Though everything should run with upstream `systemd` just fine anybody has to hook things up with [dracut](https://dracut.wiki.kernel.org/) or whatever. -* The challenge is not updated on boot. The file is accessible read only in - initramfs, but we have no easy way to write it to persistant storage. - So probably this is a design limitation... However the install hook does - update the challenge when building a new initramfs and and Yubikey is - inserted. ### Upstream -- cgit v1.2.3-54-g00ecf
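Review bot: In the first hunk (the requirements list), the new `libarchive` entry sits under "To compile and use yubico full disk encryption you need:" without saying whether it is required for every build or only for the new `ykfde-cpio` path. The "(Update challenge on boot)" note hints that it is optional, but the README does not say how to build without it. Either state that it is mandatory, or mark it as optional and name the hook that depends on it, for example "(only needed for the `ykfde-cpio` hook)".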
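Review bot: In the second hunk, the new `ykfde-cpio` hook section never says how it differs from the `ykfde` hook or what `ykfde-cpio.service` does. A reader facing "Now you have two choices:" has to infer from the commit subject and the removed TODO bullet that this is the variant that updates the challenge on boot. Add one sentence under each heading stating the trade-off. Also say what `/boot/ykfde-challenges.img` contains and which permissions it should have, since the file lives outside the regular initramfs and the bootloader has to load it separately. An example bootloader entry showing both images would help as well, because "in addition to your usual initramfs" leaves the load order open. A smaller point: "Last add `ykfde`" reads oddly now that it follows "two choices", and "Reboot and have fun!" appears twice.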