Re: GRUB and boot partition
- Date: Tue, 26 Dec 2017 11:59:18 +0100
- From: <tomas@xxxxxxxxxx>
- Subject: Re: GRUB and boot partition
On Tue, Dec 26, 2017 at 01:47:23PM +0300, Reco wrote:
> On Tue, Dec 26, 2017 at 11:36:13AM +0100, tomas@xxxxxxxxxx wrote:
> > On Tue, Dec 26, 2017 at 10:42:46AM +0100, Pascal Hambourg wrote:
> > > On 26/12/2017 at 02:47, microsoft gaofei wrote:
> > > >https://wiki.archlinux.org/index.php/GRUB#Boot_partition
> > > >ArchWiki has carried an introduction of GRUB, it offers a feature to decrypt your partitions and you don't need to separate /boot. Debian also uses GRUB as its boot loader, but Debian still separates /boot partition and leaves it unencrypted
> > [...]
> > > Note however that in any case, the early part of GRUB cannot be
> > > encrypted [...]
> > Is there any inherent advantage to having /boot encrypted?
> Presumably it should help with scenario such as .
I don't see that: there must be an unencrypted bit at the beginning
to boot and ask for the passphrase. Whether it's Grub's first stage
(plus a bit) or it's a kernel plus initramfs, actually, shouldn't
make a difference.
The only things which might help against an evil maid attack are:
secure boot (tying your bootable to secure firmware), or carrying
your boot media (e.g. SD card) with you, be it Grub+crypto, be it
Grub+kernel+initramfs. Again, not much difference.
> But, as  shows us, the protection that's offered by encrypted boot is
> incomplete as it relies on the fact that the bootloader (GRUB) was not
Seems we are in violent agreement, then :-)
I'm not really happy about the path the bootloader has taken, having to
understand different file systems, having a module system, etc.
Given the games we've seen Intel play with their Management
Engine lately... would you trust them with that secure boot
thing? I know I wouldn't. And no, AMD ain't better.
-- tomás