
Re: GRUB and boot partition




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Dec 26, 2017 at 12:10:52PM +0100, Pascal Hambourg wrote:
> On 26/12/2017 at 11:36, tomas@xxxxxxxxxx wrote:
> >
> >On Tue, Dec 26, 2017 at 10:42:46AM +0100, Pascal Hambourg wrote:
> >>Note however that in any case, the early part of GRUB cannot be
> >>encrypted [...]
> >
> >Is there any inherent advantage to having /boot encrypted?
> 
> I can imagine a few situations.
> 
> - When you can enforce the early stage of GRUB integrity by storing
> it on removable or read-only boot media, checking it with trusted
> computing, TPM...
> You could extend this to the whole /boot directory contents instead
> of encrypting it but parts of it such as the kernel image, initramfs
> and grub.cfg change quite often, while GRUB itself seldom changes.
> An alternative to /boot encryption is to sign its contents so that
> GRUB early stage can check the files when loading them.
> 
> - When you need to store sensitive data in /boot, such as
> passphrases for other encrypted volumes.

In the days you measure (small) external media in gigabytes, this
argument has lost a lot of push. My whole boot at the moment is
37M, the smallest SD card I can come up with at home is 256M, and we
kicked it out of our point-n-shoot camera because... 4G.

But yes, on some specialized hardware that might make a difference.
FWIW, /boot/grub is 9.1M (yikes! didn't I say I don't like how fat
the boot loader has become? How long until it needs dbus?), which
is an upper bound to the size of grub's "non-unencrypted" part
(dunno by how much).

Small embedded systems tend to have syslinux, though, or whatever
else you use on Arm ;-P

Cheers
- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlpCMYMACgkQBcgs9XrR2kYfNQCeLOeymSZxg4nghp+aEzUfmogJ
7HcAniw/ih+7TlWk5aNP21UQeJemAKoH
=Fvh7
-----END PGP SIGNATURE-----