Re: GRUB and boot partition

On 26/12/2017 at 11:59, tomas@xxxxxxxxxx wrote:

> The only things which might help against an evil maid attack [1] are:
> secure boot (tying your bootable to secure firmware)

Only if you replace the default keys with your own key in the firmware. Any signed GRUB provided by Ubuntu, RedHat or openSUSE is accepted by UEFI secure boot with the default Microsoft key.

> or carrying
> your boot media (e.g. SD card) with you, be it Grub+crypto, be it
> Grub+kernel+initramfs. Again, not much difference.

As explained in my previous reply, the difference is only in convenience. You need the boot media to be present and writable when updating the kernel, initramfs and GRUB config file if /boot is stored on it. On the other hand, if /boot is stored (and encrypted) on the main disk, you do not need the boot media to be present and writable.
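
Added example, not part of the original message: a check for the Secure Boot point made in the reply, listing which signers the firmware "db" still trusts besides the owner's own key. It assumes input with openssl-style `Subject:` lines, such as the text `mokutil --db` prints; the function names, the owner CN and the sample data are hypothetical.

```shell
#!/bin/sh
# Added example: audit the Subject lines of the certificates enrolled in the
# Secure Boot "db" and report every signer that is not the owner's own key.

# Constructed sample input (not taken from a real machine): a stock db plus
# one owner-enrolled certificate.
sample_db() {
cat <<'EOF'
[key 1]
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
[key 2]
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 3]
        Subject: CN=Example Owner Secure Boot db 2017
EOF
}

# list_db_signers: read certificate text on stdin, print one CN per line.
list_db_signers() {
    sed -n 's|^[[:space:]]*Subject:.*CN[[:space:]]*=[[:space:]]*\([^,/]*\).*$|\1|p'
}

# foreign_signers OWNER_CN: print every CN on stdin that differs from OWNER_CN.
# Exit status 0 = db trusts only the owner key, 1 = other signers are trusted,
# so boot loaders signed under those keys would still be accepted.
foreign_signers() {
    owner_cn=$1
    # grep exits 1 when nothing is left; that is the good case, not an error.
    others=$(list_db_signers | grep -Fxv -- "$owner_cn" || true)
    if [ -z "$others" ]; then
        return 0
    fi
    printf '%s\n' "$others"
    return 1
}

# Stand-alone run on the constructed sample.
sample_db | foreign_signers "Example Owner Secure Boot db 2017" \
    || echo "db still trusts the signers listed above"
```

On a real machine the input would come from the firmware key listing instead of `sample_db`, with the owner CN set to the certificate actually enrolled.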