Re: GRUB and boot partition
- Date: Tue, 26 Dec 2017 12:26:35 +0100
- From: Pascal Hambourg <pascal@xxxxxxxxxxxxxxx>
- Subject: Re: GRUB and boot partition
On 26/12/2017 at 11:59, tomas@xxxxxxxxxx wrote:
The only things which might help against an evil maid attack are:
secure boot (tying your bootable to secure firmware)
Only if you replace the default keys with your own key in the firmware.
Any signed GRUB provided by Ubuntu, RedHat or openSUSE is accepted by
UEFI secure boot with the default Microsoft key.
your boot media (e.g. SD card) with you, be it Grub+crypto, be it
Grub+kernel+initramfs. Again, not much difference.
As explained in my previous reply, the difference is only in
convenience. You need the boot media to be present and writable when
updating the kernel, initramfs and GRUB config file if
/boot is stored on it. On the other hand, if /boot is stored (and
encrypted) on the main disk, you do not need the boot media to be
present and writable.
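As an added illustration of Pascal's point about the default keys (this example is not part of the thread and is not Debian's, GRUB's or any distribution's code): the Secure Boot `db` variable is a sequence of EFI_SIGNATURE_LIST structures as laid out in the UEFI specification, so an owner who has enrolled only their own key can parse it and flag every certificate or hash that is not on their own allow-list. The parser and the allow-list check are written here from the spec layout; the sample db, the owner GUIDs, the stand-in certificate bytes and the allow-list are all constructed for the example and are not real Microsoft or distribution certificates. The `load_efivar` helper and the efivarfs path in the usage note are the only parts meant for a real machine.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType (EFI_GUID, mixed-endian on disk),
# SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32, little-endian).
SIGLIST_HDR = struct.Struct("<16sIII")


def parse_signature_db(blob):
    """Parse a raw db/dbx image (efivarfs attribute prefix already stripped)
    into (signature_type, owner_guid, payload) tuples, one per EFI_SIGNATURE_DATA."""
    entries = []
    off = 0
    while off < len(blob):
        if off + SIGLIST_HDR.size > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("corrupt SignatureListSize at offset %d" % off)
        if sig_size < 16:  # each EFI_SIGNATURE_DATA starts with a 16-byte owner GUID
            raise ValueError("SignatureSize too small at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        body = blob[off + SIGLIST_HDR.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature data not a multiple of SignatureSize at %d" % off)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=bytes(body[i:i + 16]))
            entries.append((sig_type, owner, bytes(body[i + 16:i + sig_size])))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST (no header bytes); payloads must be equal length."""
    sig_size = 16 + len(payloads[0])
    assert all(len(p) + 16 == sig_size for p in payloads)
    data = b"".join(owner.bytes_le + p for p in payloads)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(data), 0, sig_size) + data


def audit_db(entries, allowed):
    """Return a finding for every entry whose identifier (SHA-256 of the DER
    certificate, or the stored binary hash itself, as lowercase hex) is not in
    the owner's allow-list. On a machine that should trust only its owner's
    key, any finding means a default or vendor entry is still enrolled."""
    findings = []
    for sig_type, owner, data in entries:
        if sig_type == EFI_CERT_X509_GUID:
            ident = hashlib.sha256(data).hexdigest()
            label = "X.509 certificate sha256=%s" % ident
        elif sig_type == EFI_CERT_SHA256_GUID:
            ident = data.hex()
            label = "binary hash %s" % ident
        else:
            findings.append("unknown signature type %s (owner %s)" % (sig_type, owner))
            continue
        if ident not in allowed:
            findings.append("unexpected %s (owner %s)" % (label, owner))
    return findings


def load_efivar(path):
    """Read a variable from efivarfs and strip its 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample data (placeholders, not real certificates or GUIDs):
OWN_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")     # the machine owner
VENDOR_GUID = uuid.UUID("99999999-8888-7777-6666-555555555555")  # a default vendor key owner
OWN_CERT_DER = b"\x30\x82\x01\x00" + b"A" * 60      # stand-in for the owner's certificate
VENDOR_CERT_DER = b"\x30\x82\x02\x00" + b"B" * 80   # stand-in for a default vendor certificate
OWN_BINARY_HASH = hashlib.sha256(b"constructed bootloader image").digest()
VENDOR_CERT_FP = hashlib.sha256(VENDOR_CERT_DER).hexdigest()

SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, OWN_GUID, [OWN_CERT_DER])
    + build_signature_list(EFI_CERT_X509_GUID, VENDOR_GUID, [VENDOR_CERT_DER])
    + build_signature_list(EFI_CERT_SHA256_GUID, OWN_GUID, [OWN_BINARY_HASH])
)
# The owner's allow-list: their own certificate and one explicitly trusted binary hash.
ALLOW_LIST = {hashlib.sha256(OWN_CERT_DER).hexdigest(), OWN_BINARY_HASH.hex()}

if __name__ == "__main__":
    for finding in audit_db(parse_signature_db(SAMPLE_DB), ALLOW_LIST):
        print(finding)
```

On a real system the same check runs against the live variable, for example `audit_db(parse_signature_db(load_efivar("/sys/firmware/efi/efivars/db-d719b2cb-3a3e-4366-a6be-ca6bf1e34ac8")), ALLOW_LIST)` with the allow-list filled from the fingerprints of the certificates you enrolled yourself; the hash allow-list is compared as hex because the db stores raw SHA-256 digests, and certificates are identified by the digest of their DER bytes so no X.509 parser is needed.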