Re: GRUB and boot partition
- Date: Tue, 26 Dec 2017 14:24:24 +0100
- From: Pascal Hambourg <pascal@xxxxxxxxxxxxxxx>
- Subject: Re: GRUB and boot partition
On 26/12/2017 at 13:58, Reco wrote:
On Tue, Dec 26, 2017 at 11:59:18AM +0100, tomas@xxxxxxxxxx wrote:
Is there any inherent advantage to having /boot encrypted?
The only things which might help against an evil maid attack are:
secure boot (tying your bootable to secure firmware),
Restricted Boot (let's call the thing the way it should be called from
the start) could've solved this problem *if* it would be possible to
force it to verify the bootloader (or the kernel) signed with *user*
I read that some UEFI implementations allow the user to manage secure
boot keys. Carefully choose your hardware.
Oh, by the way I forgot twice to mention another situation when an
encrypted /boot would provide an advantage: when the machine has a
platform firmware which supports LUKS encryption, such as CoreBoot, then
the on-disk boot components could be entirely encrypted.