Re: GRUB and boot partition
- Date: Tue, 26 Dec 2017 16:43:44 +0300
- From: Reco <recoverym4n@xxxxxxxxx>
- Subject: Re: GRUB and boot partition
On Tue, Dec 26, 2017 at 02:24:24PM +0100, Pascal Hambourg wrote:
> On 26/12/2017 at 13:58, Reco wrote:
> > On Tue, Dec 26, 2017 at 11:59:18AM +0100, tomas@xxxxxxxxxx wrote:
> > > > >
> > > > > Is there any inherent advantage to having /boot encrypted?
> > > The only things which might help against an evil maid attack are:
> > > secure boot (tying your bootable to secure firmware),
> > Restricted Boot (let's call the thing the way it should be called from
> > the start) could've solved this problem *if* it would be possible to
> > force it to verify the bootloader (or the kernel) signed with *user*
> > key.
> I read that some UEFI implementations allow the user to manage secure boot
> keys. Carefully choose your hardware.
I'd use the term 'elusive' to describe that kind of UEFI implementation.
Everything that can be bought here (I'm talking about x86 consumer-grade
hardware, of course) respects MSFT signing key only. If you're lucky,
your hardware has CSM (aka BIOS emulation mode).
> Oh, by the way I forgot twice to mention another situation when an encrypted
> /boot would provide an advantage: when the machine has a platform firmware
> which supports LUKS encryption, such as CoreBoot, then the on-disk boot
> components could be entirely encrypted.
... and about the only trouble you have then is to locate that ThinkPad
x220 (the only relatively modern laptop model that supports CoreBoot
without a hassle I know of). Or a Chromebook if they still but SeaBIOS
If you're preferring conventional desktop PC - you're out of luck with