On Tue, Dec 26, 2017 at 01:47:23PM +0300, Reco wrote:
> Hi.
>
> On Tue, Dec 26, 2017 at 11:36:13AM +0100, [email protected] wrote:
> > On Tue, Dec 26, 2017 at 10:42:46AM +0100, Pascal Hambourg wrote:
> > > On 26/12/2017 at 02:47, microsoft gaofei wrote:
> > > > https://wiki.archlinux.org/index.php/GRUB#Boot_partition
> > > > ArchWiki has carried an introduction of GRUB, it offers a feature to
> > > > decrypt your partitions and you don't need to separate /boot. Debian
> > > > also uses GRUB as its boot loader, but Debian still separates the /boot
> > > > partition and leaves it unencrypted
> > >
> > > [...]
> > >
> > > Note however that in any case, the early part of GRUB cannot be
> > > encrypted [...]
> >
> > Is there any inherent advantage to having /boot encrypted?
>
> Presumably it should help with a scenario such as [1].
I don't see that: there must be an unencrypted bit at the beginning to boot and ask for the passphrase. Whether it's Grub's first stage (plus a bit) or it's a kernel plus initramfs, actually, shouldn't make a difference.

The only things which might help against an evil maid attack [1] are: secure boot (tying your bootable to secure firmware) [3], or carrying your boot media (e.g. SD card) with you, be it Grub+crypto, be it Grub+kernel+initramfs. Again, not much difference.

> But, as [2] shows us, the protection that's offered by encrypted boot is
> incomplete as it relies on the fact that the bootloader (GRUB) was not
> touched.

Seems we are in violent agreement, then :-)

I'm not really happy about the path the bootloader has taken, having to understand different file systems, having a module system, etc.

Cheers

[1] http://searchsecurity.techtarget.com/definition/evil-maid-attack
[2] https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html
[3] Given the games we've seen Intel play with their Management Engine lately... would you trust them with that secure boot thing? I know I wouldn't. And no, AMD ain't better.

-- 
tomás

