On Wed, Apr 3, 2019 at 2:58 AM Dominik 'Rathann' Mierzejewski
<domi...@greysector.net> wrote:
>
> On Thursday, 28 March 2019 at 17:30, Ben Cotton wrote:
> > On Mon, Mar 25, 2019 at 4:12 PM Ben Cotton <bcot...@redhat.com> wrote:
> > >
> > > https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2
> > >
> > This Change proposal is on hold.
>
> Too bad. As a long-time SecureBoot user, I was looking forward to being
> able to have encrypted /boot on Fedora.

I'm not sure if this has anything to do with why it's on hold, but
GRUB does not support LUKS2. And there are no TPM bindings supported
in LUKS1, but there are in LUKS2. Getting to full disk encryption
out of the box by default with automatic unlock (measured boot to
obtain the cryptographic key from the TPM) needs LUKS2. So in effect
that means we either need GRUB to support LUKS2, or settle on an
unencrypted /boot.


--
Chris Murphy
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org