[systemd-devel] How to factory reset?

Chris Murphy lists at colorremedies.com
Tue Mar 10 16:33:17 PDT 2015


On Tue, Mar 10, 2015 at 11:13 AM, Tobias Hunger <tobias.hunger at gmail.com> wrote:
> Even if all filesystems are encrypted you could factory-reset random
> computers you have access to, simply by editing the bootloader
> configuration file usually found in the poorly protected EFI
> partition!

If you're concerned about bootloader configuration modification as a
threat vector, then it needs to go on an encrypted volume. This
suggests an initial bootloader configuration that only enables the
user to supply a passphrase/key file to unlock that volume, and then
load a new bootloader configuration file.

GRUB2 kinda does support this. The ESP grub.cfg can handle the
cryptodisk and luksopen to grant access to the encrypted volume; and
configfile command to load a new grub.cfg located on that volume. And
from there the boot is normal including reading kernel and initramfs
from the encrypted volume.


-- 
Chris Murphy
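
The arrangement described in the message above, written out as an ESP stub configuration. This is an added example, not part of the original post; in GRUB2 the command that opens a LUKS volume is `cryptomount` (backed by the `cryptodisk` and `luks` modules). The UUID placeholder, the `(crypto0)` device name, the ext4 filesystem and the `/boot/grub/grub.cfg` path are assumptions to adapt to the system at hand.

```cfg
# Stub grub.cfg kept on the EFI System Partition (added example).
# It contains no boot entries and no kernel command lines: its only job is
# to unlock the encrypted volume and hand control to the real configuration.

# These modules are needed before the volume is unlocked, so they must be
# built into the GRUB image or be readable from the ESP.
insmod part_gpt
insmod cryptodisk
insmod luks
insmod ext2            # assumption: the encrypted volume holds ext4

# Placeholder: the LUKS header UUID of the encrypted volume
# (as printed by `cryptsetup luksUUID <device>`).
set luks_uuid=REPLACE_WITH_LUKS_UUID

# Prompts for the passphrase; on success the volume appears as (crypto0)
# when it is the first one unlocked.
if cryptomount -u $luks_uuid; then
    set root=(crypto0)
    # Assumed locations of GRUB's files on the encrypted volume.
    set prefix=($root)/boot/grub
    # The menu entries, kernel and initramfs are all read from the
    # encrypted volume from this point on.
    configfile /boot/grub/grub.cfg
else
    echo "Could not unlock the encrypted volume; no boot entries loaded."
fi
```

The stub and the GRUB binary still sit unencrypted on the ESP, so this protects the contents of the real boot configuration, not the stub itself.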

