[systemd-devel] FDE: UEFI/Secureboot solves main part / missing link is /boot encryption
Leon Fauster
leonfauster at googlemail.com
Tue Sep 28 17:44:33 UTC 2021
Hallo Lennart, corresponding to your last post about FDE:
On an EFI system - would an encrypted "/boot" or /boot on
an encrypted "/" filesystem eliminate the mentioned main
attack vector? The whole chain would be authenticated.
firmware->shim->bootloader/grub2->{manual
interaction/password}->LUKSdecryption->kernel/initrd
Every former part checks the following one until the kernel and
the initrd is protected by LUKS (AFAIK grub2 supports only LUKS VERSION1)
Last time I checked macOS (before APFS) - they use also "boot.efi"
to get the pass and decrypt EncryptedRoot.plist.wipekey. Both "boot.efi"
and EncryptedRoot.plist.wipekey are on the unencrypted partition ...
Just some thoughts,
Leon
More information about the systemd-devel
mailing list