[systemd-devel] FDE: UEFI/Secureboot solves main part / missing link is /boot encryption

Lennart Poettering lennart at poettering.net
Tue Sep 28 21:13:21 UTC 2021


On Tue, 28.09.21 19:44, Leon Fauster (leonfauster at googlemail.com) wrote:

> Hello Lennart, corresponding to your last post about FDE:
>
> On an EFI system - would an encrypted "/boot" or /boot on
> an encrypted "/" filesystem eliminate the mentioned main
> attack vector? The whole chain would be authenticated.

Encryption is not authentication.

Not sure why you would encrypt your boot loader though? The boot
loader code is hardly a secret, is it? It's the same for everyone and
open source.

And with which key? A key the user has to type in? How does that help?
It means the user is queried three times for a pw? Once by grub, once
by cryptsetup and once when logging in? That's not an improvement!

My blog story is an attempt to do things cleanly: i.e. authenticate
what needs authentication, and do so in a way that doesn't require
interactivity. The ultimate goal is that servers and embedded devices
can boot up entirely unattended in a safe way, and that desktop machines
only query the user once, and that the authentication the user does
unlocks the user's actual data.

Lennart

--
Lennart Poettering, Berlin
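
Added example, not part of the original message or of systemd: a Python sketch of the "encryption is not authentication" point made above. The toy XOR keystream cipher, the keys and the boot entry string are all constructed for illustration. The cipher stands in for any encryption without an integrity check, and HMAC-SHA256 stands in for an authentication step.

```python
import hashlib
import hmac


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 over key||counter (illustration only)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts by XOR with the keystream; has no integrity check."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def tag(mac_key: bytes, data: bytes) -> bytes:
    """Authentication tag over the stored bytes."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def verify(mac_key: bytes, data: bytes, expected: bytes) -> bool:
    """Constant-time comparison of the recomputed tag with the stored one."""
    return hmac.compare_digest(tag(mac_key, data), expected)


def demo() -> dict:
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    boot_entry = b"linux /vmlinuz root=/dev/mapper/root ro"  # constructed sample
    stored = xor_crypt(enc_key, boot_entry)   # what sits on disk
    stored_tag = tag(mac_key, stored)         # kept where it cannot be rewritten

    # One stored byte is changed by someone without either key.
    tampered = bytearray(stored)
    tampered[-1] ^= 0x01
    tampered = bytes(tampered)

    decrypted = xor_crypt(enc_key, tampered)  # returns normally, no error raised
    return {
        "decrypt_roundtrip_ok": xor_crypt(enc_key, stored) == boot_entry,
        "decrypt_changed_silently": decrypted != boot_entry,
        "mac_accepts_untouched": verify(mac_key, stored, stored_tag),
        "mac_accepts_tampered": verify(mac_key, tampered, stored_tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Decryption of the modified bytes completes without complaint; only the tag check reports that the stored data is no longer what was written.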

