[systemd-devel] FDE: UEFI/Secureboot solves main part / missing link is /boot encryption

[Lennart Poettering]

On Mi, 29.09.21 12:47, Leon Fauster (leonfauster at googlemail.com) wrote:

> > Encryption is not authentication.
> >
> > Not sure why you would encrypt your boot loader though? The boot
> > loader code is hardly a secret, is it? It's the same for everyone and
> > open source.
> >
> > And with which key? a key the user has to type in? how does that help?
> > it means the user is queried three times for a pw? once by grub, once
> > by cryptsetup and once when logging in? That's not an improvement!
>
> I think was partly misunderstood. Le me rephrase it. My motivation was
> just a thought about one step in the implementation (in the context
> of UEFI), that has a huge benefit. Speak, protecting the initrd. Thats the
> start point.

Well, it encrypts the initrd (which I am not interested in), and it
doesn't authenticate it (which I want), and all that with an
interactively acquired key (which I don't want).

Maybe that solves your specific problem set — but it doesn't solve any
of the issues I am trying to address.

> Yes, enc != auth - but while speaking about authentication. Dracut
> could enroll the signature of the initrd into the allow db (EFI).
> So, grub2 could check both, the kernel and the initrd and making the
> above encryption completely obsolete, thought.

Well, my proposal suggests just including the basic initrd in the
kernel image. The kernel's signature would then also validate this
basic initrd. My focus is that this kernel/initrd signing happens
during build time, not at install time, i.e. the secret signature keys
should be held by the building party only, not by the local
instalations.

Lennart

--
Lennart Poettering, Berlin