On Fri, 5 Apr 2019 at 04:01, Petr Pisar <ppisar@xxxxxxxxxx> wrote:
>
> > Well, why can't we have LUKS1-encrypted /boot and enter the encryption
> > password by hand? That's still better than unencrypted /boot.
> >
> What's the point of encrypting /boot? All the executed bits from /boot
> (grub, kernel, and initramdisk) are measured by TPM. Thus if somebody
> tampers with them, root file system decryption that uses TPM will fail.
>

I expect it is in the case where the TPM is not available or where you
have been given a mandate to maintain confidentiality for all bits even
if you have integrity covered. [Sometimes confidentiality is more prized
than availability.]

> --
> Petr
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

--
Stephen J Smoogen.
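As an added illustration of the two positions in this exchange, and not code from the thread, from Fedora or from any TPM stack: the block below simulates the measured-boot chain Petr describes (each /boot component is hashed and extended into a PCR; a key sealed to the expected PCR value only unseals when the measurements match) and then shows the gap Stephen points at (measurement gives integrity, but an unencrypted initramfs is still readable offline). The extend rule is the real SHA-256 PCR-bank formula; the "TPM", the sealing scheme, the boot component blobs and the key are all constructed stand-ins so the example runs without hardware.

```python
"""Simulated TPM measurement of an unencrypted /boot (added example).

Only the extend rule is taken from the TPM 2.0 design:
    PCR_new = SHA256(PCR_old || SHA256(component))
Everything else (the boot blobs, the sealing scheme, the key) is a
constructed stand-in; a real TPM seals under a policy digest with its
own storage key, not with the HMAC/XOR wrapper used here.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32  # SHA-256 bank PCRs start as all-zero bytes


def extend(pcr: bytes, component: bytes) -> bytes:
    """One TPM2_PCR_Extend step: hash the component, chain it onto the PCR."""
    return HASH(pcr + HASH(component).digest()).digest()


def measure_boot(components: List[bytes]) -> bytes:
    """Measure grub, kernel and initramfs in boot order into a single PCR."""
    pcr = PCR_INIT
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> Tuple[bytes, bytes]:
    """Simulated sealing: wrap a 32-byte secret under a key bound to the PCR."""
    wrap_key = HASH(b"simulated-seal-key:" + expected_pcr).digest()
    blob = bytes(a ^ b for a, b in zip(secret, wrap_key))
    tag = hmac.new(wrap_key, blob, HASH).digest()
    return blob, tag


def unseal(sealed: Tuple[bytes, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Unseal only if the PCR seen at boot equals the one sealed against."""
    blob, tag = sealed
    wrap_key = HASH(b"simulated-seal-key:" + current_pcr).digest()
    if not hmac.compare_digest(tag, hmac.new(wrap_key, blob, HASH).digest()):
        return None  # measurements differ: root FS decryption fails
    return bytes(a ^ b for a, b in zip(blob, wrap_key))


def boot_attempt(components: List[bytes], sealed: Tuple[bytes, bytes]) -> Optional[bytes]:
    """Measure the given /boot contents, then try to recover the LUKS key."""
    return unseal(sealed, measure_boot(components))


def plaintext_contains(components: List[bytes], needle: bytes) -> bool:
    """Integrity-only /boot: anyone with the disk can still read the bits."""
    return any(needle in c for c in components)


# Constructed boot components; real ones are files under /boot.
GRUB = b"constructed grub core image"
KERNEL = b"constructed vmlinuz"
INITRAMFS = b"constructed initramfs root=UUID=1234 rd.luks.uuid=5678"
GOOD_BOOT = [GRUB, KERNEL, INITRAMFS]
TAMPERED_BOOT = [GRUB, KERNEL, INITRAMFS + b" init=/tmp/evil"]

# Constructed stand-in for the 32-byte LUKS key a TPM-backed setup would seal.
LUKS_KEY = HASH(b"constructed demo keyfile").digest()
SEALED = seal(LUKS_KEY, measure_boot(GOOD_BOOT))

if __name__ == "__main__":
    print("honest boot unseals :", boot_attempt(GOOD_BOOT, SEALED) == LUKS_KEY)
    print("tampered boot unseals:", boot_attempt(TAMPERED_BOOT, SEALED) is not None)
    print("initramfs readable  :", plaintext_contains(GOOD_BOOT, b"rd.luks.uuid="))
```

The honest boot reproduces the sealed PCR value and recovers the key; appending a single kernel argument to the initramfs changes the chained digest and the unseal fails, which is Petr's integrity argument. The last line shows Stephen's point: nothing in the measurement hides the initramfs contents, so a confidentiality requirement on /boot is not met by measurement alone.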