On Thursday, 19 March 2020 at 19:59, Chris Murphy wrote: [...] > I think what you'd want for the stolen laptop use case is an encrypted > $BOOT, which GRUB does support: > > The first grub.cfg is unencrypted, and provides strictly for unlocking > a LUKS1 (no LUKS2 support yet) $BOOT volume, and then using > 'configfile' command to read a second "real" grub.cfg on the encrypted > $BOOT, which also contains BLS snippets, and kernel+initramfs. Since a > passphrase is required to even read these files, in order to boot the > installed system, I'm not sure it's necessary to also lock down the > command line. (Also, the setup details differ considerably between > UEFI and BIOS.) Could you share the steps to configure the above for UEFI case? I'm interested in such setup, but never had time to try configuring it. Regards, Dominik -- Fedora https://getfedora.org | RPM Fusion http://rpmfusion.org There should be a science of discontent. People need hard times and oppression to develop psychic muscles. -- from "Collected Sayings of Muad'Dib" by the Princess Irulan _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
