Hello Lennart, corresponding to your last post about FDE:
On an EFI system - would an encrypted "/boot" or /boot on
an encrypted "/" filesystem eliminate the mentioned main
attack vector? The whole chain would be authenticated.
firmware->shim->bootloader/grub2->{manual
interaction/password}->LUKSdecryption->kernel/initrd
Every former part checks the following one until the kernel and
the initrd are protected by LUKS (AFAIK grub2 supports only LUKS VERSION1).
Last time I checked macOS (before APFS) - they also use "boot.efi"
to get the pass and decrypt EncryptedRoot.plist.wipekey. Both "boot.efi"
and EncryptedRoot.plist.wipekey are on the unencrypted partition ...
Just some thoughts,
Leon
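The boot chain sketched in the comment hinges on the LUKS header version of the volume that holds the kernel and initrd, since the bootloader has to be able to read that header before any password is entered. The following is an added example, not code from the comment's author or from the blog post: a small parser for the on-disk LUKS binary header that reports the version and the fields a practitioner would check before deciding whether a boot-stage unlock is feasible. The header layout follows the cryptsetup on-disk format (LUKS1 phdr of 592 bytes, LUKS2 binary header of 4096 bytes); the sample headers are constructed in the block, and the `grub_can_unlock_per_comment` helper encodes only the compatibility condition the comment states (version 1), which is an assumption of this example rather than a statement about any particular GRUB release.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"          # shared by LUKS1 and the LUKS2 primary header
LUKS1_HDR_SIZE = 592                   # fixed phdr + 8 keyslots * 48 bytes
LUKS2_BIN_HDR_SIZE = 4096              # binary part; JSON metadata follows it
LUKS1_KEYSLOT_ACTIVE = 0x00AC03DF      # keyslot 'active' marker in LUKS1


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(blob: bytes) -> dict:
    """Parse the binary LUKS header and return its security-relevant fields."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header: bad magic")
    (version,) = struct.unpack_from(">H", blob, 6)
    info = {"version": version}

    if version == 1:
        if len(blob) < LUKS1_HDR_SIZE:
            raise ValueError("truncated LUKS1 header")
        info["cipher"] = _cstr(blob[8:40])
        info["mode"] = _cstr(blob[40:72])
        info["hash"] = _cstr(blob[72:104])
        info["payload_offset_sectors"] = struct.unpack_from(">I", blob, 104)[0]
        info["key_bytes"] = struct.unpack_from(">I", blob, 108)[0]
        info["uuid"] = _cstr(blob[168:208])
        # 8 keyslots of 48 bytes each start at offset 208; first u32 is the state.
        info["active_keyslots"] = sum(
            1 for i in range(8)
            if struct.unpack_from(">I", blob, 208 + 48 * i)[0] == LUKS1_KEYSLOT_ACTIVE
        )
    elif version == 2:
        if len(blob) < LUKS2_BIN_HDR_SIZE:
            raise ValueError("truncated LUKS2 binary header")
        info["hdr_size"], info["seqid"] = struct.unpack_from(">QQ", blob, 8)
        info["label"] = _cstr(blob[24:72])
        info["checksum_alg"] = _cstr(blob[72:104])
        info["uuid"] = _cstr(blob[168:208])
    else:
        raise ValueError(f"unsupported LUKS version {version}")
    return info


def grub_can_unlock_per_comment(info: dict) -> bool:
    """Compatibility condition as stated in the comment: only LUKS version 1.
    Assumption of this example; check your bootloader's release notes."""
    return info["version"] == 1


# --- constructed sample headers (not captured from a real device) ---------

def build_luks1_header() -> bytes:
    hdr = bytearray(LUKS1_HDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11] = b"aes"
    hdr[40:51] = b"xts-plain64"
    hdr[72:78] = b"sha256"
    struct.pack_into(">I", hdr, 104, 4096)    # payload offset in 512-byte sectors
    struct.pack_into(">I", hdr, 108, 64)      # 512-bit master key
    hdr[168:204] = b"11111111-2222-3333-4444-555555555555"  # constructed UUID
    struct.pack_into(">I", hdr, 208, LUKS1_KEYSLOT_ACTIVE)  # keyslot 0 active
    struct.pack_into(">I", hdr, 208 + 48, LUKS1_KEYSLOT_ACTIVE)  # keyslot 1 active
    return bytes(hdr)


def build_luks2_header() -> bytes:
    hdr = bytearray(LUKS2_BIN_HDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 2)
    struct.pack_into(">QQ", hdr, 8, 16384, 3)  # hdr_size, seqid
    hdr[24:28] = b"boot"
    hdr[72:78] = b"sha256"
    hdr[168:204] = b"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed UUID
    return bytes(hdr)


if __name__ == "__main__":
    for blob in (build_luks1_header(), build_luks2_header()):
        parsed = parse_luks_header(blob)
        print(parsed, "-> unlockable per comment:", grub_can_unlock_per_comment(parsed))
```

On a real system the same fields come from the first 4096 bytes of the LUKS device (read with root privileges); the parser deliberately never touches key material, so running it against a header is a read-only inventory step, and the number of active keyslots is worth comparing against the slots you expect to exist.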