On Tue, 28.09.21 19:44, Leon Fauster (leonfauster@xxxxxxxxxxxxxx) wrote:

> Hello Lennart, corresponding to your last post about FDE:
>
> On an EFI system - would an encrypted "/boot" or /boot on
> an encrypted "/" filesystem eliminate the mentioned main
> attack vector? The whole chain would be authenticated.

Encryption is not authentication.

Not sure why you would encrypt your boot loader though? The boot loader
code is hardly a secret, is it? It's the same for everyone and open
source.

And with which key? A key the user has to type in? How does that help?
It means the user is queried three times for a pw? Once by grub, once by
cryptsetup and once when logging in? That's not an improvement!

My blog story is an attempt to do things cleanly: i.e. authenticate what
needs authentication, and do so in a way that doesn't require
interactivity. The ultimate goal is that servers and embedded devices
can boot up entirely unattended in a safe way, and that desktop machines
only query the user once, and that the authentication the user does
unlocks the user's actual data.

Lennart

--
Lennart Poettering, Berlin
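The following is an added illustration of the "encryption is not authentication" point, not code from the mail thread or from systemd. It uses a toy stream cipher (SHA-256 in counter mode, an assumption chosen so the block runs with the standard library; the malleability it shows is shared by any stream cipher, AES-CTR included) and a constructed stand-in for a boot-stage image. An encrypt-only image can be altered without the key and still decrypts without complaint; adding an HMAC over the ciphertext and verifying it before decryption makes the same alteration fail closed.

```python
import hashlib
import hmac
import os

# Constructed sample standing in for a boot-stage image (a real loader is far larger).
BOOT_STAGE = b"mode=secure;root=/dev/mapper/root;"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 run in counter mode. Assumption for the demo only;
    it illustrates malleability, which every stream cipher shares."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def flip_plaintext_without_key(ciphertext: bytes, offset: int,
                               known_old: bytes, new: bytes) -> bytes:
    """Change the plaintext at `offset` from `known_old` to `new` by XORing the
    difference into the ciphertext. No key is needed, only the old bytes."""
    delta = bytes(a ^ b for a, b in zip(known_old, new))
    ct = bytearray(ciphertext)
    for i, d in enumerate(delta):
        ct[offset + i] ^= d
    return bytes(ct)


def encrypt_only_roundtrip(key: bytes, nonce: bytes) -> bytes:
    """Encrypt-only pipeline: the altered image decrypts 'successfully'."""
    ct = stream_xor(key, nonce, BOOT_STAGE)
    off = BOOT_STAGE.index(b"secure")
    altered = flip_plaintext_without_key(ct, off, b"secure", b"unsafe")
    return stream_xor(key, nonce, altered)  # returns b"mode=unsafe;..." with no error


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes):
    """Encrypt, then authenticate nonce + ciphertext with an HMAC tag."""
    ct = stream_xor(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Verify the tag first; return None (refuse) if it does not match, else decrypt."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return stream_xor(enc_key, nonce, ct)


def authenticated_roundtrip(enc_key: bytes, mac_key: bytes, nonce: bytes):
    """Authenticated pipeline: the untouched image opens, the altered one is refused."""
    ct, tag = seal(enc_key, mac_key, nonce, BOOT_STAGE)
    off = BOOT_STAGE.index(b"secure")
    altered = flip_plaintext_without_key(ct, off, b"secure", b"unsafe")
    return (open_sealed(enc_key, mac_key, nonce, ct, tag),
            open_sealed(enc_key, mac_key, nonce, altered, tag))


if __name__ == "__main__":
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    print(encrypt_only_roundtrip(enc_key, nonce))
    print(authenticated_roundtrip(enc_key, mac_key, nonce))
```

The order matters: the tag is checked over the ciphertext before anything is decrypted, so a modified image is rejected without ever being interpreted. A signature in place of the HMAC gives the same property without a shared secret on the verifying side, which is what a boot chain needs.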