Andrew McGlashan a écrit : > > On 22/11/2015 6:17 AM, Pascal Hambourg wrote: >> I do not see how this "solution" protects against tampering of the >> unencrypted boot part. > > True, physical access and you are still toast.
The only solution I have read about to protect the boot part on the internal disk is to use a TPM (Trusted Platform Module) to validate the entire boot chain (MBR, boot loader, kernel, initramfs...). There is also the UEFI "secure boot" feature, which requires that the boot loader be signed. I do not know much about it, but I believe there are many boot loaders signed with default keys out there which could be used instead of yours. So unless you can remove the default keys and add your own key in the UEFI firmware, I am afraid it cannot be trusted. Otherwise, you can set the machine to boot from an external source, e.g. network if you trust it more than the machine, or a removable read-only device such as a CD-ROM or USB key that you must always keep with you.
