On Tue, Dec 26, 2017 at 12:10:52PM +0100, Pascal Hambourg wrote:
> On 26/12/2017 at 11:36, to...@tuxteam.de wrote:
> >
> >On Tue, Dec 26, 2017 at 10:42:46AM +0100, Pascal Hambourg wrote:
> >>Note however that in any case, the early part of GRUB cannot be
> >>encrypted [...]
> >
> >Is there any inherent advantage to having /boot encrypted?
>
> I can imagine a few situations.
>
> - When you can enforce the early stage of GRUB integrity by storing
> it on removable or read-only boot media, checking it with trusted
> computing, TPM...
> You could extend this to the whole /boot directory contents instead
> of encrypting it but parts of it such as the kernel image, initramfs
> and grub.cfg change quite often, while GRUB itself seldom changes.
> An alternative to /boot encryption is to sign its contents so that
> GRUB early stage can check the files when loading them.
>
> - When you need to store sensitive data in /boot, such as
> passphrases for other encrypted volumes.

In the days you measure (small) external media in gigabytes, this
argument has lost a lot of push. My whole boot at the moment is 37M,
the smallest SD card I can come up with at home is 256M, and we kicked
it out of our point-n-shoot camera because... 4G.

But yes, on some specialized hardware that might make a difference.

FWIW, /boot/grub is 9.1M (yikes! didn't I say I don't like how fat
the boot loader has become? How long until it needs dbus?), which
is an upper bound to the size of grub's "non-unencrypted" part
(dunno by how much).

Small embedded systems tend to have syslinux, though, or whatever
else you use on Arm ;-P

Cheers
-- 
t