On Tue, Dec 26, 2017 at 02:24:24PM +0100, Pascal Hambourg wrote:

[...]
> I read that some UEFI implementations allow the user to manage
> secure boot keys. Carefully choose your hardware.
>
> Oh, by the way I forgot twice to mention another situation when an
> encrypted /boot would provide an advantage: when the machine has a
> platform firmware which supports LUKS encryption, such as CoreBoot,
> then the on-disk boot components could be entirely encrypted.

Granted. But if I were *that* deep in the thicket, I'd either shell out the 5K for a PowerPC workstation (which doesn't seem to have all that ME stuff... or they don't tell you?) *or* wait for lowRISC or similar. Doing encrypted-to-the-bottom in view of Intel ME or AMD TrustZone has a bit of a futile taste to me.

Cheers
-- 
t