On 23 Oct 2023 13:59 +0200, from m...@dorfdsl.de (Marco M.):
> Be aware that the boot loader and the /boot aren't encrypted by default
> and they can be attacked (e.g. simply place a tainted kernel inside) by
> anybody who has access to the hard disk.
Encrypted /boot has been supported with GRUB 2 for a while. That leaves only a minimal portion of GRUB in plaintext on storage. There's probably a way to use Secure Boot with custom signing keys to make tampering with the part of GRUB which must be readable to unlock the container for /boot very difficult without having access to the booted system.

-- 
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
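A check for the state the two messages above describe, added here as an editor's example (it is not code from the thread, from Debian or from the GRUB project): does /boot actually sit on a dm-crypt device, is GRUB_ENABLE_CRYPTODISK=y set so that grub-install builds a core image able to cryptomount it, does the generated grub.cfg contain the cryptomount line, and is UEFI Secure Boot on. The parsing functions are pure and take text, so the audit logic can be exercised with constructed input; the live gathering assumes Debian-style paths (/etc/default/grub, /boot/grub/grub.cfg), util-linux findmnt and lsblk, and efivarfs mounted at /sys/firmware/efi/efivars.

```python
#!/usr/bin/env python3
"""Audit /boot protections: encrypted /boot, GRUB cryptodisk, Secure Boot.

Editor's added example for the thread above, not GRUB or Debian code.
Paths and tool invocations are assumptions about a typical Debian host.
"""
import re
import subprocess
from pathlib import Path
from typing import List, Optional

DEFAULT_GRUB = Path("/etc/default/grub")
GRUB_CFG = Path("/boot/grub/grub.cfg")
# SecureBoot variable under the UEFI global GUID; efivarfs files carry
# 4 attribute bytes followed by the variable data.
SECUREBOOT_EFIVAR = Path(
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")


def cryptodisk_enabled(default_grub_text: str) -> bool:
    """True if /etc/default/grub sets GRUB_ENABLE_CRYPTODISK=y.

    Comments are ignored and the last assignment wins, as in a shell.  Only a
    value starting with 'y' counts, which is what the GRUB manual asks for;
    anything else is treated as off (assumption: a conservative reading).
    """
    value = None
    for raw in default_grub_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(?:export\s+)?GRUB_ENABLE_CRYPTODISK=(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
    return value is not None and value.lower().startswith("y")


def grub_cfg_mounts_crypto(grub_cfg_text: str) -> bool:
    """grub-mkconfig emits 'insmod cryptodisk' plus 'cryptomount -u <uuid>'
    when /boot is on a LUKS container; the cryptomount line is the signal."""
    return re.search(r"^\s*cryptomount\s", grub_cfg_text, re.M) is not None


def secure_boot_state(efivar_data: Optional[bytes]) -> str:
    """Decode the SecureBoot efivar: first data byte (offset 4) is 1 when on."""
    if efivar_data is None:
        return "unknown"  # not UEFI, or efivarfs not mounted / not readable
    if len(efivar_data) >= 5 and efivar_data[4] == 1:
        return "enabled"
    return "disabled"


def audit(default_grub_text: str, grub_cfg_text: str,
          boot_device_types: List[str], efivar_data: Optional[bytes]) -> dict:
    """Combine observations into findings.  boot_device_types is the lsblk
    TYPE chain from the device backing /boot up to the disk, e.g.
    ['lvm', 'crypt', 'part', 'disk']; any 'crypt' link means dm-crypt."""
    boot_on_crypt = "crypt" in boot_device_types
    findings = {
        "boot_on_dm_crypt": boot_on_crypt,
        "grub_cryptodisk_setting": cryptodisk_enabled(default_grub_text),
        "grub_cfg_cryptomount": grub_cfg_mounts_crypto(grub_cfg_text),
        "secure_boot": secure_boot_state(efivar_data),
    }
    problems = []
    if not boot_on_crypt:
        problems.append("/boot is on an unencrypted device: kernel and initrd "
                        "can be replaced by anyone with access to the disk")
    elif not findings["grub_cryptodisk_setting"]:
        problems.append("/boot is encrypted but GRUB_ENABLE_CRYPTODISK=y is "
                        "not set; grub-install will not embed cryptodisk support")
    elif not findings["grub_cfg_cryptomount"]:
        problems.append("grub.cfg has no cryptomount line; rerun update-grub")
    if findings["secure_boot"] != "enabled":
        problems.append("Secure Boot is not enabled: the plaintext GRUB core "
                        "image and EFI binary are not checked by the firmware")
    findings["problems"] = problems
    return findings


def _run(cmd: List[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout.strip()


def live_boot_device_types() -> List[str]:
    """lsblk TYPE chain (device and its parents) behind the mount holding /boot."""
    source = _run(["findmnt", "-T", "/boot", "-no", "SOURCE"])
    source = re.sub(r"\[.*\]$", "", source)  # drop btrfs '[/subvol]' suffix
    if not source:
        return []
    return _run(["lsblk", "-sno", "TYPE", source]).split()


def main() -> None:
    efivar = SECUREBOOT_EFIVAR.read_bytes() if SECUREBOOT_EFIVAR.exists() else None
    report = audit(
        DEFAULT_GRUB.read_text() if DEFAULT_GRUB.exists() else "",
        GRUB_CFG.read_text() if GRUB_CFG.exists() else "",
        live_boot_device_types(), efivar)
    for key, val in report.items():
        print(f"{key}: {val}")


if __name__ == "__main__":
    main()
```

Run it as root so grub.cfg and efivarfs are readable. Two practical points when acting on its findings: upstream GRUB's cryptomount handles LUKS1, and (since 2.06) LUKS2 only with PBKDF2, so a /boot container made with cryptsetup's default argon2id will not unlock in GRUB; create it with `--type luks1` or `--pbkdf pbkdf2`. And the script only reports whether Secure Boot is on, not which keys are enrolled; the "custom signing keys" idea above means enrolling your own db/KEK/PK and signing the GRUB EFI image you install, otherwise the firmware check says nothing about your GRUB.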