On Tue, Feb 04, 2025 at 09:52:03AM +0100, to...@tuxteam.de wrote:
> On Tue, Feb 04, 2025 at 12:18:10AM -0800, Loren M. Lang wrote:
> > On Mon, Feb 03, 2025 at 10:39:25PM +0000, Automætic wrote:
> > > Hi,
> > >
> > > I'm configuring a new Debian installation on my workstation, with both
> > > the /boot partition and the root filesystem encrypted:
> > > - /dev/nvme0n1p1 -> /EFI
> > > - /dev/nvme0n1p2 -> LUKS2 (pbkdf2) -> /boot
> > > - /dev/nvme0n1p3 -> LUKS2 -> LVM containing root and other volumes
> > >
> > > The system boots, but requires entering the /boot password twice:
> > > Once for GRUB, and once again during systemd initialization.
> >
> > I think the solution is to not encrypt the /boot partition. That
> > partition shouldn't contain anything sensitive on it anyways [...]
>
> That's what I do currently, but to be fair, this exposes you to
> someone replacing your boot kit by something else (which could,
> for example, record your passphrase and pass it on).

I don't see how this actually adds any security because it will be GRUB
that needs to first ask you for your passphrase and it will be the GRUB
that was loaded from your unencrypted EFI partition. You've just moved
the goal post one step earlier in the boot process. Without Secure Boot
and possibly some use of the TPM, you can't protect against that.

Now, if the concern is that something might modify the /boot partition
while the OS is loaded then you probably don't want /boot mounted anyways
after GRUB decrypts it and grabs the kernel/initrd/config it needs.
However, you are also already compromised by that point anyways. /boot
should be about as sensitive as EFI is in this model and Secure Boot can
protect both by following the standard chain of signatures for each file
it loads.

>
> This can also, of course, be mitigated by some secure boot schema
> (provided you control your BIOS -- most of the time it's someone
> else, anyway ;-)
>
> This has been known by the (somewhat sexist) term "Evil Maid
> Attack" [1].
>
> It all depends on the threat model(s) you start from.
>
> Cheers
>
> [1] https://en.wikipedia.org/wiki/Evil_Maid_attack
> --
> t

--
Loren M. Lang
lor...@north-winds.org
http://www.north-winds.org/
IRC: penguin359

Public Key: http://www.north-winds.org/lorenl_pubkey.asc
Fingerprint: 7896 E099 9FC7 9F6C E0ED E103 222D F356 A57A 98FA