Chris Murphy wrote:
> I'm not sure how people are worried about trojans being injected into
> an unencrypted root, while also not at all concerned about bootloader
> malware, or malware injected into the initramfs or the hibernation
> image - which upon resume replaces everything in RAM in favor of
> what's in the image.
The bootloader itself getting attacked is a concern, but for the initramfs,
encrypting /boot is actually a solved problem, Anaconda just needs to
support it. (That said, it means that you have to type the passphrase into
GRUB, so you are stuck with its limited input capabilities.)
> The alternative, to put a fine point on it, would mean creating some small
> subset of the entire GNOME stack to stuff into the initramfs in order to
> provide input, keymapping, and UI to have the minimum a11y function and
> i18n expectations. That's a tough sell.
IMHO, Qt for the LinuxFB (fbdev) or EGLFS (if you really need OpenGL)
platform would be a much better fit for this purpose than the GNOME stack,
if you really think we cannot do without the convenience of a GUI toolkit
for a passphrase prompt on bootup. (That said, this approach precludes
encrypting /boot, unfortunately.)
Kevin Kofler
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
