On Tue, 2021-12-21 at 15:20 +0100, Fabian Vogt wrote:
You're not missing anything. I raised that in the thread already, and the wiki article should probably make that also more clear.
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/...
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/...
Using just PCR7 does not provide any of the security properties that are usually expected. It only protects against someone having access to data on disks.
You wrote about /boot not being verified. But even re-reading both posts, I can't find the information that the encryption of the root device is easily circumvented.

Protecting private data on disk used to be the main reason for which we used to do device encryption in the past. The integrity/verification aspect is a relatively new one. That doesn't mean it's not important, but losing encryption in favor of (weak) verifiability seems to be a bad trade-off to me.

Call me naïve: IMHO the likelihood of a device being stolen or lost, and private content leaking to a 3rd party more or less accidentally that way, is higher than of a device being actively tampered with, which assumes a concrete malicious intent against the owner of the device.

Regards
Martin