29 Apr 2021 10:10
On Wed, Apr 28, 2021 at 8:47 PM Petr Tesařík wrote:
That's not my point. My point is that there is nothing secret stored under /boot. If it is a separate partition, it may be left unencrypted, avoiding the need to give a password to the boot loader.
Currently neither grub.cfg nor initrd are verified. Which means it is possible to install modified initrd which takes over after you unlocked root.
Yes. That's why I'd prefer full disc encryption (LUKS on whole disc).
Kind regards, Petr