Hello here,

I just found this post about a feature that I was not aware of, and that seems to result from a patch that is very specific to openSUSE, namely Trusted Boot:

https://lizards.opensuse.org/2016/05/18/highlights-of-yast-development-sprin...

1) About Secure Boot

I have been using SecureBoot for a while, and here is my understanding of Secure Boot in openSUSE:

- the root of trust is the UEFI;
- it does use the TPM for cryptographic measurements;
- Shim in the EFI partition is the first component to check the signature of grub, then subsequently the chain continues from the kernel up to the modules.

It works pretty well, except that most distributions have an implementation flaw (e.g. Ubuntu, Fedora): as long as /boot has not been encrypted, an attacker with physical access to the machine can alter the initrd, do nasty stuff (like hijacking the user encryption password) and then proceed with the boot execution normally. I can confirm this flaw for sure as this is something that we have tested at my work.

In openSUSE, /boot is encrypted by default and Grub has been patched to prompt for decryption, so this is a good mitigation against these "evil maid attacks".

Overall, did I get it correctly?

2) About Trusted boot

The documentation is sparse so I am confused about how it compares with the SecureBoot implementation above.

My understanding is that it's exactly the same, except that it's some kind of legacy support for Grub and legacy BIOS, without UEFI. It's not clear here what the root of trust is: I guess this can only be Grub itself, storing measurements in the TPM.

Again, thank you for telling me if I am correct or wrong... Following your feedback, it might be a good idea that I write some stuff in the wiki or/and my blog to clarify all this.

Thank you!

Best regards,
Jean-Christophe
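
The message above mentions boot measurements stored in the TPM. As an added illustration (not part of the original message, and not openSUSE, GRUB or TPM vendor code), this sketch replays the hash-chain "extend" operation a TPM applies to each measurement and shows that a modified initrd changes the final PCR value. The stage names and byte strings are constructed, which stages a given bootloader measures is an assumption, and SHA-256 is chosen here for convenience (TPM 1.2 PCRs use SHA-1).

```python
import hashlib


def extend(pcr: bytes, component: bytes, alg: str = "sha256") -> bytes:
    """TPM-style extend: new_pcr = H(old_pcr || H(component))."""
    digest = hashlib.new(alg, component).digest()
    return hashlib.new(alg, pcr + digest).digest()


def measure_chain(components, alg: str = "sha256"):
    """Replay a boot: start from an all-zero PCR and extend each stage in order.

    Returns the final PCR value and an event log of (stage, digest) pairs.
    """
    pcr = bytes(hashlib.new(alg).digest_size)
    log = []
    for name, blob in components:
        pcr = extend(pcr, blob, alg)
        log.append((name, hashlib.new(alg, blob).hexdigest()))
    return pcr, log


def first_divergence(golden_log, observed_log):
    """Name of the first stage whose digest differs from the known-good log."""
    for (name, good), (_, seen) in zip(golden_log, observed_log):
        if good != seen:
            return name
    return None


# Constructed sample boot stages (placeholders, not real binaries).
GOOD_BOOT = [
    ("bootloader", b"constructed bootloader image"),
    ("kernel", b"constructed kernel image"),
    ("initrd", b"constructed initrd image"),
]
# Same chain, but the initrd on an unencrypted /boot has been altered.
TAMPERED_BOOT = GOOD_BOOT[:2] + [("initrd", b"constructed initrd image + change")]


def compare_boots(golden=GOOD_BOOT, observed=TAMPERED_BOOT):
    """Return (pcr_matches, first_changed_stage) for two boot sequences."""
    golden_pcr, golden_log = measure_chain(golden)
    seen_pcr, seen_log = measure_chain(observed)
    return golden_pcr == seen_pcr, first_divergence(golden_log, seen_log)


if __name__ == "__main__":
    matches, stage = compare_boots()
    print("PCR matches known-good value:", matches, "| first changed stage:", stage)
```

Measurement alone does not stop the boot; the changed PCR value only matters when something checks it, for example a secret sealed to the expected value or a remote verifier comparing the log.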