On Wednesday, 03 April 2019 at 21:30, Chris Murphy wrote:
> On Wed, Apr 3, 2019 at 2:58 AM Dominik 'Rathann' Mierzejewski
> <domi...@greysector.net> wrote:
> >
> > On Thursday, 28 March 2019 at 17:30, Ben Cotton wrote:
> > > On Mon, Mar 25, 2019 at 4:12 PM Ben Cotton <bcot...@redhat.com> wrote:
> > > >
> > > > https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2
> > > >
> > > This Change proposal is on hold.
> >
> > Too bad. As a long-time SecureBoot user, I was looking forward to being
> > able to have encrypted /boot on Fedora.
> 
> I'm not sure if this has anything to do with why it's on hold, but
> GRUB does not support LUKS2. And there are no TPM bindings supported
> in LUKS1, but there are in LUKS2. Getting to full disk encryption
> out of the box by default with automatic unlock (measured boot to
> obtain the cryptographic key from the TPM) needs LUKS2. So in effect
> that means we either need GRUB to support LUKS2, or settle on an
> unencrypted /boot.

Well, why can't we have LUKS1-encrypted /boot and enter the encryption
password by hand? That's still better than unencrypted /boot.

Regards,
Dominik
-- 
Fedora   https://getfedora.org  |  RPM Fusion  http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
        -- from "Collected Sayings of Muad'Dib" by the Princess Irulan