On Thursday, December 12, 2019 6:54:38 AM MST Marius Schwarz wrote: > Am 06.12.19 um 21:04 schrieb Chris Murphy: > > > swap being compromised. Case 2 is present day Fedora "full disk > > encryption" which does not lock down the bootloader, /boot volume is > > not encrypted, and thus the initramfs is vulnerable to a targeted > > attack which could be used to deploy a key logger or whatever you're > > worried about in Case 1. > > > Not encrypting /boot may be the default in the installer, but does not > mean, you can't go the full way. > > You can simply activate /boot/ encryption. Grub will ask you for your > luks password while booting. > > But pls see the other message, I won't repeat myself. But your right, It > really depends on the threadmodel you wanne counter. > > My point is, make it as hard as possible, otherwise you way just think, > your safe, when your not.
Actually, it turns out you can accomplish this with blivet-gui in the current Anaconda ISOs, so current images do actually offer the option for real FDE. -- John M. Harris, Jr. Splentity _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
