On Fri, Mar 20, 2020 at 1:50 AM Petr Pisar <ppi...@redhat.com> wrote: > > On Thu, Mar 19, 2020 at 12:59:01PM -0600, Chris Murphy wrote: > > On Thu, Mar 19, 2020 at 11:53 AM Marius Schwarz <fedora...@cloud-foo.de> > > wrote: > > > > > > Am 19.03.20 um 17:11 schrieb Michael Cronenworth: > > > > On 3/19/20 11:04 AM, Marius Schwarz wrote: > > > >> correct and thats the main issue, as long you have grub where you can > > > >> edit the kernel line to start in runlevel 1. > > > >> This makes the encryption null and void. > > > > > > > > Adding a grub password will prevent those without it from editing your > > > > boot parameters. By default you can still boot without the grub > > > > password. Does that help? > > > > > > It would solve a problem. > > > > > > - does it prevent updates ( after booting into rl 5 ) of grub? > > > - where is the passcode stored? > > > > grub.cfg or user.cfg contains the hashed password > > > > https://wiki.archlinux.org/index.php/GRUB/Tips_and_tricks#Password_protection_of_GRUB_menu > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password > > > > But if the attacker has physical access to the computer, they can > > mount /boot/efi or /boot where this file is stored; and remove the > > password requirement. > > Not at all. GRUB code and configuration are protected by TPM measurement. If > an > attacker tampers them, decrypting LUKS will fail on a missing or wrong > passphrase.
I wasn't assuming measured boot; but in that case it provides better protection without needing the locked up kiosk setup. But none of this is really easy to setup right now, quite a lot of people have computers without a TPM. -- Chris Murphy _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
