On Tuesday, July 7, 2020 3:17:16 AM MST Gerd Hoffmann wrote:
> On Mon, Jul 06, 2020 at 01:26:31PM -0700, John M. Harris Jr wrote:
> > On Monday, July 6, 2020 5:24:32 AM MST Gerd Hoffmann wrote:
> > 
> > > Default fedora disk layout in UEFI mode is partitions for ESP, /boot and
> > > LVM.  If you ask for full disk encryption LVM is encrypted, ESP + boot
> > > are not.  Which makes sense to me.  Why would you encrypt /boot?  The
> > > files you can find there are public anyway, you can download them from
> > > the fedora servers.  Encrypting /boot would make the boot process more
> > > fragile for no benefit.
> > 
> > 
> > I guess that shows how unfamiliar I am with UEFI boot Fedora. You would
> > encrypt /boot to ensure that your boot images have not been tampered with,
> Well, if that is your concern the answer is secure boot.  That will not
> only prevent tampering with /boot files, but also prevent tampering with
> the bootloader itself.

No, Secure Boot doesn't solve that problem. Secure Boot, in Fedora anyway, 
needlessly disables a lot of kernel functionality, which makes it completely 
unusable. You cannot load kernel modules you've built, hibernate your system, 
etc. Additionally, Secure Boot does not prevent tampering with /boot files. 
You can still change grub.cfg as you like.

> > or config files haven't been read by somebody other than the end user.
> Hmm, typically that is pretty standard stuff and very similar on all
> fedora installs.  Only the root filesystem uuid differs, and possibly
> local tweaks like configuring a serial console.  I can't see how reading
> that is of much concern.

There's no reason to allow these files to be read to begin with, if the system 
is going to be encrypted.

John M. Harris, Jr.

devel mailing list -- devel@lists.fedoraproject.org