On Fri, Apr 03, 2020 at 05:44:13PM +0200, Ellen Papsch wrote:
> To make it harder, we leave /boot encrypted. Now the attacker plants
> their malware further down the stack: they replace the BIOS. Boom, you
> are owned! :-)

So using a single encrypted partition instead of separate /boot protects from script kiddies (siblings/“friends”?) with hardware access that know how to put their own grub.cfg on an unencrypted /boot partition and then wait for you to unsuspectingly use your machine.

But it would still be possible for an attacker to flash or replace the motherboard’s UEFI, or perhaps the part of GRUB installed on the unaltered motherboard would willingly load a manipulated hard disk? Or just install a keylogger.

So using the same boot partition as is done currently has

Pro: script kiddie protection
Con: passphrase must be entered twice; also entering the passphrase in GRUB may use the wrong keyboard layout

Regards,
Florian
