On Wed, 27 Aug 2014 13:29:17 +0200 "Garreau\, Alexandre" <[email protected]> wrote:
> Hello, I’m trying to set up a secure —the most I can— X60t with
> libreboot on it and GRUB as a payload. GNUtoo recommended me to set a
> password to GRUB to stop potential attacker to execute any code on the
> machine that could reflash the SPI chip, and then to encrypt the
> *entire* disk and decrypt it with GRUB only.
>
> I can see his GRUB configuration on Parabola wiki, here:
> <https://wiki.parabolagnulinux.org/User:GNUtoo/laptop#Coreboot_Setup>. But
> I don’t understand what are “cryptdevice” or “cryptkey” args…
>

They are unrelated to grub and interpreted by initrd of your distribution.

> Also, he found a way to integrate the decryption key in the initramfs of
> Parabola so that he only has to enter it within GRUB, and not again
> while boot. I’d have two questions:
>
> a) since I don’t know yet how to put the key in the Debian initramfs, is
> there a way to pass it as an argument to Linux instead? so that it’s
> more portable and I only have to set up correctly GRUB and not have to
> remember modifying the distro I install?
>

Again - you have to ask your distribution. OTOH having key in plain text (or even reversible encryption) laying on your disk somehow defeats its purpose ...

> b) is there a way to set up the GRUB password and decryption key the
> same so that the GRUB password can be used by cryptomount so that I only
> enter one password once?
>

Unfortunately, no - user authentication and cryptomount are not passing any information. Could be idea for next release.

> Thanks for any help ^^
_______________________________________________ Help-grub mailing list [email protected] https://lists.gnu.org/mailman/listinfo/help-grub
