Just encrypting /boot would bring little, as it would still be possible to modify the unencrypted part of GRUB (that decrypts /boot) to have it overwrite the /boot with malicious kernel images (or even to not use the ones provided).
The options I know of are (from IMO strongest to weakest): * AEM, for knowing when someone tampered with /boot * SecureBoot, for restricting the allowed-to-boot images (I don't know about its ease of use with qubes, though) * locking your bootloader with a password and disallow external boot I'd think having all these protections at the same time would be best, using secureboot mostly to avoid having to ditch the laptop after AEM says it's no longer trustworthy (because it may stop the attacker before it can even make the laptop no longer trustworthy). On 08/28/2017 09:48 PM, Unman wrote: > On Sat, Aug 26, 2017 at 08:39:23AM -0700, > [email protected] wrote: >> Does Qubes offer a method of securing /boot? not just against USB evil maid >> attacks, but from tampering in general? >> >> for example, while a laptop is off, what would stop a malicious user from >> live booting to an arbitrary distro and altering kernel or xen images >> located on the unencrypted /boot partition? >> >> Does qubes offer options for encrypting /boot? >> > > The Fedora installer wont allow an encrypted boot partition, but there's > nothing stopping you from encrypting /boot after installation. You will, > of course, have to reconfigure grub to decrypt the new /boot, but that's > straightforward. > > > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3bb3a4b8-f63d-5ccd-bdbb-7905c725901e%40gaspard.io. For more options, visit https://groups.google.com/d/optout.
