On Tue, Mar 10, 2015 at 11:13 AM, Tobias Hunger <tobias.hun...@gmail.com> wrote:
> Even if all filesystems are encrypted you could factory-reset random
> computers you have access to, simply by editing the bootloader
> configuration file usually found in the poorly protected EFI
> partition!

If you're concerned about bootloader configuration modification as a threat vector, then it needs to go on an encrypted volume. This suggests an initial bootloader configuration that only enables the user to supply a passphrase/key file to unlock that volume, and then load a new bootloader configuration file.

GRUB2 kinda does support this. The ESP grub.cfg can handle the cryptodisk and luksopen to grant access to the encrypted volume; and configfile command to load a new grub.cfg located on that volume. And from there the boot is normal including reading kernel and initramfs from the encrypted volume.

--
Chris Murphy
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
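
The two-stage layout described in the reply above, sketched as a stub grub.cfg for the ESP. This is an added example, not configuration from the thread or from any distribution. It uses `cryptomount`, the command mainline GRUB 2 provides for unlocking LUKS volumes. Assumptions: a GPT disk, a LUKS1 container unlocked by passphrase, an ext4 filesystem inside it, the real config at `/boot/grub/grub.cfg`, and a placeholder UUID.

```grub
# Stub grub.cfg on the ESP: its only job is to unlock the encrypted
# volume and hand control to the real grub.cfg stored inside it.
# No menu entries, kernel paths or kernel command lines live here.

# Modules needed to read the partition table, open LUKS and read the
# filesystem inside it (assumed: GPT + LUKS1 + ext2/3/4).
insmod part_gpt
insmod cryptodisk
insmod luks
insmod ext2

# Placeholder: replace with the UUID from the LUKS header of the volume.
set luks_uuid=REPLACE_WITH_LUKS_UUID

# Prompts for the passphrase and opens the container.
cryptomount -u $luks_uuid

# The first unlocked container is exposed as (crypto0).
set root=(crypto0)
set prefix=($root)/boot/grub

# Load the real configuration from the encrypted volume. From here on,
# the kernel and initramfs are read from (crypto0) as well.
# The path is an assumption; some distributions use /boot/grub2/grub.cfg.
configfile $prefix/grub.cfg
```

The stub itself still sits unencrypted on the ESP, so this layout protects the menu entries and kernel command line, not the stub; detecting changes to the stub needs a separate control such as a signed or measured boot path.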