On 9/7/2018 3:06 AM, Paddy Landau wrote:
> If you are arguing that /boot shouldn't be encrypted, this is a direct
> contradiction of what you wrote earlier that malware can be loaded into
> the ESP; so why couldn't malware be loaded into /boot?

It can. Encrypting it does not stop that.

> Please would you explain why you think that we should NOT encrypt /boot?
> The rest of us here are mystified; we should encrypt as much as possible
> in order to increase the barriers to black hats.

Because encryption does not prevent tampering. It protects private data. With no private data in /boot, there is no need to protect it.

On 9/9/2018 5:40 PM, Javier Paniagua Laconich wrote:
> Well, not entirely correct. Encryption is also for tamper resistance, so it
> is still very useful even if nothing in /boot is private.

No, it isn't. This belief that encryption prevents tampering strikes me as similar to people thinking that RAID is a substitute for backups.

--
https://bugs.launchpad.net/bugs/1773457

Title:
  Full-system encryption needs to be supported out-of-the-box including /boot and should not delete other installed systems
