this post was submitted on 13 Nov 2025
12 points (77.3% liked)

Linux

10114 readers
938 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
12
Why call it full-disk encryption when the EFI partition has to be unencrypted? (programming.dev)
submitted 1 day ago by onlinepersona@programming.dev to c/linux@programming.dev
36 comments fedilink hide all child comments
 

Sounds like a misnomer to me.

you are viewing a single comment's thread
view the rest of the comments
[–] Nawor3565@lemmy.blahaj.zone 26 points 1 day ago (1 children)

Cause there's no user data stored on EFI, and saying "almost-full-disk-except-for-the-EFI-partition-encryption" is a bit cumbersome and, obviously, pedantic.

[–] onlinepersona@programming.dev 1 points 1 day ago (3 children)

Sure, but unencrypted means it can be tampered with. The bootloader can be modified to write your password to disk and once you boot, submit that to a server somewhere - or worse.

[–] data1701d@startrek.website 10 points 1 day ago

That's precisely why secure boot and TPMs exist - the TPM can store the keys to decrypt the drives and won't give them unless the signed shim executable can be verified; the shim executable then checks the kernel images, options, and DKMS drivers' signatures as well. If the boot partition has been tampered with, the drive won't decrypt except by manual override.

The big problem is Microsoft controls the main secure boot certificate authority, rather than a standards body. This means that either a bad actor stealing the key or Microsoft itself could use a signed malicious binary used to exploit systems.

Still, it's at least useful against petty theft.

TPM sniffing attacks seem possible, but it looks like the kernel uses parameter and session encryption by default to mitigate that: https://docs.kernel.org/security/tpm/tpm-security.html

[–] dgdft@lemmy.world 4 points 1 day ago (1 children)

There’s also PXE boot, secure boot, carrying around a live image on a flash drive, etc.

But any attacker advanced enough to tamper with your EFI partition in an evil-maid scenario has plenty of other options to log and steal your encryption passphrase, so it’s generally a moot point.

[–] onlinepersona@programming.dev -2 points 1 day ago (2 children)

With that logic there's no need to even encrypt your partitions 🤷

[–] dgdft@lemmy.world 10 points 1 day ago

Absolutely not — the skill level needed to tamper with a bashrc, pull credentials + keys, or generally hunt for sensitive info on an unencrypted disk is worlds apart from the skill level needed to modify an EFI binary.

[–] spiffpitt@lemmy.world 7 points 1 day ago

security isn't real, just increasing deterrence for attackers.

if you can access something, they can access it, it's just a matter of effort needed to get there.

[–] HubertManne@piefed.social 1 points 1 day ago* (last edited 1 day ago) (1 children)

wait wait. the concern here is the unencrypted partition rather than the password to the encrypted disk being known???