this post was submitted on 13 Nov 2025
12 points (77.3% liked)
Linux
10114 readers
938 users here now
A community for everything relating to the GNU/Linux operating system (except the memes!)
Also, check out:
Original icon base courtesy of lewing@isc.tamu.edu and The GIMP
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Well, something has to be. You can have your EFI partition on a separate drive and then the actual drive will be fully encrypted. It's just as good as we can get, the algorithm for decrypting the data obviously can't be encrypted.
I think there are implementations with encryption logic stored in the BIOS or on a separate chip, but don't quote me on that. And even then, the decryption logic itself will be unencrypted, because, as it happens, computers can't run encrypted code.
efi partition on a separate disk makes a lot of sense actually, imo the biggest point of fde is that your boot environment doesn't get fucked with from outside your trusted os, so if you put your efi on a read only CD or something and lock your bios to boot into that, that can't really be tampered with easily in software
As bad as secure boot is, that's exactly the use case for it. Frankly, you can both swap the CD and solder a new BIOS flash if you are really interested in boot poisoning, the latter is just a tiny bit harder to do without some sort of trace.
I meant software attacks, if your hardware is compromised it's pretty much already game over unless you use something esoteric like heads maybe
Why not have the BIOS decrypt the disk then continue the boot process as normal?
Mainly because then the manufacturer decides on how your stuff is encrypted, no likie.
What do you mean?? Our Motherboards come equipped with the latest and greatest Military Grade™ MD5 RealGood™ Encryption Technology.
What do you mean it's not longer considered secure????? Fake news, we'd never lie to you.
You are just moving things. When you change your EFI partition from being unencrypted and asking for your password to the BIOS asking for your password (or other credentials) you just shift the attack surface.
Somewhere there has to be an unencrypted part to start with.
Lock your unencrypted ESP down with secure boot and your own keys (shitty as it is that is in fact the one conceptional usecase of secure boot, not that stupid marketing bullshit MS is doing with getting vendors to pre-install Microsoft keys) to prevent tampering and you are good to go.
If you do this, be sure to make an image of your EFI partition and/or keys and keep it somewhere safe along with whatever is needed to restore the partition. Because if something tempers with it, your computer will stop booting because sighed hashes no longer match the ones calculated and you'll be locked out of your own system without some sort of way to restore the partition to a safe state.
@onlinepersona@programming.dev
Yes, preventing the boot process when something tempers with the files is the whole point of secure boot.
And beside the backups you should always have (remember: no backup, no pity for you...) the keys to sign your EFI files with are on the encrypted disk so the running system can get updated. So deactivating secure boot again, unlocking your encrypted disk from some live boot stick and fixing it is always an option (as is having a live system at hand signed by the same keys if you want to...).