Linux

10114 readers

1028 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev

Why call it full-disk encryption when the EFI partition has to be unencrypted? (programming.dev)

submitted 1 day ago by onlinepersona@programming.dev to c/linux@programming.dev

36 comments fedilink hide all child comments

Sounds like a misnomer to me.

you are viewing a single comment's thread
view the rest of the comments

[–] Jumuta@sh.itjust.works 4 points 1 day ago* (last edited 1 day ago) (1 children)

efi partition on a separate disk makes a lot of sense actually, imo the biggest point of fde is that your boot environment doesn't get fucked with from outside your trusted os, so if you put your efi on a read only CD or something and lock your bios to boot into that, that can't really be tampered with easily in software

[–] TwilightKiddy@programming.dev 7 points 1 day ago (1 children)

As bad as secure boot is, that's exactly the use case for it. Frankly, you can both swap the CD and solder a new BIOS flash if you are really interested in boot poisoning, the latter is just a tiny bit harder to do without some sort of trace.

[–] Jumuta@sh.itjust.works 3 points 1 day ago

I meant software attacks, if your hardware is compromised it's pretty much already game over unless you use something esoteric like heads maybe