Linux

10114 readers

938 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev

Why call it full-disk encryption when the EFI partition has to be unencrypted? (programming.dev)

submitted 1 day ago by onlinepersona@programming.dev to c/linux@programming.dev

36 comments fedilink hide all child comments

Sounds like a misnomer to me.

you are viewing a single comment's thread
view the rest of the comments

[–] TwilightKiddy@programming.dev 1 points 1 day ago (1 children)

If you do this, be sure to make an image of your EFI partition and/or keys and keep it somewhere safe along with whatever is needed to restore the partition. Because if something tempers with it, your computer will stop booting because sighed hashes no longer match the ones calculated and you'll be locked out of your own system without some sort of way to restore the partition to a safe state.

@onlinepersona@programming.dev

[–] Ooops@feddit.org 2 points 22 hours ago* (last edited 22 hours ago)

Yes, preventing the boot process when something tempers with the files is the whole point of secure boot.

And beside the backups you should always have (remember: no backup, no pity for you...) the keys to sign your EFI files with are on the encrypted disk so the running system can get updated. So deactivating secure boot again, unlocking your encrypted disk from some live boot stick and fixing it is always an option (as is having a live system at hand signed by the same keys if you want to...).