-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi,
On 30/09/18 16:44, deloptes wrote: > Celejar wrote: > >> But grub itself and its configuration can't be encrypted, so an >> attacker could still compromise that code / data. IIUC, your >> solution basically just implies moving some of the logic >> currently in the initramfs into grub. > > Yes, this is the point I am making. > >> One solution is to run grub from removable media, and preventing >> attackers from getting physical access to it ... You can sometimes do remote mounting in something like HP's iLO .... you could mount a floppy or ISO image and boot it with the image only being available from a client machine using iLo. But it won't work for machines without such capability. Cheers A. -----BEGIN PGP SIGNATURE----- iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCW7CfdgAKCRCoFmvLt+/i +zdRAQDLYu/z/LeeYe0rEmjRhzOU/K9zFPOWiICf/1elYU1htQEAq8YIRVub6kjb Kw142B0ig3S0CkEY39l4Jq0IRbipGlY= =BYHj -----END PGP SIGNATURE-----