On Thu, Mar 19, 2020 at 12:59:01PM -0600, Chris Murphy wrote: > On Thu, Mar 19, 2020 at 11:53 AM Marius Schwarz <fedora...@cloud-foo.de> > wrote: > > > > Am 19.03.20 um 17:11 schrieb Michael Cronenworth: > > > On 3/19/20 11:04 AM, Marius Schwarz wrote: > > >> correct and thats the main issue, as long you have grub where you can > > >> edit the kernel line to start in runlevel 1. > > >> This makes the encryption null and void. > > > > > > Adding a grub password will prevent those without it from editing your > > > boot parameters. By default you can still boot without the grub > > > password. Does that help? > > > > It would solve a problem. > > > > - does it prevent updates ( after booting into rl 5 ) of grub? > > - where is the passcode stored? > > grub.cfg or user.cfg contains the hashed password > > https://wiki.archlinux.org/index.php/GRUB/Tips_and_tricks#Password_protection_of_GRUB_menu > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password > > But if the attacker has physical access to the computer, they can > mount /boot/efi or /boot where this file is stored; and remove the > password requirement.
Not at all. GRUB code and configuration are protected by TPM measurement. If an attacker tampers them, decrypting LUKS will fail on a missing or wrong passphrase. -- Petr
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
