04.06.2016 22:05, Chris Murphy пишет: ... >> >> Yeah, when it comes to FDE, you either have to make your peace with >> trusting the manufacturer, or you can't. If you are going to boot your >> system with a traditional boot loader, an unencrypted partition is >> mandatory. > > /boot can be encrypted, GRUB supports this, but I'm unaware of any > installer that does.
openSUSE supports installation on LUKS encrypted /boot. Installer has some historical limitations regarding how encrypted container can be setup, but bootloader part should be OK (including secure boot support). > The ESP can't be encrypted. > It should be possible if you use hardware encryption (SED). > http://dustymabe.com/2015/07/06/encrypting-more-boot-joins-the-party/ > > It's vaguely possible for the SED variety of drive to support fully > encrypted everything, including the ESP. The problem is we don't have > OPAL support on Linux at all anywhere. And for some inexplicable > reason, the TCG hasn't commissioned a free UEFI application for > managing the keys and unlocking the drive in the preboot environment. > For now, it seems, such support has to already be in the firmware. > -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html