With cleartext /boot, anybody can inject traps into initrd while the system is shut down. As shown above, secure boot won't prevent this.
With encrypted /boot, the attacker would need the LUKS password in order to inject any malicious content into initrd. Attacker is limited to grub (and maybe kernel), which should be protected by secure boot. This makes a big difference! Removing support for LUKS2 from grub and leaving /boot unencrypted opens up a big hole even for the unexperienced attacker. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2043101 Title: Mantic+noble inadvertently includes the luks2 module in signed grub- efis To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2043101/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
