1
0
mirror of https://github.com/tommytran732/Arch-Setup-Script synced 2024-11-25 02:51:32 -05:00

Update README.md

This commit is contained in:
TommyTran732 2021-07-25 11:10:54 +00:00 committed by tommytran732
parent 588054fdaa
commit 825c2ce63b
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2

View File

@ -58,7 +58,7 @@ The partition layout I use rallows us to replicate the behavior found in openSUS
| 16 | @/var_lib_AccountsService | /var/lib/AccountsService | Encrypted BTRFS (nodatacow) | | 16 | @/var_lib_AccountsService | /var/lib/AccountsService | Encrypted BTRFS (nodatacow) |
| 17 | @/cryptkey | /cryptkey | Encrypted BTRFS (nodatacow) | | 17 | @/cryptkey | /cryptkey | Encrypted BTRFS (nodatacow) |
### LUKS1 and Encrypted /boot (Mumbo Jumbo stuff for anyone who's wondering why) ### LUKS1 and Encrypted /boot (Mumbo Jumbo stuff)
This is the same setup that is used on openSUSE. One problem with the way Secure Boot currently works is that the initramfs and a variety of things in /boot are not validated by GRUB whatsoever, even if Secure Boot is active. Thus, they are vulnerable to tampering. My approach as of now is to encrypt the entire /boot partition and have the only that is unencrypted - the grubx64.efi stub - validated by the firmware. This is the same setup that is used on openSUSE. One problem with the way Secure Boot currently works is that the initramfs and a variety of things in /boot are not validated by GRUB whatsoever, even if Secure Boot is active. Thus, they are vulnerable to tampering. My approach as of now is to encrypt the entire /boot partition and have the only that is unencrypted - the grubx64.efi stub - validated by the firmware.
Ideally, I could use GRUB's GPG verification for the initramfs and its configuration files and what not, but then I need to create hooks to sign them everytime they get updated (when a new initramfs gets generated, when grub-btrfs.path gets triggered, when grub gets updated and its config files change, etc). It is quite a tedious task and I have yet to implement or test this out. Ideally, I could use GRUB's GPG verification for the initramfs and its configuration files and what not, but then I need to create hooks to sign them everytime they get updated (when a new initramfs gets generated, when grub-btrfs.path gets triggered, when grub gets updated and its config files change, etc). It is quite a tedious task and I have yet to implement or test this out.