uefi_secure_boot

This is an old revision of the document!

UEFI Secure Boot

Why

  • Currently the only protection against EvilMaid attacks.
    • LUKS isnt that useful if someone modifies your initrd from an USB-Stick and saves your password for cryptsetup somewhere in /boot

How

There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub Kernels, booting directly from UEFI to a chain of UEFI → SHIM → GRUB2 → Linux

Current Plan

  1. UEFI
  2. systemd-boot
  3. Linux Kernel + dracut initrd
  • uefi_secure_boot.1509739030.txt.gz
  • Last modified: 2017/11/03 19:57
  • by brot