UEFI Secure Boot
Why
- Currently the only protection against Evil Maid attacks.
- LUKS isn't that useful if someone modifies your initrd from a USB stick so that it saves your cryptsetup password somewhere in /boot.
How
There are multiple ways to get to a Secure Boot Linux setup, ranging from self-signed EFI stub kernels booted directly from UEFI to a chain of UEFI → shim → GRUB2 → Linux.
Current Plan
- UEFI
- Linux Kernel + dracut initrd