On 12/12/19 6:56 AM, Marius Schwarz wrote:
On the other hand, as android is capable of FDE, they must have made
some importanted changes that can be of use here.
Right, because Android has full control of the entire boot process, so
they only need the user input at the end where all the moving pieces
are in place. I think bulletproofing the boot process is the right
approach for Linux as well---but it's hard because the PC platform
interface between the firmware (BIOS/UEFI) and the OS is brittle,
variable and poorly defined---and if you really lock it up, inevitably
someone will get locked out from repairing their system.
Note that ~/ encryption is actually a nice compromise: the boot/OS
environment needs integrity more than confidentiality, and maybe could
be more maintainable if left unencrypted, while the $HOME would be kept
encrypted and confidential.
If you can't rely on an uninterruptible boot, you need I18n support
early on, and there are only two possibllities: either use whatever the
platform firmware provides (I think that's what you refer when you talk
about MS OSK BIOS support), or you arrange for the OS i18n support to be
available early enough. The reality of the PC platform is that in
general we can't rely on the BIOS support.