On Tuesday, July 7, 2020 3:17:16 AM MST Gerd Hoffmann wrote:
> On Mon, Jul 06, 2020 at 01:26:31PM -0700, John M. Harris Jr wrote:
> > On Monday, July 6, 2020 5:24:32 AM MST Gerd Hoffmann wrote:
> > > Default Fedora disk layout in UEFI mode is partitions for ESP, /boot and LVM. If you ask for full disk encryption LVM is encrypted, ESP + boot are not. Which makes sense to me. Why would you encrypt /boot? The files you can find there are public anyway, you can download them from the Fedora servers. Encrypting /boot would make the boot process more fragile for no benefit.
> >
> > I guess that shows how unfamiliar I am with UEFI boot Fedora. You would encrypt /boot to ensure that your boot images have not been tampered with,
>
> Well, if that is your concern the answer is secure boot. That will not only prevent tampering with /boot files, but also prevent tampering with the bootloader itself.

No, Secure Boot doesn't solve that problem. Secure Boot, in Fedora anyway, needlessly disables a lot of kernel functionality, which makes it completely unusable. You cannot load kernel modules you've built, hibernate your system, etc. Additionally, Secure Boot does not prevent tampering with /boot files. You can still change grub.cfg as you like.

> > or config files haven't been read by somebody other than the end user.
>
> Hmm, typically that is pretty standard stuff and very similar on all Fedora installs. Only the root filesystem uuid differs, and possibly local tweaks like configuring a serial console. I can't see how reading that is of much concern.

There's no reason to allow these files to be read to begin with, if the system is going to be encrypted.