On Monday, July 6, 2020 5:24:32 AM MST Gerd Hoffmann wrote:
Default fedora disk layout in UEFI mode is partitions for ESP, /boot and LVM. If you ask for full disk encryption LVM is encrypted, ESP + boot are not. Which makes sense to me. Why would you encrypt /boot? The files you can find there are public anyway, you can download them from the fedora servers. Encrypting /boot would make the boot process more fragile for no benefit.
I guess that shows how unfamiliar I am with UEFI boot Fedora. You would encrypt /boot to ensure that your boot images have not been tampered with, or config files haven't been read by somebody other than the end user.
sd-boot still wouldn't work out-of-the-box though, due to /boot being xfs not vfat and firmware typically not shipping with xfs drivers.
If I'm not mistaken, XFS is the default used on RHEL, but ext4 is still used for /boot in Fedora, by default.
We could that by using vfat for /boot. Or by shipping & using xfs.efi, simliar to how apple ships & uses apfs.efi to boot macOS from apfs filesystems.
Is there a notable benefit to using that over GRUB2, which already has support on both UEFI and BIOS?