Been down the rabbit hole lately of UEFI Secure Boot issues, and decided to write an overview of how it works out-of-the-box in the excellent Debian-based Linux Mint LMDE 6.

Have mostly been researching this stuff as I was looking to replace GRUB entirely with systemd-boot on one of my systems. Will likely write a follow-up piece documenting that journey if I think it’d be interesting to some nerds out there.

  • terminhell@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    6
    arrow-down
    2
    ·
    1 year ago

    Interesting. I guess this could be a method to allow actual full disk encryption? Unless there’s a way to have grub encrypted too?

    • Laser@feddit.de
      link
      fedilink
      arrow-up
      8
      ·
      1 year ago

      What do you mean by that? TPM and Secure boot do not manage encryption, but rather authentication and key management aspects. You still need an unencrypted UEFI partition storing your EFI binaries. This partition is always readable by an attacker, however any changes to binaries will make booting fail. Also no secrets should be stored here.