Feature request: warn about writing UKIs to the EFI partition on FDE setups #367
Comments
|
This is a secure boot tool, encrypting |
Huh? Simply running
I mean, even a very rough detection logic like mount | grep luks && echo "be careful"would be a start to not annoy users without encryption and warn all those that use luks in some way. But sure, saying "too complicated, write docs" is fine too.
I'm not sure how you can say that. This is a pitfall that I believe is very easy to fall into and needs nieche detail knowledge to learn about. I'm sure there are a bunch of setups out there that unknowingly compromise their FDE by having a UKI on the EFI partition. |
Ok, which distros? They should not be doing that as it's extremely poor practice. I fail to believe it applies to "some common distros", beyond misguided decisions from Manjaro.
You are asking
No. This doesn't provide any value and would be meaningless on most installs.
No, this is a system installation thing for a couple of poorly thought out distro setups and maybe an installer (or a bad instruction on some wiki). This isn't a common issue |
|
and again, encrypting |
This is not a question of distro, poor practice or "misguided decisions". AFAIK there is no standard for passing encryption passwords between boot stages, so the only way to avoid double password is to include a key in the initramfs (or have the key on some external medium). Setups that are affected include for example every setup following the Arch wiki: https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Unlocking_the_root_partition_at_boot
I agree that embedding the key in the initramfs is ugly and I wish there was a better way, but I don't think there is, so I don't see how this is a distro or wiki issue.
This is true, but what do you expect? Just because I have secure boot set up now, should I go out of my way to remove the encryption on my |
|
Also from a quick search: at least EndeavourOS and openSUSE also encrypt |
|
This discussion has been inspiring :) I have removed the keyfile from my initramfs and now boot the UKI directly without taking the extra step via some bootloader. This feels great and is probably the cleanest boot setup I've ever had ^^ Thank you again for this tool. I still think this is a pitfall that should be warned about in the context of UKIs. But maybe this is more of a documentation task than detection after all. What do you think about a warning in the UKI section of the README that says something like
|
and others
This might be a bit of a far-fetched feature request, especially given that the UKI support is considered secondary to this tool, but I'd still like to put it out there and hear your thoughts ^^
When generating a UKI, it might be tempting to put it on the EFI partition, next to the other EFI executables (this is also done in the README example). Doing that, however, can be a major security issue on setups with FDE and encrypted
/boot(such as Manjaro by default):Setups with encrypted
/bootusually include a copy of an FDE key in the initramfs, otherwise you'd have to type in your FDE password twice during boot (once for the bootloader to decrypt/bootand once for the kernel to decrypt the drive). The initramfs can safely contain a plain copy of the FDE key since it itself resides on the encrypted/boot. When generating a UKI, the initramfs is bundled, including the plain FDE key. Thus, placing the UKI on the EFI partition effectively means copying an unprotected key for your full-disk-encryption to an unencrypted partition, compromising the whole FDE setup.My suggestion: on setups with encrypted
/boot, warn about writing UKIs to the EFI partition (and maybe suggest putting them under/bootnext to the initramfs and vmlinuz files etc. instead).The text was updated successfully, but these errors were encountered: