Sure, but unencrypted means it can be tampered with. The bootloader can be modified to write your password to disk and once you boot, submit that to a server somewhere - or worse.
That’s precisely why secure boot and TPMs exist - the TPM can store the keys to decrypt the drives and won’t give them unless the signed shim executable can be verified; the shim executable then checks the kernel images, options, and DKMS drivers’ signatures as well. If the boot partition has been tampered with, the drive won’t decrypt except by manual override.
The big problem is Microsoft controls the main secure boot certificate authority, rather than a standards body. This means that either a bad actor stealing the key or Microsoft itself could use a signed malicious binary used to exploit systems.
There’s also PXE boot, secure boot, carrying around a live image on a flash drive, etc.
But any attacker advanced enough to tamper with your EFI partition in an evil-maid scenario has plenty of other options to log and steal your encryption passphrase, so it’s generally a moot point.
Absolutely not — the skill level needed to tamper with a bashrc, pull credentials + keys, or generally hunt for sensitive info on an unencrypted disk is worlds apart from the skill level needed to modify an EFI binary.
Sure, but unencrypted means it can be tampered with. The bootloader can be modified to write your password to disk and once you boot, submit that to a server somewhere - or worse.
That’s precisely why secure boot and TPMs exist - the TPM can store the keys to decrypt the drives and won’t give them unless the signed shim executable can be verified; the shim executable then checks the kernel images, options, and DKMS drivers’ signatures as well. If the boot partition has been tampered with, the drive won’t decrypt except by manual override.
The big problem is Microsoft controls the main secure boot certificate authority, rather than a standards body. This means that either a bad actor stealing the key or Microsoft itself could use a signed malicious binary used to exploit systems.
Still, it’s at least useful against petty theft.
TPM sniffing attacks seem possible, but it looks like the kernel uses parameter and session encryption by default to mitigate that: https://docs.kernel.org/security/tpm/tpm-security.html
There’s also PXE boot, secure boot, carrying around a live image on a flash drive, etc.
But any attacker advanced enough to tamper with your EFI partition in an evil-maid scenario has plenty of other options to log and steal your encryption passphrase, so it’s generally a moot point.
With that logic there’s no need to even encrypt your partitions 🤷
Absolutely not — the skill level needed to tamper with a bashrc, pull credentials + keys, or generally hunt for sensitive info on an unencrypted disk is worlds apart from the skill level needed to modify an EFI binary.
security isn’t real, just increasing deterrence for attackers.
if you can access something, they can access it, it’s just a matter of effort needed to get there.
wait wait. the concern here is the unencrypted partition rather than the password to the encrypted disk being known???