this post was submitted on 13 Nov 2025
13 points (78.3% liked)

Linux

10111 readers
914 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
13
Why call it full-disk encryption when the EFI partition has to be unencrypted? (programming.dev)
submitted 2 days ago by onlinepersona@programming.dev to c/linux@programming.dev
39 comments fedilink hide all child comments
 

Sounds like a misnomer to me.

you are viewing a single comment's thread
view the rest of the comments
[–] onlinepersona@programming.dev 0 points 2 days ago (2 children)

Why not have the BIOS decrypt the disk then continue the boot process as normal?

[–] TwilightKiddy@programming.dev 11 points 2 days ago (1 children)

Mainly because then the manufacturer decides on how your stuff is encrypted, no likie.

[–] LiveLM@lemmy.zip 3 points 1 day ago* (last edited 1 day ago)

What do you mean?? Our Motherboards come equipped with the latest and greatest Military Grade™ MD5 RealGood™ Encryption Technology.
What do you mean it's not longer considered secure????? Fake news, we'd never lie to you.

[–] Ooops@feddit.org 2 points 1 day ago* (last edited 1 day ago) (1 children)

You are just moving things. When you change your EFI partition from being unencrypted and asking for your password to the BIOS asking for your password (or other credentials) you just shift the attack surface.

Somewhere there has to be an unencrypted part to start with.

Lock your unencrypted ESP down with secure boot and your own keys (shitty as it is that is in fact the one conceptional usecase of secure boot, not that stupid marketing bullshit MS is doing with getting vendors to pre-install Microsoft keys) to prevent tampering and you are good to go.

[–] TwilightKiddy@programming.dev 1 points 1 day ago (1 children)

If you do this, be sure to make an image of your EFI partition and/or keys and keep it somewhere safe along with whatever is needed to restore the partition. Because if something tempers with it, your computer will stop booting because sighed hashes no longer match the ones calculated and you'll be locked out of your own system without some sort of way to restore the partition to a safe state.

@onlinepersona@programming.dev

[–] Ooops@feddit.org 2 points 1 day ago* (last edited 1 day ago)

Yes, preventing the boot process when something tempers with the files is the whole point of secure boot.

And beside the backups you should always have (remember: no backup, no pity for you...) the keys to sign your EFI files with are on the encrypted disk so the running system can get updated. So deactivating secure boot again, unlocking your encrypted disk from some live boot stick and fixing it is always an option (as is having a live system at hand signed by the same keys if you want to...).