this post was submitted on 13 Nov 2025
13 points (78.3% liked)
Linux
10111 readers
805 users here now
A community for everything relating to the GNU/Linux operating system (except the memes!)
Also, check out:
Original icon base courtesy of lewing@isc.tamu.edu and The GIMP
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Cause there's no user data stored on EFI, and saying "almost-full-disk-except-for-the-EFI-partition-encryption" is a bit cumbersome and, obviously, pedantic.
Sure, but unencrypted means it can be tampered with. The bootloader can be modified to write your password to disk and once you boot, submit that to a server somewhere - or worse.
That's precisely why secure boot and TPMs exist - the TPM can store the keys to decrypt the drives and won't give them unless the signed shim executable can be verified; the shim executable then checks the kernel images, options, and DKMS drivers' signatures as well. If the boot partition has been tampered with, the drive won't decrypt except by manual override.
The big problem is Microsoft controls the main secure boot certificate authority, rather than a standards body. This means that either a bad actor stealing the key or Microsoft itself could use a signed malicious binary used to exploit systems.
Still, it's at least useful against petty theft.
TPM sniffing attacks seem possible, but it looks like the kernel uses parameter and session encryption by default to mitigate that: https://docs.kernel.org/security/tpm/tpm-security.html