Hacker News new | ask | show | jobs
by npteljes 378 days ago
I believe not. Even with full disk encryption, you need an unencrypted bootloader after uefi to decrypt the disk.

https://security.stackexchange.com/questions/267222/full-dis...

So, there are two scenarios here.

First, PC with FDE + normal boot gets stolen. The attacker cannot get the data without the password, so it's safe.

Second, unattended FDE + normal boot PC gets tampered with. Attacker manipulates the bootloader. Unsuspecting user later boots the tampered PC, unlocks the FDE, gets owned.
1 comments
fsflover 378 days ago
The second case requires a professional, dedicated attacker. I use TPM with Heads and a hardware key to protect myself against it. It will notify me if the boot partition or BIOS are tampered with.

As an advantage, all relevant code running on my computer is FLOSS and auditable, unlike the Secure Boot and UEFI.

link
npteljes 378 days ago
That's a cool setup! I didn't know about Heads.

And yes, getting back to the original topic, I believe that against petty criminals, even a full disk encryption is plenty defense. They won't go about installing anything to the EFI partition just to get to the data.

This Coreboot + Heads setup I'd trust to protect against even the more involved.

link