From: Andrei Borzenkov <arvidjaar@gmail.com>
To: Justin Brown <justin.brown@fandingo.org>, "B. S." <bs27975@gmail.com>
Cc: linux-btrfs <linux-btrfs@vger.kernel.org>
Subject: Re: Pointers to mirroring partitions (w/ encryption?) help?
Date: Sat, 4 Jun 2016 10:46:04 +0300 [thread overview]
Message-ID: <5752873C.8050105@gmail.com> (raw)
In-Reply-To: <CAKZK7uyRSUBp3J=HunPbmFVzLzzH1=QghOD2_p-5+UpyMXuGGg@mail.gmail.com>
04.06.2016 04:39, Justin Brown пишет:
> Here's some thoughts:
>
>> Assume a CD sized (680MB) /boot
>
> Some distros carry patches for grub that allow booting from Btrfs,
> so no separate /boot file system is required. (Fedora does not;
> Ubuntu -- and therefore probably all Debians -- does.)
>
Which grub (or which Fedora) do you mean? btrfs support is upstream
since 2010.
There are restrictions, in particular RAID levels support (RAID5/6 are
not implemented).
>> perhaps a 200MB (?) sized EFI partition
>
> Way bigger than necessary. It should only be 1-2MiB, and IIRC 2MiB
> might be the max UEFI allows.
>
You may want to review recent discussion on systemd regarding systemd
boot (a.k.a. gummiboot) which wants to have ESP mounted as /boot.
UEFI mandates support for FAT32 on ESP so max size should be whatever
max size FAT32 has.
...
>
>> The additional problem is most articles reference FDE (Full Disk
>> Encryption) - but that doesn't seem to be prudent. e.g. Unencrypted
>> /boot. So having problems finding concise links on the topics, -FDE
>> -"Full Disk Encryption".
>
> Yeah, when it comes to FDE, you either have to make your peace with
> trusting the manufacturer, or you can't. If you are going to boot
> your system with a traditional boot loader, an unencrypted partition
> is mandatory.
No, it is not with grub2 that supports LUKS (and geli in *BSD world). Of
course initial grub image must be written outside of encrypted area and
readable by firmware.
> That being said, we live in a world with UEFI Secure
> Boot. While your EFI parition must be unencrypted vfat, you can sign
> the kernels (or shims), and the UEFI can be configured to only boot
> signed executables, including only those signed by your own key. Some
> distros already provide this feature, including using keys probably
> already trusted by the default keystore.
>
UEFI Secure Boot is rather orthogonal to the question of disk encryption.
next prev parent reply other threads:[~2016-06-04 7:46 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-03 20:30 Pointers to mirroring partitions (w/ encryption?) help? B. S.
2016-06-04 1:39 ` Justin Brown
2016-06-04 5:33 ` B. S.
2016-06-04 7:46 ` Andrei Borzenkov [this message]
2016-06-04 17:31 ` B. S.
2016-06-04 21:14 ` Andrei Borzenkov
2016-06-04 19:05 ` Chris Murphy
2016-06-04 21:07 ` Andrei Borzenkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5752873C.8050105@gmail.com \
--to=arvidjaar@gmail.com \
--cc=bs27975@gmail.com \
--cc=justin.brown@fandingo.org \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.