From: Andrei Borzenkov <arvidjaar@gmail.com>
To: Justin Brown <justin.brown@fandingo.org>, "B. S." <bs27975@gmail.com>
Cc: linux-btrfs <linux-btrfs@vger.kernel.org>
Subject: Re: Pointers to mirroring partitions (w/ encryption?) help?
Date: Sat, 4 Jun 2016 10:46:04 +0300
Message-ID: <5752873C.8050105@gmail.com>
In-Reply-To: <CAKZK7uyRSUBp3J=HunPbmFVzLzzH1=QghOD2_p-5+UpyMXuGGg@mail.gmail.com>

04.06.2016 04:39, Justin Brown wrote:
> Here's some thoughts:
>
>> Assume a CD sized (680MB) /boot
>
> Some distros carry patches for grub that allow booting from Btrfs,
> so no separate /boot file system is required. (Fedora does not;
> Ubuntu -- and therefore probably all Debians -- does.)
>

Which grub (or which Fedora) do you mean? btrfs support has been upstream
since 2010.

There are restrictions, in particular in RAID level support (RAID5/6 are
not implemented).

>> perhaps a 200MB (?) sized EFI partition
>
> Way bigger than necessary. It should only be 1-2MiB, and IIRC 2MiB
> might be the max UEFI allows.
>
You may want to review recent discussion on systemd regarding systemd
boot (a.k.a. gummiboot) which wants to have ESP mounted as /boot.
UEFI mandates support for FAT32 on ESP so max size should be whatever
max size FAT32 has.
...
>
>> The additional problem is most articles reference FDE (Full Disk
>> Encryption) - but that doesn't seem to be prudent. e.g. Unencrypted
>> /boot. So having problems finding concise links on the topics, -FDE
>> -"Full Disk Encryption".
>
> Yeah, when it comes to FDE, you either have to make your peace with
> trusting the manufacturer, or you can't. If you are going to boot
> your system with a traditional boot loader, an unencrypted partition
> is mandatory.

No, it is not with grub2 that supports LUKS (and geli in *BSD world). Of
course initial grub image must be written outside of encrypted area and
readable by firmware.

> That being said, we live in a world with UEFI Secure
> Boot. While your EFI partition must be unencrypted vfat, you can sign
> the kernels (or shims), and the UEFI can be configured to only boot
> signed executables, including only those signed by your own key. Some
> distros already provide this feature, including using keys probably
> already trusted by the default keystore.
>
UEFI Secure Boot is rather orthogonal to the question of disk encryption.