253 points by pabs3 | 1 comment
RecycledEle No.44615326
This is yet another reason why I do not encrypt.
replies(2): >>44615500 >>44615502
asmor No.44615502
Secure boot doesn't encrypt; secure boot only signs.
replies(1): >>44616173
carlhjerpe No.44616173
But it's very much a part of boot verification to unlock a TPM with your encryption keys on it.
replies(1): >>44616457
craftkiller No.44616457
You're conflating secure boot with measured/verified boot.
replies(1): >>44616505
carlhjerpe No.44616505
They don't work in tandem? I enable secureboot with sbctl (securebootctl) and enroll keys in a TPM using the same tool as far as I can remember.

Or is this just some technical detail that in practice is under the same tools and settings?

replies(2): >>44616668 >>44618672
craftkiller No.44618672
In addition to the great answer by jeroenhd, you also might have encrypted your secure boot signing keys with your TPM. This has the advantage that your signing keys can't be stolen so you know that your bootloader was signed on your specific physical machine. But this is not necessary, you can just store your signing keys on your SSD or anywhere/anyway you want.
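As an added example, not code from any commenter, here is a Python model of the measured-boot side that craftkiller separates from Secure Boot: each boot stage is hashed into a PCR with a TPM-style extend, and a disk key sealed to the expected PCR value is released only when the chain measures identically. The stage images and the key are constructed stand-ins, and the seal/unseal functions simulate a PCR policy check rather than calling a real TPM.

```python
import hashlib
import hmac

# Constructed stand-ins for the images a firmware measures on the way up.
FIRMWARE = b"constructed: platform firmware"
BOOTLOADER = b"constructed: sbctl-signed bootloader"
KERNEL = b"constructed: unified kernel image"
DISK_KEY = hashlib.sha256(b"constructed LUKS volume key").digest()  # 32 bytes

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    # TPM 2.0 extend on a SHA-256 bank: PCR <- H(PCR || H(event)).
    # One-way, so a later stage cannot undo an earlier measurement.
    return sha256(pcr + sha256(event))

def measure_chain(stages) -> bytes:
    pcr = b"\x00" * 32  # PCRs are zero after platform reset
    for stage in stages:
        pcr = pcr_extend(pcr, stage)  # measure, then (conceptually) run
    return pcr

def seal(secret: bytes, expected_pcr: bytes) -> dict:
    # Simulation of sealing to a PCR policy. A real TPM keeps the wrapping key
    # on-chip; here it is derived from the expected PCR value so the demo runs
    # without hardware. Not a real TPM API.
    assert len(secret) <= 32
    wrap = sha256(b"policy|" + expected_pcr)
    stream = sha256(b"stream|" + wrap)
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    return {"ct": ct, "tag": hmac.new(wrap, ct, hashlib.sha256).digest()}

def unseal(blob: dict, current_pcr: bytes):
    wrap = sha256(b"policy|" + current_pcr)
    tag = hmac.new(wrap, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # measurements differ from the sealing policy: no key
    stream = sha256(b"stream|" + wrap)
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))

def demo() -> dict:
    good = measure_chain([FIRMWARE, BOOTLOADER, KERNEL])
    blob = seal(DISK_KEY, good)
    tampered = measure_chain([FIRMWARE, BOOTLOADER + b" (patched)", KERNEL])
    return {"intact": unseal(blob, good) == DISK_KEY,
            "tampered_released": unseal(blob, tampered) is not None}
```

Nothing here checks a signature; that is the Secure Boot half, which sbctl handles at image-load time, while the PCR chain only records what ran.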