I have a Secure Boot setup with UKIs. Everything that is supposed to be signed is signed, and Secure Boot is enabled properly, i.e. non-signed stuff won't boot. My /boot partition is not encrypted, and this should generally be fine, except that the kernel installs vmlinuz by default in /boot, and there is nothing to check whether it's signed or not, meaning that an attacker could replace it with a malicious version and bet on a systemd update (which runs mkinitcpio); then the UKI would be infected, and signed properly.
Is the above correct? Am I missing something? If it is correct, besides keeping two separate partitions (/boot, encrypted, and /efi, unencrypted), is there another straightforward solution?
Why do you have a "/boot partition" if you're using UKIs? Just keep /boot as a directory on the / volume and mount the EFI system partition to /efi.
Legacy. I didn't have Secure Boot before. This sounds like a good idea, though; I don't know why I didn't think about it. I could just re-use my current boot partition, rename it to efi, and keep the stuff there. Thanks!
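As an added example (not from this thread or from any distribution's tooling), here is the kind of pre-build check the original post says is missing: before the UKI is assembled, the kernel image on the unencrypted partition is compared against a SHA-256 manifest kept on the encrypted root, so a swapped vmlinuz is refused instead of being wrapped into a freshly signed UKI. The manifest format (`sha256sum` output lines), the `vmlinuz-linux` name and the idea of pinning the hash at kernel-package install time are assumptions; a signature check of the kernel's own Authenticode signature would be the stronger variant where the distribution ships one.

```shell
#!/bin/sh
# Added example: refuse to build a UKI from a kernel image whose SHA-256 does not
# match a manifest stored on the encrypted root (assumed layout, not a distro tool).
# Manifest lines have the "<sha256>  <path>" shape written by sha256sum.

# verify_kernel_image KERNEL MANIFEST
# Returns 0 when KERNEL's SHA-256 matches its manifest entry, 1 otherwise.
verify_kernel_image() {
    kernel="$1"
    manifest="$2"
    [ -f "$kernel" ] || { echo "missing kernel image: $kernel" >&2; return 1; }
    # Look up the pinned digest for this exact path (two-space separator from sha256sum).
    expected=$(grep -F "  $kernel" "$manifest" | head -n 1 | cut -d' ' -f1)
    [ -n "$expected" ] || { echo "no manifest entry for $kernel" >&2; return 1; }
    actual=$(sha256sum "$kernel" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Self-contained demo on constructed files in a temporary directory:
# first an untouched image (accepted), then a tampered one (rejected).
demo() {
    tmp=$(mktemp -d)
    printf 'pretend kernel' > "$tmp/vmlinuz-linux"
    sha256sum "$tmp/vmlinuz-linux" > "$tmp/kernel.sha256"   # pinned at install time
    verify_kernel_image "$tmp/vmlinuz-linux" "$tmp/kernel.sha256" && echo "ok: image unchanged, building UKI"
    printf 'tampered' > "$tmp/vmlinuz-linux"
    verify_kernel_image "$tmp/vmlinuz-linux" "$tmp/kernel.sha256" || echo "refusing to build UKI: image changed"
    rm -rf "$tmp"
}

demo
```

In practice the check runs before the UKI build step, with the manifest written at kernel-package install time and never on the unencrypted partition itself.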