undefined | Better HN

0 pointsheavyset_go11mo ago0 comments

Unless your BIOS/UEFI supports full disk encryption unlocking of hardware-encrypted Opal drives, you will always have an unencrypted bootstrap process at early boot from the disk.

That unencrypted bootstrap process can be modified by anyone with access to the disk, physical or remote. Theoretically, someone can inject a keylogger into the process and exfiltrate your encryption key's password, or a process that waits until you're decrypted and exfiltrates your data. It's also a potential vector for ransomware, root/boot kits, etc.

0 comments

fsflover11mo ago

https://news.ycombinator.com/item?id=44246281

JCattheATM11mo ago

What you've described in that comment is just kind of reinventing the wheel. You're solving the same problem a different way, in a way that has slightly more complexity than just using UEFI and secureboot.

fsflover11mo ago

The main difference is that the user owns the root of trust and doesn't have to blindly trust a (buggy) proprietary software from a commercial company. Also, the community review.

JCattheATM11mo ago

You could still have that with UEFI though.

1 more reply

heavyset_goOP11mo ago

Ah, I thought you were replying to the full quote

j / k navigate · click thread line to collapse

0 comments

fsflover11mo ago

https://news.ycombinator.com/item?id=44246281

JCattheATM11mo ago

fsflover11mo ago

The main difference is that the user owns the root of trust and doesn't have to blindly trust a (buggy) proprietary software from a commercial company. Also, the community review.

JCattheATM11mo ago

You could still have that with UEFI though.

1 more reply

heavyset_goOP11mo ago

Ah, I thought you were replying to the full quote

j / k navigate · click thread line to collapse