- cross-posted to:
- [email protected]
- [email protected]
- cross-posted to:
- [email protected]
- [email protected]
OpenSuse leading the development in regards to boot security, an area in which Linux Distros are lagging behind other operating systems.
Full Disk Encryption is designed to protect data in cases of device loss, theft or unauthorized booting into an alternative operating system. Depending on the hardware configuration of a system, Aeon’s encryption will be set up in one of two modes: Default or Fallback.
Default Mode:
This mode utilizes the Trusted Platform Module(TPM) 2.0 chipset […], Aeon Desktop measures several aspects of the system’s integrity. These including:
- UEFI Firmware
- Secure Boot state (enabled or disabled)
- Partition Table
- Boot loader and drivers
- Kernel and
initrd
(including kernel command line parameters)These measurements are stored in the system’s TPM. During startup, the current state is compared with the stored measurements. If these match, the system boots normally.
FDE has been somewhat common in linux installers for a while now. Good to see more distros using the tpm though, afaik only ubuntu currently offers that graphically.
It‘s not only about using the tpm to unlock the FDE, you should be able to do that on every distro with systemd-cryptenroll. The part that is new, is the the measuring of the systems integrity. It’s a way to ensure that the firmware has not been tampered with, the boot loader is the one that was installed and has not been replaced, that the kernel is exactly the one that comes from the distribution, that the kernel command line is the one that we expect, and that the initrd that is used does not contain any extra binary that we do not control.
I see. Thanks for clarifying