Re: Unlock LUKS with login/password
Encryption per se does not protect against modification, I am aware of
that. That is even more true for disk encryption where the encrypted
data block has to fit into the physical disk block, so there is no room
for a MAC or signature. However, in combination with a filesystem like
btrfs which checksums everything, it is providing some protection, even
though it was not designed for that purpose.
Apart from the fact that UEFI Secure Boot is an overly complex monster
which is basically broken by design, my understanding of it is also
that it does not protect configs, initramfs etc. in /boot. It only
protects the kernel image and loaded modules.
In addition, files in /boot like the initrd are generated individually
and may contain files not limited to what someone puts into /boot
intentionally. In contrast to /boot/efi, /boot does not only contain
static files delivered by the distribution.