Re: GRUB and boot partition

[Pascal Hambourg <pascal@plouf.fr.eu.org>]

Le 26/12/2017 à 12:24, tomas@tuxteam.de a écrit :
> On Tue, Dec 26, 2017 at 12:10:52PM +0100, Pascal Hambourg wrote:
> > Le 26/12/2017 à 11:36, tomas@tuxteam.de a écrit :
> > > Is there any inherent advantage to having /boot encrypted?
> >
> > I can imagine a few situations.
> >
> > - When you can enforce the early stage of GRUB integrity by storing
> > it on removable or read-only boot media, checking it with trusted
> > computing, TPM...
> > You could extend this to the whole /boot directory contents instead
> > of encrypting it but parts of it such as the kernel image, initramfs
> > and grub.cfg change quite often, while GRUB itself seldom changes.
> > An alternative to /boot encryption is to sign its contents so that
> > GRUB early stage can check the files when loading them.
> >
> > - When you need to store sensitive data in /boot, such as
> > passphrases for other encrypted volumes.
>
> In the days you measure (small) external media in gigabytes, this
> argument has lost a lot of push.

What does storage size have to do with these situations ?

> But yes, on some specialized hardware that might make a difference.
> FWIW, /boot/grub is 9.1M (yikes! didn't I say I don't like how fat
> the boot loader has become?

You can remove all the unneeded modules for features that you do not use.