noauto option ignored in /etc/fstab?

Josef Wolf jw at raven.inka.de
Wed Dec 6 18:42:31 UTC 2017


On Wed, Dec 06, 2017 at 03:20:17PM +0100, Xen wrote:
> On Wed, 6 Dec 2017, Josef Wolf wrote:
> >I thought grub is mandatory? How do you boot without grub? The days of lilo
> >are gone...
> 
> I don't know why you are ignoring me, your unattended-upgrades.service pulls
> in boot.mount, if your system is the same as mine (16.04).

I am not ignoring you. In fact, I have actually replied to one of your mails.

I don't see why unattended-upgrades needs /boot to be mounted ALL THE TIME. It
needs /boot to be mounted DURING THE UPGRADE. And in my reply to your mail I
have shown how this can be achieved.

> >My use-case is a completely encrypted laptop. Since /boot can't be encrypted,
> 
> You can have encrypted boot just fine.
> 
> [ ... long description ... ]

While this gives you an encrypted /boot, it won't buy you anything above an
unencrypted /boot. An attacker would simply modify grub to store the key
somewhere unencrypted. To prevent the attack, you have to make sure that you
never execute something that might have been manipulated. With encrypted
/boot, you have still to check grub.

Encrypting root and everything else except /boot is supported out of the
box. Getting encrypted /boot adds a lot of additional complexity to the
install process. And it buys you nothing, since you still have to check that
the (unencrypted) grub is not modified.


-- 
Josef Wolf
jw at raven.inka.de



More information about the ubuntu-users mailing list