
A long list of GRUB2 secure-boot holes - eplanit
https://lwn.net/Articles/827403/
======
MayeulC
Well, another way to bypass secureboot on old/not updated devices, I guess.

Tangentially, how can I secure my initramfs against an evil maid attack? My
kernel is signed by secureboot, and my rootfs is encrypted, but the initramfs
is neither... I haven't really seen that documented anywhere.

Ideally, I'd just sign it with the same key as the kernel, and the kernel
would check it matches.

------
dang
Related thread on the front page:
[https://news.ycombinator.com/item?id=23990075](https://news.ycombinator.com/item?id=23990075)

------
rwbhn
Basically dupe of
[https://news.ycombinator.com/item?id=23990075](https://news.ycombinator.com/item?id=23990075)

