Ubuntu wants to strip some of GRUB's features in 26.10 for security purposes

https://discourse.ubuntu.com/t/streamlining-secure-boot-for-26-10/79069

Streamlining secure boot for 26.10

Ubuntu systems support secure boot using grub. grub contains a lot of parsers for file systems and other things which are a constant source of security issues. In 26.10, we’d like to propose removing the following features from signed GRUB builds:

Filesystems:
- Remove btrfs, hfsplus, xfs, zfs
- Retain ext4, fat, iso9660 (and squashfs for snaps)

Image formats:
- Remove jpeg, png
- Retain none

We do not use images, but using that in your grub.cfg locally is a massive security risk (if even still al...

Ubuntu Community Hub

Regarding dropping support for a LUKS encrypted /boot, one of the comments chimes in with “[but] full disk encryption is mandatory in many environments in Europe for security conformity”.

Surely some user editable data has to be stored in plaintext to be able to boot a system? Does grub.cfg need to be signed by the trust chain to be able to boot?

When I hear full disk encryption, I think of what I'm using: Using the encryption feature of the disk with a password / keyphrase prompt built into the system firmware (UEFI). It is 100% transparent to any software.

The only major downside is that you need to trust the hardware manufacturer (and their FIPS certification), which is fine for my purposes, but might not be fine for state secrets or extremely valuable trade secrets.