this post was submitted on 12 Jul 2024
32 points (100.0% liked)

Linux

8063 readers
60 users here now

Welcome to c/linux!

Welcome to our thriving Linux community! Whether you're a seasoned Linux enthusiast or just starting your journey, we're excited to have you here. Explore, learn, and collaborate with like-minded individuals who share a passion for open-source software and the endless possibilities it offers. Together, let's dive into the world of Linux and embrace the power of freedom, customization, and innovation. Enjoy your stay and feel free to join the vibrant discussions that await you!

Rules:

  1. Stay on topic: Posts and discussions should be related to Linux, open source software, and related technologies.

  2. Be respectful: Treat fellow community members with respect and courtesy.

  3. Quality over quantity: Share informative and thought-provoking content.

  4. No spam or self-promotion: Avoid excessive self-promotion or spamming.

  5. No NSFW adult content

  6. Follow general lemmy guidelines.

founded 1 year ago
MODERATORS
 

OpenSuse leading the development in regards to boot security, an area in which Linux Distros are lagging behind other operating systems.

Full Disk Encryption is designed to protect data in cases of device loss, theft or unauthorized booting into an alternative operating system. Depending on the hardware configuration of a system, Aeon’s encryption will be set up in one of two modes: Default or Fallback.

Default Mode:

This mode utilizes the Trusted Platform Module(TPM) 2.0 chipset […], Aeon Desktop measures several aspects of the system’s integrity. These including:

  • UEFI Firmware
  • Secure Boot state (enabled or disabled)
  • Partition Table
  • Boot loader and drivers
  • Kernel and initrd (including kernel command line parameters)

These measurements are stored in the system’s TPM. During startup, the current state is compared with the stored measurements. If these match, the system boots normally.

top 4 comments
sorted by: hot top controversial new old
[–] ichbinjasokreativ@lemmy.world 5 points 4 months ago (1 children)

FDE has been somewhat common in linux installers for a while now. Good to see more distros using the tpm though, afaik only ubuntu currently offers that graphically.

[–] unskilled5117@feddit.org 11 points 4 months ago* (last edited 4 months ago) (1 children)

It‘s not only about using the tpm to unlock the FDE, you should be able to do that on every distro with systemd-cryptenroll. The part that is new, is the the measuring of the systems integrity. It’s a way to ensure that the firmware has not been tampered with, the boot loader is the one that was installed and has not been replaced, that the kernel is exactly the one that comes from the distribution, that the kernel command line is the one that we expect, and that the initrd that is used does not contain any extra binary that we do not control.

[–] ichbinjasokreativ@lemmy.world 2 points 3 months ago

I see. Thanks for clarifying

[–] bsergay@discuss.online 1 points 3 months ago

Is this different from UKI? If so, how? Thanks in advance!