aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFrancis Rowe <info@gluglug.org.uk>2015-05-20 10:25:31 +0100
committerFrancis Rowe <info@gluglug.org.uk>2015-05-20 10:25:31 +0100
commita2616e852ba1d861209f66ce4afc8728117a1acd (patch)
tree6145cf511482c49c8256c86208f15e521831ea2e
parentc8ecf72a8b46f1367a8165d7066b7f39cd44d71f (diff)
downloadlibrebootfr-a2616e852ba1d861209f66ce4afc8728117a1acd.tar.gz
librebootfr-a2616e852ba1d861209f66ce4afc8728117a1acd.zip
docs/gnulinux/encrypted_*.html: Remove notes about --unrestricted
These instructions were dangerous. I was provided with them by a user who found them, and I thought that it would be safe to allow access to boot the HDD so long as the OS was encrypted. However, this is not the point. With that option unrestricted, anyone with physical access could replace the HDD with another LUKS-encrypted one with the same set up (just a different system, different key, different passphrase, etc) and now they are able to run their own code on that laptop. This *is* dangerous. There is a lot that an attacker can do to the laptop if they are able to boot an OS on it! Basically, Francis Rowe was being foolish to add these instructions. Now he's wised up a bit.
-rw-r--r--docs/gnulinux/encrypted_parabola.html6
-rw-r--r--docs/gnulinux/encrypted_trisquel.html6
2 files changed, 0 insertions, 12 deletions
diff --git a/docs/gnulinux/encrypted_parabola.html b/docs/gnulinux/encrypted_parabola.html
index e61f6588..09e16d78 100644
--- a/docs/gnulinux/encrypted_parabola.html
+++ b/docs/gnulinux/encrypted_parabola.html
@@ -520,12 +520,6 @@
<pre><b><i>set superusers=&quot;root&quot;
password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
</i></b></pre>
-
- <p>
- You can change the menuentry to say this:<br/>
- menuentry 'Load Operating System' --unrestricted<br/>
- This will allow booting that menuentry without a password, but not allow changing it (according to a user report).
- </p>
<p>
Note that the above entry specifies user 'root'; this is just a username for GRUB. You don't even need to use root.
diff --git a/docs/gnulinux/encrypted_trisquel.html b/docs/gnulinux/encrypted_trisquel.html
index 0b7864e7..32eeaff7 100644
--- a/docs/gnulinux/encrypted_trisquel.html
+++ b/docs/gnulinux/encrypted_trisquel.html
@@ -310,12 +310,6 @@
</p>
<p>
- You can change the menuentry to say this:<br/>
- menuentry 'Load Operating System' --unrestricted<br/>
- This will allow booting that menuentry without a password, but not allow changing it (according to a user report).
- </p>
-
- <p>
After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM
using <a href="../install/index.html#flashrom">this tutorial</a>.
</p>