From 7429bdcdbb4fc51c61897115112468642afeecfc Mon Sep 17 00:00:00 2001 From: Francis Rowe Date: Tue, 4 Nov 2014 17:42:11 +0000 Subject: encrypted_parabola.html: Further clarification of purpose. encrypted_trisquel.html: Further clarification of purpose. --- docs/howtos/encrypted_parabola.html | 16 ++++++++++++++-- docs/howtos/encrypted_trisquel.html | 16 ++++++++++++++-- 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/docs/howtos/encrypted_parabola.html b/docs/howtos/encrypted_parabola.html index c7a92105..3a1a75d1 100644 --- a/docs/howtos/encrypted_parabola.html +++ b/docs/howtos/encrypted_parabola.html @@ -26,8 +26,20 @@

- Because GRUB is installed directly as a payload of libreboot (or coreboot), you don't need an unencrypted /boot partition - when setting up an encrypted system. This means that your machine can really secure data while powered off. + Libreboot uses the GRUB payload + by default, which means that the GRUB configuration file + (where your GRUB menu comes from) is stored directly alongside libreboot + and it's GRUB payload executable, inside + the flash chip. In context, this means that installing distributions and managing them + is handled slightly differently compared to traditional BIOS systems. +

+ +

+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted. + This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware + can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a + payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical + access to the machine.

diff --git a/docs/howtos/encrypted_trisquel.html b/docs/howtos/encrypted_trisquel.html index 0c6696ec..7599e02f 100644 --- a/docs/howtos/encrypted_trisquel.html +++ b/docs/howtos/encrypted_trisquel.html @@ -26,8 +26,20 @@

- Because GRUB is installed directly as a payload of libreboot (or coreboot), you don't need an unencrypted /boot partition - when setting up an encrypted system. This means that your machine can really secure data while powered off. + Libreboot uses the GRUB payload + by default, which means that the GRUB configuration file + (where your GRUB menu comes from) is stored directly alongside libreboot + and it's GRUB payload executable, inside + the flash chip. In context, this means that installing distributions and managing them + is handled slightly differently compared to traditional BIOS systems. +

+ +

+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted. + This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware + can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a + payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical + access to the machine.

-- cgit v1.2.3-70-g09d2
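Review bot: In the docs/howtos/encrypted_parabola.html hunk, the last added sentence, "This protects /boot from tampering by someone with physical access to the machine", claims more than the paragraph added just above it supports. That paragraph says GRUB and its configuration file are stored in the flash chip, so the code that unlocks the LUKS volume is itself unencrypted and sits in flash rather than on disk. Suggest rewording to say that encrypting /boot removes the unencrypted kernel and GRUB files from the disk, and adding a sentence (or a link to the relevant page) on how the flash chip contents are protected against someone with the same physical access.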
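Review bot: In the docs/howtos/encrypted_trisquel.html hunk, the added line "and it's GRUB payload executable, inside" should read "its" (possessive); the identical line in the encrypted_parabola.html hunk has the same typo. Both files receive the same two paragraphs word for word, so consider keeping this explanation in one shared page and linking to it from each howto, which avoids the two copies drifting apart on later edits.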