If /boot is encrypted, the initrd should not be accessible to be replaced/tampered with. If Secure Boot is enabled, then grubx64.efi/shimx64.efi will fail if replaced/tampered with.
If the pass-string has sufficient degrees of freedom, a 'weak' key derivation function is not relevant.
Like others, I think OPSEC failure is more likely than technical failure. Good OPSEC is difficult.
Power management, mobile and firmware developer on Linux. Security developer at nvidia. Ex-biologist. Content here should not be interpreted as the opinion of my employer. Also on Mastodon and Bluesky.
Re: Initrd
Date: 2023-04-19 08:31 am (UTC)