All removing /boot prior to decrypting other partition(s) #2446
Labels
C: core
help wanted
This issue will probably not get done in a timely fashion without help from community contributors.
P: default
Priority: default. Default priority for new issues, to be replaced given sufficient information.
T: enhancement
Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Comments
|
See #885 - it's a precondition to what you want... |
andrewdavidwong
changed the title
andrewdavidwong
added
C: core
T: enhancement
andrewdavidwong
added
the
P: default
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Qubes OS version (e.g.,
R3.1):3.2
Expected behavior:
I want to be able to yank my rewriteable boot device prior to decryption, so that if dom0 is compromised it cannot change the boot partition, which I share with other systems.
Actual behavior:
/boot is automatically mounted and fsck'd on boot, so yanking the boot device results in a failed boot.
Steps to reproduce the behavior:
Install Qubes with /boot on a removable device.
Begin booting with the device. As soon as the initramfs image is loaded (or, altenately, prior to entering a decryption passphrase), remove the device. Then continue booting.
The boot fails because the OS cannot mount the removable device.
General notes:
This is fixed by adding the 'noauto' flag to /boot in /etc/fstab .
The text was updated successfully, but these errors were encountered: