summaryrefslogtreecommitdiffstats
path: root/docs/howtos/encrypted_parabola.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/howtos/encrypted_parabola.html')
-rw-r--r--docs/howtos/encrypted_parabola.html16
1 files changed, 14 insertions, 2 deletions
diff --git a/docs/howtos/encrypted_parabola.html b/docs/howtos/encrypted_parabola.html
index c7a9210..3a1a75d 100644
--- a/docs/howtos/encrypted_parabola.html
+++ b/docs/howtos/encrypted_parabola.html
@@ -26,8 +26,20 @@
</header>
<p>
- Because GRUB is installed directly as a payload of libreboot (or coreboot), you don't need an unencrypted /boot partition
- when setting up an encrypted system. This means that your machine can really secure data while powered off.
+ Libreboot uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a>
+ by default, which means that the GRUB configuration file
+ (where your GRUB menu comes from) is stored directly alongside libreboot
+ and it's GRUB payload executable, inside
+ the flash chip. In context, this means that installing distributions and managing them
+ is handled slightly differently compared to traditional BIOS systems.
+ </p>
+
+ <p>
+ On most systems, the /boot partition has to be left unencrypted while the others are encrypted.
+ This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware
+ can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a
+ payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical
+ access to the machine.
</p>
<p>
generated by cgit v0.9.1 at 2024-11-01 07:20:00 (EDT)