There are improvements that could be made over and above the out-of-the-box security of most Linux distros:
Default to an encrypted root install
Support an encrypted boot partition
Make Secure Boot easier to understand and manage
Support smartcard and TPM setup during install
Make smartcard and TPM use easier to understand and manage after install
Regardless of what other users and Linux distros are doing, what can I practically do to increase security for myself?
Encrypt the root drive
Use very strong passwords
Use a TPM and smartcards instead of passwords for login and admin work
Keep strong passwords as a backup for access
Use Secure Boot with a custom Unified Kernel Image (UKI)
Because the firmware has to read the bootloader and kernel from disk before any operating system chosen and installed by the end user is running, it is hard to protect everything with encryption. Specialized hardware makes this viable, but the setup is complicated and risky. The general model has been to leave the boot partition (and the EFI system partition it depends on) unencrypted so that the standard UEFI boot process can read it.
If the boot partition and the EFI partition are unencrypted, an attacker with physical access can modify them. The goal of Secure Boot is to protect the user by having the firmware verify the signature of each boot component (bootloader, then kernel) against enrolled keys before executing it, and refuse anything unsigned or altered.
This is a great idea, but it gets really complicated and difficult to understand for non-technical end users. (I'm a very technical end user and I still don't understand the relationship between MOKs and shims and everything else.) For reference: shim is the small Microsoft-signed first-stage loader that most distros ship so that stock firmware will run it; shim then verifies the next stage (GRUB or the kernel) against the distro key built into it, or against Machine Owner Keys (MOKs) that the user enrolls through MokManager, which is how a locally built kernel or module can be trusted without turning Secure Boot off.
Ideally, all data on the system would be protected from modification by an attacker. Encrypting the boot partition would go a long way toward that, but only if an attacker with physical access cannot obtain the decryption key, and since the boot process itself needs that key it is challenging to achieve both. Strictly speaking, encryption alone only hides the contents: without the key an attacker can still corrupt or splice ciphertext blocks, just not in a controlled way, so for the integrity part verification (signatures checked by Secure Boot, or measurement into a TPM) is the better fit.
GRUB can unlock a LUKS-encrypted /boot itself (its cryptodisk support, GRUB_ENABLE_CRYPTODISK=y). It might make sense to expand this, but if the attacker has access to the EFI partition the boot process may still be modified, because the GRUB EFI binary that prompts for the passphrase lives there unencrypted and can be replaced with one that records it. This approach has to be paired with something like Secure Boot to be effective.
Given that most computers (maybe all new ones) have a TPM, the Linux community should offer users the use of it during install. When the TPM was introduced there was great concern that Microsoft would leverage it to prevent installing non-MS systems on PCs and servers. The mitigation for this concern has mostly been to turn off the security features on Windows PCs and ignore the TPM during Linux installs. There is no easy solution for secure booting of non-MS systems, but we can continue to increase security via use of the technology.
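The way a TPM resolves the "the boot process needs the key, but the key must not be available to a tampered boot process" problem is measured boot: the firmware extends a hash of every boot component it runs into a Platform Configuration Register (PCR), and the disk key is sealed to the expected PCR values, so the chip only releases it when the measured chain matches. The following is an added example written for this page, not code from any distro or tool; it simulates a TPM in plain Python (the storage root secret is an in-process value, which a real chip never exposes) so the logic can be run offline. The UKI contents, the choice of PCR 4 for the boot chain, and the names SimulatedTPM, provision and try_unlock are this example's own; on a real system the equivalent enrollment is systemd-cryptenroll with --tpm2-pcrs.

```python
"""Simulated measured boot: seal a disk key to PCR state so that an evil-maid
edit to the boot chain changes the measurement and the key is not released."""
import hashlib
import hmac
import secrets

DIGEST_LEN = 32
ZERO_PCR = b"\x00" * DIGEST_LEN
BOOT_PCR = 4  # TCG PC Client: PCR 4 holds measurements of EFI boot code


class SimulatedTPM:
    """Toy model of the TPM 2.0 behaviour a measured-boot design relies on:
    PCR extend, a PCR-bound policy, and seal/unseal under a root secret.
    Assumption: everything is in-process Python; it demonstrates logic only."""

    def __init__(self, num_pcrs: int = 24):
        self._srk = secrets.token_bytes(DIGEST_LEN)  # storage root secret
        self.pcrs = [ZERO_PCR] * num_pcrs

    def reset(self) -> None:
        """Power cycle: PCRs return to zero, the root secret survives."""
        self.pcrs = [ZERO_PCR] * len(self.pcrs)

    def pcr_extend(self, index: int, data: bytes) -> bytes:
        """TPM2_PCR_Extend: PCR_new = SHA256(PCR_old || SHA256(data)).
        A PCR can only be extended, never written, so its final value
        depends on every measurement and on their order."""
        digest = hashlib.sha256(data).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def policy_digest(self, indices) -> bytes:
        """Digest over the selected PCRs, standing in for TPM2_PolicyPCR."""
        h = hashlib.sha256()
        for i in sorted(indices):
            h.update(bytes([i]) + self.pcrs[i])
        return h.digest()

    def _derive(self, label: bytes, policy: bytes) -> bytes:
        # Keys bound to this chip's root secret and to the sealed policy.
        return hmac.new(self._srk, label + policy, hashlib.sha256).digest()

    def seal(self, secret: bytes, indices) -> dict:
        """Bind `secret` to the current values of the selected PCRs."""
        if len(secret) > DIGEST_LEN:
            raise ValueError("toy sealer handles at most 32-byte secrets")
        policy = self.policy_digest(indices)
        stream = self._derive(b"enc|", policy)
        ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(self._derive(b"mac|", policy), ciphertext,
                       hashlib.sha256).digest()
        return {"policy": policy, "pcrs": sorted(indices),
                "ciphertext": ciphertext, "tag": tag}

    def unseal(self, blob: dict) -> bytes:
        """Release the secret only if the PCRs now match the sealed policy."""
        if not hmac.compare_digest(self.policy_digest(blob["pcrs"]),
                                   blob["policy"]):
            raise PermissionError("PCR policy mismatch: boot chain differs")
        expected = hmac.new(self._derive(b"mac|", blob["policy"]),
                            blob["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise PermissionError("blob not sealed by this TPM, or tampered")
        stream = self._derive(b"enc|", blob["policy"])
        return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


# Constructed sample boot components (real firmware measures the actual
# EFI binaries it executes, e.g. the signed UKI, into PCR 4).
GOOD_UKI = b"constructed UKI: vmlinuz + initrd + cmdline root=/dev/mapper/root"
TAMPERED_UKI = GOOD_UKI + b" init=/evil/keylogger"  # evil-maid modification


def measured_boot(tpm: SimulatedTPM, efi_binaries) -> None:
    """Firmware side: power on, then extend PCR 4 with each binary it runs."""
    tpm.reset()
    for binary in efi_binaries:
        tpm.pcr_extend(BOOT_PCR, binary)


def provision(tpm: SimulatedTPM, disk_key: bytes) -> dict:
    """Enrollment: boot the trusted chain once, seal the LUKS key to PCR 4."""
    measured_boot(tpm, [GOOD_UKI])
    return tpm.seal(disk_key, [BOOT_PCR])


def try_unlock(tpm: SimulatedTPM, blob: dict, efi_binaries):
    """Boot the given chain and ask the TPM for the key; None means refused."""
    measured_boot(tpm, efi_binaries)
    try:
        return tpm.unseal(blob)
    except PermissionError:
        return None


if __name__ == "__main__":
    tpm = SimulatedTPM()
    key = secrets.token_bytes(32)
    blob = provision(tpm, key)
    print("trusted chain unlocks:", try_unlock(tpm, blob, [GOOD_UKI]) == key)
    print("tampered chain unlocks:", try_unlock(tpm, blob, [TAMPERED_UKI]) is not None)
    print("extra stage unlocks:", try_unlock(tpm, blob, [GOOD_UKI, TAMPERED_UKI]) is not None)
```

Two caveats follow directly from the model. First, any change to a measured component, including a legitimate kernel update, changes PCR 4 and the key has to be re-sealed; that is why real setups often bind to PCR 7 (the Secure Boot policy and signing keys) instead, so that any UKI signed with the same key still unlocks. Second, an untampered chain releases the key without any user input, so a thief who boots the stolen laptop gets as far as the login prompt and the initrd; pairing the TPM with a PIN (systemd-cryptenroll --tpm2-with-pin) or a smartcard, and keeping the passphrase slot as the backup this page suggests, closes that gap.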
The evil maid attack is when someone with brief physical access to the system (the hotel maid) modifies the boot process, for example to capture the disk passphrase on the next boot. Two ways to take the boot files out of their reach:
Move the boot files to a removable USB stick
Move the entire system to a removable USB stick
It is almost impossible to keep a USB stick protected at all times (in the shower?), but it would reduce the exposure.