efi partition on a separate disk makes a lot of sense actually, imo the biggest point of fde is that your boot environment doesn’t get fucked with from outside your trusted os, so if you put your efi on a read only CD or something and lock your bios to boot into that, that can’t really be tampered with easily in software
As bad as secure boot is, that’s exactly the use case for it. Frankly, you can both swap the CD and solder a new BIOS flash if you are really interested in boot poisoning, the latter is just a tiny bit harder to do without some sort of trace.
efi partition on a separate disk makes a lot of sense actually, imo the biggest point of fde is that your boot environment doesn’t get fucked with from outside your trusted os, so if you put your efi on a read only CD or something and lock your bios to boot into that, that can’t really be tampered with easily in software
As bad as secure boot is, that’s exactly the use case for it. Frankly, you can both swap the CD and solder a new BIOS flash if you are really interested in boot poisoning, the latter is just a tiny bit harder to do without some sort of trace.
I meant software attacks, if your hardware is compromised it’s pretty much already game over unless you use something esoteric like heads maybe