We are testing out a new experimental feature in PureBoot to extend tamper detection past /boot into the root disk. I write about the feature and my thought process behind developing it here: https://puri.sm/posts/new-pureboot-feature-scanning-root-for-tampering/
@kyle
Why don't we use Luks for encrypting the whole OS, except for kernel and init, and just verify them on boot?
@danialbehzadi We do encrypt the root disk with LUKS, but not /boot (where kernel, initrd and grub config are), for two reasons:
1. PureBoot must store the HOTP counter somewhere for initial tamper-detection of the firmware itself. Currently /boot is the best location. We don't want to prompt for a LUKS secret before you can trust the firmware.
2. For users who don't want to scan the root partition, leaving /boot unencrypted allows them to scan /boot w/o prompting them for secrets.
@kyle
That's legit. So why we bother to scan other root partitions too, which makes booting slower?
@danialbehzadi It's optional, the idea is like w/ scanning /boot files, to try to detect attacks against root files that occur while the system is running and / is unlocked.
Rootkits can evade attempts to detect from within the infected kernel/file system, so you want to scan from the trusted PureBoot environment.
Some people would run a scan every time they boot. Others would only do it when their computer is out of their custody.
@kyle
I see… Nice job!