From e8cdfc7d9d963aa4412e8eca549bb77e91d28b70 Mon Sep 17 00:00:00 2001 From: Mintsuki Date: Wed, 12 Mar 2025 00:36:15 +0100 Subject: [PATCH] docs: FAQ.md: Fix formatting and adjust tone --- FAQ.md | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/FAQ.md b/FAQ.md index 41436039..15160783 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -18,19 +18,18 @@ Simply put, this is unnecessary. Putting the kernel/modules in a readable FAT32 partition and letting Limine know about their BLAKE2B checksums in the config file provides as much security as encrypting the kernel does. -### What? But what if someone modifies the config file! Ha! You clearly have -### not thought about that! +### What if a malicious actor modifies the config file? -We have. While this is a pointless effort on legacy x86 BIOS, it is a -reasonable expectation on UEFI systems with Secure Boot. Limine provides a way -to modify its own EFI executable to bake in the BLAKE2B checksum of the config -file itself. The EFI executable can then get signed with a key added to the -firmware's keychain. This prevents modifications to the config file (and in -turn the checksums contained there) from going unnoticed. +While this is a pointless effort on legacy x86 BIOS, it is a reasonable +expectation to secure the boot sequence on UEFI systems with Secure Boot. +Limine provides a way to modify its own EFI executable to bake in the BLAKE2B +checksum of the config file itself. The EFI executable can then get signed with +a key added to the firmware's keychain. This prevents modifications to the +config file (and in turn the checksums contained there) from going unnoticed. -### But I don't want to have a separate FAT boot partition! I don't want it! +### I do not want to have a separate FAT boot partition! What can I do? -Well tough luck. It is `$year_following_2012` now and most PCs are equipped -with UEFI and simply won't boot without a FAT EFI system partition anyways. +It is `$year_following_2012` now and most PCs are equipped with UEFI and simply +won't boot without a FAT EFI system partition anyways. It is not unreasonable to share the EFI system partition with the OS's /boot -and store kernels and initramfses there. +and store kernels, initramfses, and any other files needed for boot there.
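Review bot: In the reworded answer under "What if a malicious actor modifies the config file?", the opening "While this is a pointless effort on legacy x86 BIOS" has no clear antecedent. Next to the new heading, "this" reads as the attacker's modification rather than the effort to protect the config file. Suggest naming the subject, for example "While protecting the config file against tampering is a pointless effort on legacy x86 BIOS, it is reasonable to expect a secured boot sequence on UEFI systems with Secure Boot." The paragraph also still asserts that the effort is pointless on BIOS without saying why, and a one-clause reason would help readers deciding between the two boot paths. Separately, the final changed line adds "and any other files needed for boot", which changes content rather than formatting or tone, so it should be mentioned in the commit message or split into its own commit.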