
I have a machine running CentOS 7 with a removable hard drive. I want to restrict what hard drive can be used with the machine, i.e. the machine can only be used with one disk and nothing else.

I've been looking into UEFI secure boot. Can UEFI secure boot be used in this way? My research is inconclusive. I may be able to sign the bootloader, kernel and applications, but is there a more holistic approach of signing a disk?

If it is in fact possible, can you please provide details? If not, is there an alternative way to achieve this?

PCL
  • Assuming that the interface is USB, the short answer is "no" - regardless of any mechanisms used to protect whatever data you happen to write to the disk (such as encrypting it), the basic problem is that it's pretty trivial to lie over USB about what is connected (consider that most portable hard drives are actually just regular SATA drives inside an enclosure with a USB header). Otherwise, we need more details. Is this the boot drive itself? Why portable? What are the contents of this drive? Would it be better to have a portable computer (e.g. Raspberry Pi)? – Clockwork-Muse Dec 03 '20 at 06:37
  • Check [this](http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html) out, it is about replacing standard UEFI keys. Then you password-protect the BIOS to enforce secure boot and you should be all set (physical tampering notwithstanding). Mind I did not try myself, I am just brainstorming here. – Enos D'Andrea Dec 03 '20 at 07:42

0 Answers