I believe the problem with that is some sort of evil maid attack. Let’s say you leave your laptop unprotected in your room, someone goes in and changes the boot partition into an altered version that will record the disk encryption password. The attacker can then retrieve your password and read your data.
If you are using PureBoot, you should be able to detect that this attack has happened (thus preventing you from typing your password into a compromised system). However, you will not be able to prevent the attack.
With /boot in a separate USB, you can prevent it by keeping your boot partition close to you at all times. Of course, this just moves the problem and you must now protect the boot drive from any threat.
Also, I don’t know if Heads (and by extension PureBoot) is able to verify the integrity of the boot partition on a USB drive. If not, you cannot verify the integrity of /boot and this is a bad idea.
It should be noted that a generic attack on /boot does not require physical presence. However, if you are able to compromise a system to such a level that you have write access to /boot, you can probably already read all the information from the drives, so stealing the disk encryption key is probably useless.
If the write protect in the SD card works as advertised, yes. It is a matter of trust (or if you can audit that the SD card does as it says, even better).
May I ask what device do you intend to do this on? If you have access to PureBoot, this is unnecessary, unless you really care about getting access to your device after it has been compromised, which you would be able to do anyway by keeping a backup of the boot partition and restoring it should its integrity verification fail.
Isolating the boot partition on an external drive and keeping it inaccessible after the device has booted might sound like a good idea, but any updates to /boot will have to be installed manually. And given that the /boot integrity verification is already good enough to detect these attacks, I wouldn’t even bother with isolating the boot loader on a separate drive.
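An added example (mine, not code from the thread or from Heads/PureBoot) of the kind of /boot integrity check the posts above rely on: hash every file under /boot into a manifest, then diff the current state against it to flag modified, added and removed files. The file names and contents are constructed, and the GPG signing that Heads applies to its manifest is left out, so the manifest is assumed to be stored off the device.

```python
# Added example, not code from the thread or from Heads/PureBoot: a minimal /boot
# integrity check in the spirit of the verification the posts rely on. Heads also
# GPG-signs its manifest; that is omitted here, so the manifest is assumed to be
# stored off the device, where an attacker who can write /boot cannot alter it.
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(boot_dir):
    """Map every file under boot_dir (path relative to it) to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(boot_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, boot_dir)] = sha256_file(full)
    return manifest

def verify_boot(boot_dir, trusted):
    """Diff current /boot contents against a trusted manifest; any non-empty
    list means the boot partition was altered and the passphrase must not be typed."""
    current = build_manifest(boot_dir)
    return {
        "modified": sorted(p for p in trusted if p in current and current[p] != trusted[p]),
        "added": sorted(p for p in current if p not in trusted),
        "removed": sorted(p for p in trusted if p not in current),
    }

def write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: fake /boot files, a trusted manifest, then tampering."""
    with tempfile.TemporaryDirectory() as boot:
        write(os.path.join(boot, "vmlinuz"), b"kernel image")
        write(os.path.join(boot, "initrd.img"), b"initramfs")
        write(os.path.join(boot, "grub", "grub.cfg"), b"linux /vmlinuz root=/dev/mapper/root\n")
        trusted = build_manifest(boot)
        before = verify_boot(boot, trusted)   # unchanged: all lists empty
        write(os.path.join(boot, "grub", "grub.cfg"), b"linux /vmlinuz root=/dev/sda2\n")
        write(os.path.join(boot, "grub", "extra.mod"), b"file not in manifest")
        os.remove(os.path.join(boot, "initrd.img"))
        return before, verify_boot(boot, trusted)
```

Run `demo()` to see the three findings lists; a real check would run it before the LUKS passphrase prompt, which is the point at which PureBoot warns the user.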
I would hypothesize that Grub might be losing track of where your OS is if they’re on different devices. I have MX Linux and its boot partition on an external SSD (I just selected the external drive in the installer, told it to encrypt, and let it run normally) and it boots fine. I haven’t tried it on a different computer, though.
I think the live PureOS (devel’) installer allows one to set WHERE the bootloader is installed/configured from.
You have to format the drive/device initially as GPT with an unformatted partition labeled ‘BIOS/grub’, but that information is available during initial install in the formatting procedure. Maybe this information will connect some dots as to why you’re having problems (it doesn’t for me though).
So after boot/install you have:
512 MB ext2 partition (this is where the installer places the bootloader mentioned above)
512 MB ext2 /boot partition
32 GB LUKS / and /home partition (can be larger or smaller depending on what you set during install)
any other partitions such as /home (maybe if you set it to be separate from /), since GPT allows for more than a few partitions on the same drive and >2TB drives
I’d say it is having a dialog with Coreboot (or Legacy BIOS) only/directly (perhaps during the booting stage only). Therefore the first partition isn’t part of the visible/regular (mounted) PureOS partitions (just my quick thought, as I’m not at this moment using PureOS).
But still (or anyway), I think (but am not sure) that this feature is an essential part of PureOS and not found in any other Linux distribution. Thanks for asking!
Yes, my thoughts on this exactly. I haven’t seen other GNU/Linux distributions that employ this means of booting, as the label ‘BIOS/GRUB’ isn’t the same thing as /boot. Interestingly enough, PureOS doesn’t boot for me if I try to make /boot part of / with /home. It ONLY works if the first two are individual partitions distinct from / …