BareMetal Security


So far I really like Fedora CoreOS and I am using it on a few BareMetal installations with Clevis.
To my knowledge you can decrypt the disk as soon as you managed to boot an OS on the hardware. (because you have access to the TPM and can read the luks header)
I have done a few things to keep anyone from reading the disk or booting something else:

  • root luks (clevis tpm2) as described in the docs here
  • removed ignition leftover after the setup (/boot/ignition) as it contains sensitive data and the boot partition is not encrypted
  • added grub2 password to the static grub.cfg (I don’t want anyone booting into single user mode)
  • enabled secure boot (seems to be working out of the box with shim)
  • restricted BIOS access, boot options, etc. (not related to fcos)

Is there anything else I can do? Do you have any tips?

Thanks & Regards,

1 Like

It’s a wide topic and I’m planning to get back to you on this but have not been able to find the time yet. This is very dependent on your threat model and what you want to be able to protect your system from but your setup looks like a very good start.