A keylogger in the initramfs seems like a pretty obvious weakness to try and exploit. From there the attacker eventually gets the password manager master password, as well as any disk encryption passwords.
We could soon get to signed grub being able to read and authenticate from an fs-verity /boot on which the initrd resides. Ext4 and, recently, btrfs support fs-verity, and it's more flexible than dm-verity.