| 1 |
On Wed, Nov 18, 2009 at 08:41:10PM +0100, Marcel Meyer wrote: |
| 2 |
> First: convenience and reliability. By having a more or less static kernel and |
| 3 |
> initramfs with a small, generic subset of modules which can boot all of my |
| 4 |
> computers, I can reuse this USB stick (with several key/password-combinations) |
| 5 |
> for more than one machine. And when updating the kernel and/or the modules on |
| 6 |
> my "work-kernel" I don't have to remember adding it to the USB-stick and |
| 7 |
> keeping it consistant. So updating because of the newest graphics card driver |
| 8 |
> is a little less trouble. |
| 9 |
|
| 10 |
I don't find that terribly convenient, but to each their own. You're |
| 11 |
building up a lot of complexity that's not going to necessarily be very |
| 12 |
robust. |
| 13 |
|
| 14 |
> Second: a little bit more security (by obscurity...?). You are right that a |
| 15 |
> running kernel could do a lot of harm when having access to the data. But when |
| 16 |
> that kernel on the USB stick decrypts a trustworthy kernel from the /boot on |
| 17 |
> HD, calls kexec on it (the /sbin/init on this boot partition will have to do |
| 18 |
> that) and this kernel then decrypts the /-partition with another password/key- |
| 19 |
> combination, shouldn't this help a little bit? |
| 20 |
|
| 21 |
Not really, once you have malicious code running on your machine at this |
| 22 |
level, it's game over. There are several approaches they can take to |
| 23 |
getting your password, but if you've lost control of the first kernel |
| 24 |
you've lost control of them all. |
| 25 |
|
| 26 |
> I mean I can not prevent this potential corrupted kernel from starting and |
| 27 |
> then accessing my /boot partition. But as long as the "attacker" did not |
| 28 |
> invest so much work to keep this kernel alive "behind" a kexec call or |
| 29 |
> starting some virtual machine etc. pp., the newly started kernel should take |
| 30 |
> full control - and if something different (like another kernel from the USB- |
| 31 |
> stick) is started, I will recognize that and don't enter the password for the |
| 32 |
> data. |
| 33 |
|
| 34 |
I think you're both overestimating your powers of observation and |
| 35 |
underestimating the abilities of an intentional and knowledgeable |
| 36 |
attacker. Anything can be faked. |
| 37 |
|
| 38 |
> So my main question here is: does it make sense to replace the first kernel by |
| 39 |
> a trusted second one or is it too easy to hide behind such functionality? |
| 40 |
> |
| 41 |
> |
| 42 |
> Of course this will not detain any serious hackers - besides they would have |
| 43 |
> better methods like adding simple hardware hacks. But would this work as a |
| 44 |
> protection against by-chance-hacker, getting somehow their hands on the key |
| 45 |
> for a short time? |
| 46 |
|
| 47 |
It doesn't really make sense because you're not protecting against a |
| 48 |
"casual" attacker at this point anyway. All FDE protects against is |
| 49 |
powered-down physical compromise (typically theft or loss). The moment |
| 50 |
your threat model includes a malicious attacker returning ownership to |
| 51 |
you, you've gone way beyond the "by-chance-hacker" assessment and deeply |
| 52 |
into espionage territory. At that point, if the attacker has had |
| 53 |
manipulative access to your boot media, nothing short of hardware-level |
| 54 |
measurements is really going to "guarantee" the safety of your data. I |
| 55 |
also refer you to http://xkcd.com/538/. |
| 56 |
|
| 57 |
There's nothing stopping you from this pursuit, it simply isn't going to |
| 58 |
protect against what you may think it does. It adds unnecessary |
| 59 |
complexity for that purpose, and complexity just adds more opportunities |
| 60 |
for failure and subversion. If you find it convenient, that's just up |
| 61 |
to you. |
Archives