1 |
On Wed, Nov 18, 2009 at 08:41:10PM +0100, Marcel Meyer wrote: |
2 |
> First: convenience and reliability. By having a more or less static kernel and |
3 |
> initramfs with a small, generic subset of modules which can boot all of my |
4 |
> computers, I can reuse this USB stick (with several key/password-combinations) |
5 |
> for more than one machine. And when updating the kernel and/or the modules on |
6 |
> my "work-kernel" I don't have to remember adding it to the USB-stick and |
7 |
> keeping it consistant. So updating because of the newest graphics card driver |
8 |
> is a little less trouble. |
9 |
|
10 |
I don't find that terribly convenient, but to each their own. You're |
11 |
building up a lot of complexity that's not going to necessarily be very |
12 |
robust. |
13 |
|
14 |
> Second: a little bit more security (by obscurity...?). You are right that a |
15 |
> running kernel could do a lot of harm when having access to the data. But when |
16 |
> that kernel on the USB stick decrypts a trustworthy kernel from the /boot on |
17 |
> HD, calls kexec on it (the /sbin/init on this boot partition will have to do |
18 |
> that) and this kernel then decrypts the /-partition with another password/key- |
19 |
> combination, shouldn't this help a little bit? |
20 |
|
21 |
Not really, once you have malicious code running on your machine at this |
22 |
level, it's game over. There are several approaches they can take to |
23 |
getting your password, but if you've lost control of the first kernel |
24 |
you've lost control of them all. |
25 |
|
26 |
> I mean I can not prevent this potential corrupted kernel from starting and |
27 |
> then accessing my /boot partition. But as long as the "attacker" did not |
28 |
> invest so much work to keep this kernel alive "behind" a kexec call or |
29 |
> starting some virtual machine etc. pp., the newly started kernel should take |
30 |
> full control - and if something different (like another kernel from the USB- |
31 |
> stick) is started, I will recognize that and don't enter the password for the |
32 |
> data. |
33 |
|
34 |
I think you're both overestimating your powers of observation and |
35 |
underestimating the abilities of an intentional and knowledgeable |
36 |
attacker. Anything can be faked. |
37 |
|
38 |
> So my main question here is: does it make sense to replace the first kernel by |
39 |
> a trusted second one or is it too easy to hide behind such functionality? |
40 |
> |
41 |
> |
42 |
> Of course this will not detain any serious hackers - besides they would have |
43 |
> better methods like adding simple hardware hacks. But would this work as a |
44 |
> protection against by-chance-hacker, getting somehow their hands on the key |
45 |
> for a short time? |
46 |
|
47 |
It doesn't really make sense because you're not protecting against a |
48 |
"casual" attacker at this point anyway. All FDE protects against is |
49 |
powered-down physical compromise (typically theft or loss). The moment |
50 |
your threat model includes a malicious attacker returning ownership to |
51 |
you, you've gone way beyond the "by-chance-hacker" assessment and deeply |
52 |
into espionage territory. At that point, if the attacker has had |
53 |
manipulative access to your boot media, nothing short of hardware-level |
54 |
measurements is really going to "guarantee" the safety of your data. I |
55 |
also refer you to http://xkcd.com/538/. |
56 |
|
57 |
There's nothing stopping you from this pursuit, it simply isn't going to |
58 |
protect against what you may think it does. It adds unnecessary |
59 |
complexity for that purpose, and complexity just adds more opportunities |
60 |
for failure and subversion. If you find it convenient, that's just up |
61 |
to you. |