1 |
Thank you for dealing with my message :-) |
2 |
|
3 |
|
4 |
Am Mittwoch, 18. November 2009 02:03:23 schrieb schism@×××××××××.org: |
5 |
> FWIW, this doesn't *precisely* belong on -hardened, but since much of |
6 |
> the audience for secured booting is the same I doubt many will complain. |
7 |
|
8 |
Hehe, yes. And it's a hardened system (of course). And I have hardened |
9 |
compiler problems ;-). Aaand there was no traffic on gentoo-hardened for about |
10 |
a month. We have to check if the list is still working :-) |
11 |
|
12 |
|
13 |
|
14 |
> On Wed, Nov 18, 2009 at 12:20:13AM +0100, Marcel Meyer wrote: |
15 |
> > Now I'd like to try to use the usb-key just as a generic loader for an |
16 |
> > already encrypted kernel on the harddrive. The kernel/initramfs of the |
17 |
> > USB key loads the LUKS-partition and instead of booting this system with |
18 |
> > the already loaded kernel from the USB key it should replace the running |
19 |
> > kernel with another one incl. initramfs from the harddrive using kexec |
20 |
> > from the encrypted partition. |
21 |
> |
22 |
> I'm following you all the way up to the kexec - what exactly are you |
23 |
> trying to solve by doing that? |
24 |
|
25 |
Well, several things. |
26 |
|
27 |
First: convenience and reliability. By having a more or less static kernel and |
28 |
initramfs with a small, generic subset of modules which can boot all of my |
29 |
computers, I can reuse this USB stick (with several key/password-combinations) |
30 |
for more than one machine. And when updating the kernel and/or the modules on |
31 |
my "work-kernel" I don't have to remember adding it to the USB-stick and |
32 |
keeping it consistant. So updating because of the newest graphics card driver |
33 |
is a little less trouble. |
34 |
|
35 |
|
36 |
> [..] |
37 |
> If the kernel or initrd on the USB key are compromised (which it seems |
38 |
> you're trying to protect against), they're under no obligation to follow |
39 |
> the kexec path. Once you've unlocked the LUKS partition the kimono has |
40 |
> dropped, so to speak, and they're free to do whatever malicious deeds |
41 |
> they wish. |
42 |
|
43 |
Second: a little bit more security (by obscurity...?). You are right that a |
44 |
running kernel could do a lot of harm when having access to the data. But when |
45 |
that kernel on the USB stick decrypts a trustworthy kernel from the /boot on |
46 |
HD, calls kexec on it (the /sbin/init on this boot partition will have to do |
47 |
that) and this kernel then decrypts the /-partition with another password/key- |
48 |
combination, shouldn't this help a little bit? |
49 |
|
50 |
I mean I can not prevent this potential corrupted kernel from starting and |
51 |
then accessing my /boot partition. But as long as the "attacker" did not |
52 |
invest so much work to keep this kernel alive "behind" a kexec call or |
53 |
starting some virtual machine etc. pp., the newly started kernel should take |
54 |
full control - and if something different (like another kernel from the USB- |
55 |
stick) is started, I will recognize that and don't enter the password for the |
56 |
data. |
57 |
|
58 |
So my main question here is: does it make sense to replace the first kernel by |
59 |
a trusted second one or is it too easy to hide behind such functionality? |
60 |
|
61 |
|
62 |
Of course this will not detain any serious hackers - besides they would have |
63 |
better methods like adding simple hardware hacks. But would this work as a |
64 |
protection against by-chance-hacker, getting somehow their hands on the key |
65 |
for a short time? |
66 |
|
67 |
|
68 |
|
69 |
|
70 |
> Look at bug #204830 for a start on the TPM integration. What's missing |
71 |
> right now is an initrd-usable app (not all of TrouSerS) that would |
72 |
> replace GPG in your use case, unsealing the key from the TPM and passing |
73 |
> it on to cryptsetup. I expect cryptsetup could be modified to do the |
74 |
> job itself, but that's beyond my level of knowledge right now. |
75 |
|
76 |
Thank you for that hint! I will follow it since at least my newest notebook |
77 |
now has some TPM chip inside. |
78 |
|
79 |
I already searched for some USB tokens so that they can't be copied at least. |
80 |
But that still wouldn't help with the problem of a modified initramfs which |
81 |
sends stuff over the network, f.ex. |
82 |
|
83 |
|
84 |
Thanks, |
85 |
Marcel |