| 1 |
Thank you for dealing with my message :-) |
| 2 |
|
| 3 |
|
| 4 |
Am Mittwoch, 18. November 2009 02:03:23 schrieb schism@×××××××××.org: |
| 5 |
> FWIW, this doesn't *precisely* belong on -hardened, but since much of |
| 6 |
> the audience for secured booting is the same I doubt many will complain. |
| 7 |
|
| 8 |
Hehe, yes. And it's a hardened system (of course). And I have hardened |
| 9 |
compiler problems ;-). Aaand there was no traffic on gentoo-hardened for about |
| 10 |
a month. We have to check if the list is still working :-) |
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
> On Wed, Nov 18, 2009 at 12:20:13AM +0100, Marcel Meyer wrote: |
| 15 |
> > Now I'd like to try to use the usb-key just as a generic loader for an |
| 16 |
> > already encrypted kernel on the harddrive. The kernel/initramfs of the |
| 17 |
> > USB key loads the LUKS-partition and instead of booting this system with |
| 18 |
> > the already loaded kernel from the USB key it should replace the running |
| 19 |
> > kernel with another one incl. initramfs from the harddrive using kexec |
| 20 |
> > from the encrypted partition. |
| 21 |
> |
| 22 |
> I'm following you all the way up to the kexec - what exactly are you |
| 23 |
> trying to solve by doing that? |
| 24 |
|
| 25 |
Well, several things. |
| 26 |
|
| 27 |
First: convenience and reliability. By having a more or less static kernel and |
| 28 |
initramfs with a small, generic subset of modules which can boot all of my |
| 29 |
computers, I can reuse this USB stick (with several key/password-combinations) |
| 30 |
for more than one machine. And when updating the kernel and/or the modules on |
| 31 |
my "work-kernel" I don't have to remember adding it to the USB-stick and |
| 32 |
keeping it consistant. So updating because of the newest graphics card driver |
| 33 |
is a little less trouble. |
| 34 |
|
| 35 |
|
| 36 |
> [..] |
| 37 |
> If the kernel or initrd on the USB key are compromised (which it seems |
| 38 |
> you're trying to protect against), they're under no obligation to follow |
| 39 |
> the kexec path. Once you've unlocked the LUKS partition the kimono has |
| 40 |
> dropped, so to speak, and they're free to do whatever malicious deeds |
| 41 |
> they wish. |
| 42 |
|
| 43 |
Second: a little bit more security (by obscurity...?). You are right that a |
| 44 |
running kernel could do a lot of harm when having access to the data. But when |
| 45 |
that kernel on the USB stick decrypts a trustworthy kernel from the /boot on |
| 46 |
HD, calls kexec on it (the /sbin/init on this boot partition will have to do |
| 47 |
that) and this kernel then decrypts the /-partition with another password/key- |
| 48 |
combination, shouldn't this help a little bit? |
| 49 |
|
| 50 |
I mean I can not prevent this potential corrupted kernel from starting and |
| 51 |
then accessing my /boot partition. But as long as the "attacker" did not |
| 52 |
invest so much work to keep this kernel alive "behind" a kexec call or |
| 53 |
starting some virtual machine etc. pp., the newly started kernel should take |
| 54 |
full control - and if something different (like another kernel from the USB- |
| 55 |
stick) is started, I will recognize that and don't enter the password for the |
| 56 |
data. |
| 57 |
|
| 58 |
So my main question here is: does it make sense to replace the first kernel by |
| 59 |
a trusted second one or is it too easy to hide behind such functionality? |
| 60 |
|
| 61 |
|
| 62 |
Of course this will not detain any serious hackers - besides they would have |
| 63 |
better methods like adding simple hardware hacks. But would this work as a |
| 64 |
protection against by-chance-hacker, getting somehow their hands on the key |
| 65 |
for a short time? |
| 66 |
|
| 67 |
|
| 68 |
|
| 69 |
|
| 70 |
> Look at bug #204830 for a start on the TPM integration. What's missing |
| 71 |
> right now is an initrd-usable app (not all of TrouSerS) that would |
| 72 |
> replace GPG in your use case, unsealing the key from the TPM and passing |
| 73 |
> it on to cryptsetup. I expect cryptsetup could be modified to do the |
| 74 |
> job itself, but that's beyond my level of knowledge right now. |
| 75 |
|
| 76 |
Thank you for that hint! I will follow it since at least my newest notebook |
| 77 |
now has some TPM chip inside. |
| 78 |
|
| 79 |
I already searched for some USB tokens so that they can't be copied at least. |
| 80 |
But that still wouldn't help with the problem of a modified initramfs which |
| 81 |
sends stuff over the network, f.ex. |
| 82 |
|
| 83 |
|
| 84 |
Thanks, |
| 85 |
Marcel |
Archives