FWIW, this doesn't *precisely* belong on -hardened, but since much of
the audience for secured booting is the same I doubt many will complain.

On Wed, Nov 18, 2009 at 12:20:13AM +0100, Marcel Meyer wrote:
> Now I'd like to try to use the usb-key just as a generic loader for an already
> encrypted kernel on the harddrive. The kernel/initramfs of the USB key loads
> the LUKS-partition and instead of booting this system with the already loaded
> kernel from the USB key it should replace the running kernel with another one
> incl. initramfs from the harddrive using kexec from the encrypted partition.

I'm following you all the way up to the kexec - what exactly are you
trying to solve by doing that? The only approach more protected against
physical compromise is a TPM-integrated boot where you seal the LUKS key
to your particular BIOS/bootloader/kernel/initrd measurement, but that's
not quite possible in the Linux world yet.

If the kernel or initrd on the USB key are compromised (which it seems
you're trying to protect against), they're under no obligation to follow
the kexec path. Once you've unlocked the LUKS partition the kimono has
dropped, so to speak, and they're free to do whatever malicious deeds
they wish. You could raise the bar on that a little by using write-once
media like an optical disc instead of a USB key, and even make it
visually "unique" by physically modifying the disc in some manner that
doesn't damage its readability, but you're still just engaging in an
arms race.

Look at bug #204830 for a start on the TPM integration. What's missing
right now is an initrd-usable app (not all of TrouSerS) that would
replace GPG in your use case, unsealing the key from the TPM and passing
it on to cryptsetup. I expect cryptsetup could be modified to do the
job itself, but that's beyond my level of knowledge right now.
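The seal-to-measurement flow the reply describes, as an added example that is not part of the thread: the LUKS key is sealed at install time to a PCR set covering BIOS, boot loader and kernel/initrd, and at boot it is unsealed and piped straight into cryptsetup. It assumes the TrouSerS tpm-tools (tpm_sealdata/tpm_unsealdata, which need tcsd in the initrd, the very dependency the message notes is the gap), a TCG-aware loader that measures the kernel/initrd into PCR 8, and the placeholder device and blob paths shown.

```shell
#!/bin/sh
# Added example, not code from the thread. Seals a LUKS key to a TPM 1.2
# measurement set with tpm-tools (requires TrouSerS' tcsd), then unseals it
# in the initrd and hands it to cryptsetup without writing the key to disk.

# Placeholder defaults (assumptions); override to match the real system.
LUKS_DEV="${LUKS_DEV:-/dev/sda2}"
SEALED_KEY="${SEALED_KEY:-/boot/luks.key.sealed}"
# The PCR selection is the policy: 0 = BIOS/firmware, 4 = boot loader,
# 8 = kernel/initrd as measured by a TCG-aware loader (assumed layout).
# Any change to those stages changes the PCRs and the blob will not unseal.
PCRS="${PCRS:-0 4 8}"
# Commands are indirected so the boot-time flow can be exercised on a box
# without a TPM by pointing these at stand-ins.
UNSEAL="${UNSEAL:-tpm_unsealdata -z -i}"
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# Install-time step: seal the key file given as $1 to the current PCR values.
# -z uses the well-known SRK secret; the sealed blob is useless outside this
# TPM in this measured state, so it can sit on the unencrypted /boot.
seal_key() {
    pcr_args=""
    for p in $PCRS; do pcr_args="$pcr_args -p $p"; done
    tpm_sealdata -z $pcr_args -i "$1" -o "$SEALED_KEY"
}

# Boot-time step (initrd): unseal into cryptsetup's stdin via --key-file=-,
# replacing the GPG-decrypt-then-pass step from the original USB-key setup.
# Fails closed: if the PCRs do not match, tpm_unsealdata emits nothing and
# cryptsetup rejects the empty key.
unlock_root() {
    $UNSEAL "$SEALED_KEY" | $CRYPTSETUP luksOpen --key-file=- "$LUKS_DEV" root
}
```

Run seal_key once from the installed system after the measured boot chain is final; re-seal whenever the BIOS, boot loader or kernel/initrd is updated.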