| 1 |
FWIW, this doesn't *precisely* belong on -hardened, but since much of |
| 2 |
the audience for secured booting is the same I doubt many will complain. |
| 3 |
|
| 4 |
On Wed, Nov 18, 2009 at 12:20:13AM +0100, Marcel Meyer wrote: |
| 5 |
> Now I'd like to try to use the usb-key just as a generic loader for an already |
| 6 |
> encrypted kernel on the harddrive. The kernel/initramfs of the USB key loads |
| 7 |
> the LUKS-partition and instead of booting this system with the already loaded |
| 8 |
> kernel from the USB key it should replace the running kernel with another one |
| 9 |
> incl. initramfs from the harddrive using kexec from the encrypted partition. |
| 10 |
|
| 11 |
I'm following you all the way up to the kexec - what exactly are you |
| 12 |
trying to solve by doing that? The only approach more protected against |
| 13 |
physical compromise is a TPM-integrated boot where you seal the LUKS key |
| 14 |
to your particular BIOS/bootloader/kernel/initrd measurement, but that's |
| 15 |
not quite possible in the Linux world yet. |
| 16 |
|
| 17 |
If the kernel or initrd on the USB key are compromised (which it seems |
| 18 |
you're trying to protect against), they're under no obligation to follow |
| 19 |
the kexec path. Once you've unlocked the LUKS partition the kimono has |
| 20 |
dropped, so to speak, and they're free to do whatever malicious deeds |
| 21 |
they wish. You could raise the bar on that a little by using write-once |
| 22 |
media like an optical disc instead of a USB key, and even make it |
| 23 |
visually "unique" by physically modifying the disc in some manner that |
| 24 |
doesn't damage its readability, but you're still just engaging in an |
| 25 |
arms race. |
| 26 |
|
| 27 |
Look at bug #204830 for a start on the TPM integration. What's missing |
| 28 |
right now is an initrd-usable app (not all of TrouSerS) that would |
| 29 |
replace GPG in your use case, unsealing the key from the TPM and passing |
| 30 |
it on to cryptsetup. I expect cryptsetup could be modified to do the |
| 31 |
job itself, but that's beyond my level of knowledge right now. |
Archives