From: Robert Millan
To: The development of GRUB 2
Subject: Re: [PATCH] use UUIDs for cross-disk installs (Re: Issue with boot != root and chainloading)
Date: Sun, 3 Aug 2008 14:08:33 +0200
Message-ID: <20080803120833.GA4302@thorin>
In-Reply-To: <489591FF.3070601@isaac.cedarswampstudios.org>
References: <5A50C2D990914B3F8A73A02D520E8DED@fz> <1216918145.22586.14.camel@dv> <20080725210840.GA19505@thorin> <1217022420.3957.3.camel@dv> <20080725221050.GA31179@thorin> <1217034532.6376.13.camel@dv> <20080727121914.GA11242@thorin> <1217176183.4029.20.camel@ct> <20080727183737.GB16393@thorin> <489591FF.3070601@isaac.cedarswampstudios.org>

On Sun, Aug 03, 2008 at 07:09:51AM -0400, Isaac Dupree wrote:
> Is using UUIDs alone resilient against this situation: An attacker finds out
> the UUIDs on your hard-disk. S/he makes a USB drive or CD (that preferably
> looks innocuous when plugged into a running system), but has a UUID on it
> equal to that of the GRUB boot partition (which might not be mounted on a
> running system). Anyway, when the system (core.img) boots, can it tell the
> difference well enough to prefer the GRUB that's on the disk that it was
> originally installed to?

biosdisk prefers hard disks over floppies. Of course, USB drives are generally
identified as hard disks, but this problem will go away when we get rid of the
BIOS and access devices directly.

Then again, on BIOS we only use UUIDs when the situation is desperate, like on
a cross-disk install. If you're concerned about security and/or reliability,
don't do cross-disk installs.

> (Equally well, you could have a GRUB core.img and /boot on a CD or
> unwriteable USB drive that you're trying to boot when you don't entirely
> trust the computer's hard disk.)
>
> Furthermore, perhaps all the modules that the attacker provided are the same
> as the genuine ones; only grub.cfg differs... only the most paranoid of us
> would try to put a hash in core.img that complains whenever grub.cfg has
> changed from the original state?
This line of thinking is what is commonly used to justify draconian measures
(i.e. Treacherous Computing) but it doesn't make any sense. If your security
policy is such that you don't trust users with physical access, try any of the
following:

- Encrypt your whole disk. Have your /boot in a USB drive you carry with you.
- Remove your CD drive and unexpose USB slots (use locks or, if really
  paranoid, sink your board in concrete).

So-called "Trusted" Computing is just a blatant excuse to steal your music and
your documents. Don't drink the kool aid.

-- 
Robert Millan

  The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and
  how) you may access your data; but nobody's threatening your freedom: we
  still allow you to remove your data and not access it at all."
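The scenario Isaac raises, a second device that clones the filesystem UUID of the partition core.img searches for, is something an administrator can at least detect from the running system. The script below is an added example for this archive page; it is not code from this thread and not GRUB's own search logic. It parses the key="value" lines that `lsblk -P -o NAME,UUID,RM,TYPE` prints (that output format is assumed), flags any UUID present on more than one device, marks copies that sit on removable media, and offers a yes/no check for the one UUID a cross-disk install would embed in core.img. The device list is constructed sample data; on a real machine pipe `lsblk -P -o NAME,UUID,RM,TYPE` into the same functions.

```shell
#!/bin/sh
# Added example, not code from this thread or from GRUB: detect a second block
# device carrying the same filesystem UUID as the /boot partition, using the
# output of `lsblk -P -o NAME,UUID,RM,TYPE` (that key="value" format is
# assumed). The device list below is constructed sample data.

# Constructed sample: internal disk sda with /boot on sda1, and a removable
# USB stick sdb (RM="1") whose partition sdb1 clones sda1's UUID.
SAMPLE_LSBLK='NAME="sda" UUID="" RM="0" TYPE="disk"
NAME="sda1" UUID="6f1e2c1a-0b7d-4a7f-9e63-2b6a5b0f1c11" RM="0" TYPE="part"
NAME="sda2" UUID="0d3f9a2b-7c61-4e0a-8f7d-1a2b3c4d5e6f" RM="0" TYPE="part"
NAME="sdb" UUID="" RM="1" TYPE="disk"
NAME="sdb1" UUID="6f1e2c1a-0b7d-4a7f-9e63-2b6a5b0f1c11" RM="1" TYPE="part"'

# duplicate_uuids: read lsblk -P lines on stdin and print, for every UUID
# that occurs on more than one device, one line of the form
#   <uuid> <dev> <dev>...
# where a device on removable media is suffixed with "[rm]". Output order
# follows first appearance of each UUID; nothing is printed if all are unique.
duplicate_uuids() {
    awk '
    {
        name = ""; uuid = ""; rm = "0"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            val = kv[2]
            gsub(/"/, "", val)
            if (kv[1] == "NAME") name = val
            else if (kv[1] == "UUID") uuid = val
            else if (kv[1] == "RM") rm = val
        }
        if (uuid == "") next              # whole disks carry no filesystem UUID
        if (!(uuid in count)) order[++n] = uuid
        count[uuid]++
        tag = (rm == "1") ? "[rm]" : ""
        devs[uuid] = devs[uuid] " " name tag
    }
    END {
        for (i = 1; i <= n; i++)
            if (count[order[i]] > 1) print order[i] devs[order[i]]
    }'
}

# boot_uuid_is_unique UUID: exit 0 if exactly one device on stdin carries
# UUID, 1 otherwise (missing or cloned). A cloned UUID means a search by UUID
# at boot is ambiguous; which copy wins depends on device enumeration order,
# not on which disk GRUB was installed to.
boot_uuid_is_unique() {
    n=$(grep -c "UUID=\"$1\"" || true)
    [ "$n" -eq 1 ]
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LSBLK" | duplicate_uuids
if printf '%s\n' "$SAMPLE_LSBLK" | boot_uuid_is_unique 6f1e2c1a-0b7d-4a7f-9e63-2b6a5b0f1c11; then
    echo "boot UUID is unique"
else
    echo "boot UUID is cloned or missing: a UUID search is ambiguous"
fi
```

The check only reports the condition; it cannot tell core.img which copy to prefer. That is the point Robert makes above: on BIOS the UUID search is a fallback for cross-disk installs, and the remedies are to avoid that layout, keep /boot on media you control, or encrypt the disk.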