Re: [dm-crypt] encrypted root: prevent / detect tampering with kernel / initrd

[Arno Wagner <arno@wagner.name>]

On Mon, Dec 28, 2009 at 09:28:43PM +0100, Olivier Sessink wrote:
> Hi all,
>
> I was wondering if there are some 'common' ways to prevent tampering  
> with the unencrypted kernel and initrd in the case of an encrypted root  
> filesystem? 

No. Any "common" way would automatically become ineffective. Your 
only chance is to do something unexpected and hence uncommon.

> If somebody has access to your computer they could change  
> the initrd and kernel and make your encryption useless (e.g. store the  
> password in /boot, or send it over the network, etc. etc.). It shouldn't  
> be too hard to make this at least very difficult.

It is theoretically impossible and practically very hard.

> I was thinking along the lines of:
> - check a checksum of the MBR and partition table
=> Fake the check
> - check a checksum of the complete /boot filesystem
=> See above
> - check the pointers in the kernel system call table (detects many rootkits)
=> See above.
> - check for virtualization (any virtual rootkits)
=> Very hard and the check can be removed.
> - ...? any better ideas how to detect tampering?
>
> Obviously all of this should be done by a binary inside the encrypted  
> filesystem - everything in /boot (kernel and initrd) is not to be  
> trusted. That means we can only warn the user after the password is  
> probably gone already, but this is better than nothing.
>
> Any comments, ideas or links  ?

With an attacker competent enough to do this type of tampering
you are screwed as long as you rely on the on-disk information.

But here is something easy: Use an external boot medium for 
verification, e.g. a memory-stick installed Knoppix with some
custom check script you call manually or automatically. Keep 
the external checker system separate from the laptop. With
that the ideas you outlined above would work. You can, e.g.,
compary MBR and files in /boot to checksums or good copies.
I currently have an 8GB SuperTalent Stick with the Knoppix
DVD installed on it in my vallet. Adding packages and your own
data/programs is possible as it has a writable filesystem 
(writes get ovelayed on top of the read-only DVD image).

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier