From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp.speedxs.nl (smtp.speedxs.nl [83.98.255.13]) by mail.saout.de (Postfix) with ESMTP for ; Mon, 28 Dec 2009 21:29:14 +0100 (CET) Received: from cort.fakenet (unknown [83.98.244.209]) by smtp.speedxs.nl (Postfix) with ESMTP id 6A962B for ; Mon, 28 Dec 2009 21:29:11 +0100 (CET) Received: from [192.168.0.191] (uitsmijter.fakenet [192.168.0.191]) by cort.fakenet (Postfix) with ESMTP id E6674BA03F for ; Mon, 28 Dec 2009 21:28:43 +0100 (CET) Message-ID: <4B3914FB.7060008@gmail.com> Date: Mon, 28 Dec 2009 21:28:43 +0100 From: Olivier Sessink MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: [dm-crypt] encrypted root: prevent / detect tampering with kernel / initrd List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: dm-crypt@saout.de Hi all, I was wondering if there are some 'common' ways to prevent tampering with the unencrypted kernel and initrd in the case of an encrypted root filesystem? If somebody has access to your computer they could change the initrd and kernel and make your encryption useless (e.g. store the password in /boot, or send it over the network, etc. etc.). It shouldn't be too hard to make this at least very difficult. I was thinking along the lines of: - check a checksum of the MBR and partition table - check a checksum of the complete /boot filesystem - check the pointers in the kernel system call table (detects many rootkits) - check for virtualization (any virtual rootkits) - ...? any better ideas how to detect tampering? Obviously all of this should be done by a binary inside the encrypted filesystem - everything in /boot (kernel and initrd) is not to be trusted. That means we can only warn the user after the password is probably gone already, but this is better than nothing. Any comments, ideas or links ? regards, Olivier