DM-Crypt Archive on lore.kernel.org
From: Alex Elsayed <eternaleye@gmail.com>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Integrate cryptsetup in bootloader
Date: Wed, 20 Nov 2013 01:09:11 -0800	[thread overview]
Message-ID: <l6hu7e$j1t$1@ger.gmane.org> (raw)
In-Reply-To: 1384831653.18771.33.camel@heisenberg.scientia.net

Christoph Anton Mitterer wrote:

> On Tue, 2013-11-19 at 09:20 +0700, Trinh Van Thanh wrote:
>> Unencrypted boot partition is not safe for some special requirements.
>> So I want to increase the secure level for full disk encryption using
>> dm-crypt. Can I integrate cryptsetup in bootloader (example GRUB2) or
>> is there any other solutions?
> 
> Integrating it in the bootloader doesn't really help you since then the
> bootloader is the weak point.
> 
> In the end you'll always need an unencrypted kernel/initrd/bootloader...
> so what one can do is booting from a USB stick,.. which you have always
> with you... and then have a fully encrypted root-fs.

Integrating with the bootloader isn't a _solution_, but it is a 
_mitigation_.

If you're using GRUB2 in a traditional (non-EFI) boot configuration, you can 
get away with leaving VERY little space for an attacker to work in. In 
particular, the space before the protective MBR (which is filled by grub's 
core, and not especially useful to tamper with) and the BIOS Boot Partition 
it uses to store the more full image (EF02 in gdisk).

By creating a truly minimal grub image (cryptdisk, your boot filesystem 
driver, the linux loader, maybe a couple other things) in which every part 
is necessary to the boot process, and placing the BBP at the end of the 
disk, you can force the partition to be the exact minimal size that will 
hold that data by resizing the LUKS partition.

That way, tampering in a manner that WON'T cause the boot process to fail 
entirely becomes exceedingly difficult, and something with sufficient 
complexity to patch the kernel becomes prohibitive.

I used to use GRUB2's cryptdisk support for a while, and while it was tetchy 
to work with it does function - if one is familiar with GRUB2's scripting 
syntax, coreboot's (very) brief overview is sufficient:

http://www.coreboot.org/GRUB2#LUKS_disks_openning
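The build-and-measure procedure Alex describes (a minimal core image, a BIOS Boot Partition sized to fit it) as an added shell example, not code from the original thread; the module list, the `(crypto0)` prefix, the LUKS UUID placeholder and the `/dev/sda2` BBP device are assumptions, and `grub-mkimage`/`blockdev` are only invoked when the script is called with an argument.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): build a minimal GRUB2 core
# image for an i386-pc/GPT machine with encrypted /boot, then measure how much
# of the BIOS Boot Partition (EF02) the image leaves unused. Module set,
# prefix, UUID and device names are assumptions for illustration.

# Every module must be embedded: nothing under /boot is readable until
# cryptomount has succeeded, including the cipher and hash modules.
CORE_MODULES="biosdisk part_gpt cryptodisk luks gcry_rijndael gcry_sha256 ext2 linux"

# Early config embedded into core.img with -c: unlock the LUKS container and
# make it the root device the prefix refers to.
write_early_cfg() {   # $1 = output file, $2 = LUKS UUID (placeholder)
  printf 'cryptomount -u %s\nset root=(crypto0)\n' "$2" > "$1"
}

build_core_image() {  # $1 = core.img path, $2 = early config path
  grub-mkimage -O i386-pc -o "$1" -c "$2" -p '(crypto0)/grub' $CORE_MODULES
}

# 512-byte sectors needed to hold an image of $1 bytes, rounded up.
sectors_needed() { echo $(( ($1 + 511) / 512 )); }

# Bytes left over in a BBP of $2 sectors once an image of $1 bytes is written
# (negative means the image does not fit at all).
bbp_slack_bytes() { echo $(( $2 * 512 - $1 )); }

# Minimal: the image fits and fewer than 512 bytes (one sector) are unused.
bbp_is_minimal() {
  slack=$(bbp_slack_bytes "$1" "$2")
  [ "$slack" -ge 0 ] && [ "$slack" -lt 512 ]
}

# Compare an on-disk core image with the BBP block device (blockdev needs root).
check_bbp() {         # $1 = core.img path, $2 = BBP device, e.g. /dev/sda2
  img=$(stat -c %s "$1")
  sect=$(( $(blockdev --getsize64 "$2") / 512 ))
  echo "image=${img}B needs=$(sectors_needed "$img") sectors; bbp=${sect} sectors; slack=$(bbp_slack_bytes "$img" "$sect")B"
  bbp_is_minimal "$img" "$sect"
}

case "${1:-}" in
  build) write_early_cfg early.cfg "${LUKS_UUID:-PLACEHOLDER-UUID}"
         build_core_image core.img early.cfg ;;
  check) check_bbp "${2:-core.img}" "${3:-/dev/sda2}" ;;
esac
```

Run `sh script.sh build` to produce `core.img`, then `sh script.sh check core.img /dev/sdX2` after resizing the partitions; a non-zero exit means the BBP still leaves a full sector or more of room beyond the image.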
