From mboxrd@z Thu Jan 1 00:00:00 1970 From: "pelzflorian (Florian Pelz)" Subject: Re: Unencrypted boot with encrypted root Date: Fri, 3 Apr 2020 21:44:23 +0200 Message-ID: <20200403194423.m3pvz654qslug7g3@pelzflorian.localdomain> References: <87ftdmi7pp.fsf@ambrevar.xyz> <17c316adc8485d1f09f70d291cfaad50258c6c1f.camel@wine-logistix.de> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:34484) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jKSEu-0004vJ-Sj for guix-devel@gnu.org; Fri, 03 Apr 2020 15:44:30 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1jKSEt-00022F-P7 for guix-devel@gnu.org; Fri, 03 Apr 2020 15:44:28 -0400 Received: from pelzflorian.de ([5.45.111.108]:34222 helo=mail.pelzflorian.de) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1jKSEt-0001x0-98 for guix-devel@gnu.org; Fri, 03 Apr 2020 15:44:27 -0400 Content-Disposition: inline In-Reply-To: <17c316adc8485d1f09f70d291cfaad50258c6c1f.camel@wine-logistix.de> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org Sender: "Guix-devel" To: Ellen Papsch Cc: guix-devel@gnu.org On Fri, Apr 03, 2020 at 05:44:13PM +0200, Ellen Papsch wrote: > To make it harder, we leave /boot encrypted. Now the attacker plants > their malware further down the stack: they replace the BIOS. Boom, you > are owned! :-) So using a single encrypted partition instead of separate /boot protects from script kiddies (siblings/=E2=80=9Cfriends=E2=80=9D?) with h= ardware access that know how to put their own grub.cfg on an unencrypted /boot partition and then wait for you to unsuspectingly use your machine. But it would still be possible for an attacker to flash or replace the motherboard=E2=80=99s UEFI, or perhaps the part of GRUB installed on the unaltered motherboard would willingly load a manipulated hard disk? Or just install a keylogger. So using the same boot partition as is done currently has Pro: script kiddie protection Con: passphrase must be entered twice; also entering the passphrase in GRUB may use the wrong keyboard layout Regards, Florian