From mboxrd@z Thu Jan  1 00:00:00 1970
From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
Subject: Re: Unencrypted boot with encrypted root
Date: Fri, 3 Apr 2020 21:44:23 +0200
Message-ID: <20200403194423.m3pvz654qslug7g3@pelzflorian.localdomain>
References: <87ftdmi7pp.fsf@ambrevar.xyz>
 <17c316adc8485d1f09f70d291cfaad50258c6c1f.camel@wine-logistix.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:34484)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <pelzflorian@pelzflorian.de>) id 1jKSEu-0004vJ-Sj
 for guix-devel@gnu.org; Fri, 03 Apr 2020 15:44:30 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <pelzflorian@pelzflorian.de>) id 1jKSEt-00022F-P7
 for guix-devel@gnu.org; Fri, 03 Apr 2020 15:44:28 -0400
Received: from pelzflorian.de ([5.45.111.108]:34222 helo=mail.pelzflorian.de)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <pelzflorian@pelzflorian.de>)
 id 1jKSEt-0001x0-98
 for guix-devel@gnu.org; Fri, 03 Apr 2020 15:44:27 -0400
Content-Disposition: inline
In-Reply-To: <17c316adc8485d1f09f70d291cfaad50258c6c1f.camel@wine-logistix.de>
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org
Sender: "Guix-devel"
 <guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org>
To: Ellen Papsch <ellen.papsch@wine-logistix.de>
Cc: guix-devel@gnu.org

On Fri, Apr 03, 2020 at 05:44:13PM +0200, Ellen Papsch wrote:
> To make it harder, we leave /boot encrypted. Now the attacker plants
> their malware further down the stack: they replace the BIOS. Boom, you
> are owned! :-)

So using a single encrypted partition instead of separate /boot
protects from script kiddies (siblings/=E2=80=9Cfriends=E2=80=9D?) with h=
ardware
access that know how to put their own grub.cfg on an unencrypted /boot
partition and then wait for you to unsuspectingly use your machine.

But it would still be possible for an attacker to flash or replace the
motherboard=E2=80=99s UEFI, or perhaps the part of GRUB installed on the
unaltered motherboard would willingly load a manipulated hard disk?
Or just install a keylogger.

So using the same boot partition as is done currently has

Pro: script kiddie protection

Con: passphrase must be entered twice; also entering the passphrase in
GRUB may use the wrong keyboard layout

Regards,
Florian