From: Ellen Papsch
Subject: Re: Unencrypted boot with encrypted root
Date: Sat, 04 Apr 2020 10:12:46 +0200
To: "pelzflorian (Florian Pelz)"
Cc: guix-devel@gnu.org

On Friday, 03.04.2020 at 21:44 +0200, pelzflorian (Florian Pelz) wrote:
>
> So using a single encrypted partition instead of separate /boot
> protects from script kiddies (siblings/“friends”?) with hardware
> access that know how to put their own grub.cfg on an unencrypted
> /boot partition and then wait for you to unsuspectingly use your
> machine.
>

Yes, it is better known as "evil maid attack", because the original
thought included a hotel room[0].

> But it would still be possible for an attacker to flash or replace
> the motherboard’s UEFI, or perhaps the part of GRUB installed on the
> unaltered motherboard would willingly load a manipulated hard disk?
> Or just install a keylogger.
>

Yes, though it should not be as easy as with an unprotected /boot
partition. You have these boot stages in a modern UEFI system (just
numbered sequentially):

- hardware initialization
- stage 0, which is a minimal bootloader including the Secure Boot key
  on ROM.
- stage 1, which is Management Engine on Intel platforms or Platform
  Security Processor on AMD platforms. Some of it is on ROM, while
  most can be (not easily) flashed. ME is a Minix derivative with its
  own little processor (ARM IIRC).
- stage 2, which is your UEFI BIOS.
- stage 3, which is the program that gets put in the /boot/efi
  directory and registered with the BIOS, i.e. GRUB.
- stage 4-n, Guix!

If you are interested in the flaws of stage 1, check out [1] and [2].
[3] is very interesting too, as it not only presents hardware flaws but
also suggests a possible way forward. (These are the same video URLs I
initially posted.)

Breaking any earlier stage gives you control over the later stages. The
general gist is that all common (consumer) hardware is flawed and with
it the software that runs on it. That makes free hardware ever more
important. It's also why people are interested in breaking stage 1; not
so much for attack, but because it is closely linked to the hardware
and prevents their freedom.

Regards,
Ellen

[0] https://en.wikipedia.org/wiki/Evil_maid_attack
[1] https://media.ccc.de/v/36c3-10694-intel_management_engine_deep_dive
[2] https://media.ccc.de/v/thms-38-dissecting-the-amd-platform-security-processor
[3] https://media.ccc.de/v/36c3-10690-open_source_is_insufficient_to_solve_trust_problems_in_hardware
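
Added example, not part of the message above or of Guix: a shell sketch that detects the grub.cfg swap on an unencrypted /boot discussed in the thread by comparing the partition against a previously saved hash manifest. The function names, mount point and manifest location are assumptions. Because a broken earlier stage controls the later ones, the check only means something when run from trusted live media with the manifest kept off the machine, and it says nothing about the firmware stages.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU find, sort, xargs, sha256sum and a POSIX awk.
# Paths containing newlines or backslashes are not handled.

# boot_manifest DIR: print "sha256  ./relative/path" for every file in DIR.
boot_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# boot_diff MANIFEST DIR: compare DIR against a saved manifest.
# Prints ADDED/MODIFIED/REMOVED lines; exit status 1 if anything differs.
boot_diff() {
    boot_manifest "$2" | awk -v old="$1" '
        BEGIN {
            # sha256sum lines: 64 hex digits, two separator chars, then the path
            while ((getline line < old) > 0)
                want[substr(line, 67)] = substr(line, 1, 64)
        }
        {
            hash = substr($0, 1, 64); path = substr($0, 67)
            if (!(path in want)) { print "ADDED " path; bad = 1 }
            else {
                if (want[path] != hash) { print "MODIFIED " path; bad = 1 }
                delete want[path]
            }
        }
        END {
            for (path in want) { print "REMOVED " path; bad = 1 }
            exit bad + 0
        }'
}

# Usage, from trusted live media with the disk's /boot mounted at /mnt/boot
# (mount point and manifest location are assumptions):
#   boot_manifest /mnt/boot > /media/usb/boot.manifest     # record once
#   boot_diff /media/usb/boot.manifest /mnt/boot           # check later
```

The manifest has to be regenerated after every legitimate system reconfiguration that rewrites /boot, otherwise each kernel or GRUB update shows up as a modification.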