#1 2014-02-12 20:33:27

davewuvswaffles
Member
Registered: 2013-12-17
Posts: 5

GRUB2 Boot from LUKS device - Advice needed

Currently, I have my laptop set to boot from UEFI booting from the ESP using EFISTUB with my / partition being btrfs encrypted with LUKS using the AES-256 cipher.

I still have two remaining vulnerabilities that I need to address:

1.  Enabling UEFI's Secure Boot, using the efitools-git to ensure no other media may be used to boot my computer to protect against the 'Evil Maid' attack
2.  Securing my /boot partition so that my disk is fully protected

I would like to avoid keeping my /boot partition on an external medium to avoid the complications that would arise if I were to misplace it or if it were to fall into the wrong hands.

From what I can gather, the remaining options are to either:

1.  Use a minimal installation to unencrypt my /boot partition
2.  Find a way to enable my boot loader to unencrypt the /boot partition

I would like to avoid the former option if possible given that I would likely be required to use Linux From Scratch to create a minimal installation.

Searching online, I have found a GRUB2 configuration option on the GRUB2 entry on the Gentoo wiki:

GRUB_CRYPTODISK_ENABLE=y

Unfortunately, the few references to this option seem to be pointing to an unencrypted /boot partition, are running into errors, or do not report any actual success.

In regards to Arch, I found the following mentions:
https://wiki.archlinux.org/index.php/Ta … ed_.2Fboot
https://gist.github.com/buhman/4164842

Does anyone have any experience with this GRUB2 option?
I apologize if this has been asked before or is common knowledge at this point.

Thanks

Edit: Further digging has led me into the GRUB2 modules list:
http://blog.fpmurphy.com/2010/06/grub2-modules.html

Looking inside, there seems to be a module to handle encryption for the core.img:

crypto.mod

Furthermore, this module actually seems to be a dependency of the password module.

password: crypto normal

I assume that it is normally used to encrypt/decrypt a GRUB password, as seen in this example of grub-crypt:
http://www.thegeekstuff.com/2011/09/gru … d-command/

$ cat /etc/grub.conf
default=0
timeout=15
password --encrypted ^9^32kwzzX./3WISQ0C

So now I know two things:

1.  GRUB2 naturally supports the SHA-512 and SHA-256 algorithms
2.  There is a crypto.mod built into the GRUB2 core.img; what it is actually capable of is not necessarily clear

The hunt continues.

Edit:
I took a peek in the grub files and found a cryptodisk.mod, a luks.mod and a crypto.lst file.

Looking at the list file I found it populated with many different ciphers.  The second entries are the modules themselves, all contained in the i386-pc folder. 

RIJINDAEL: gcry_rijndael
RIJINDAEL: gcry_rijndael
RIJINDAEL: gcry_rijndael
AES128: gcry_rijndael
AES-128: gcry_rijndael
AES-192: gcry_rijndael
AES-256: gcry_rijndael
ADLER32: adler32
CRC64: crc64
ARCFOUR: gcry_arcfour
BLOWFISH: gcry_blowfish
CAMELLIA128: gcry_camellia
CAMELLIA192: gcry_camellia
CAMELLIA256: gcry_camellia
CAST5: gcry_cast5
CRC32: gcry_crc
CRC32RFC1510: gcry_crc
CRC24RFC2440: gcry_crc
DES: gcry_des
3DES: gcry_des
DSA: gcry_dsa
ECDSA: gcry_ecc
MD4: gcry_md4
MD5: gcry_md5
RFC2268_40: gcry_rfc2268
AES: gcry_rijndael
AES192: gcry_rijndael
AES256: gcry_rijndael
RIPEMD160: gcry_rmd160
RSA: gcry_rsa
SEED: gcry_seed
SERPENT128: gcry_serpent
SERPENT192: gcry_serpent
SERPENT256: gcry_serpent
SHA1: gcry_sha1
SHA224: gcry_256
SHA256: gcry_256
SHA512: gcry_512
SHA384: gcry_512
TIGER192: gcry_tiger
TIGER: gcry_tiger
TIGER2: gcry_tiger
TWOFISH: gcry_twofish
TWOFISH128: gcry_twofish
WHIRLPOOL: gcry_whirlpool

Interesting...

Edit:

Looking at the wiki's entry on the UEFI boot process:

1.  System switched on - Power On Self Test, or POST process.
2.  UEFI firmware is loaded. Firmware initializes the hardware required for booting.
3.  Firmware then reads its Boot Manager data to determine which UEFI application to be launched and from where (i.e. from which disk and partition).
4.  Firmware then launches the UEFI application as defined in the boot entry in the firmware's boot manager.
5.  The launched UEFI application may launch another application (in case of UEFI Shell or a boot manager like rEFInd) or the kernel and initramfs (in case of a boot loader like GRUB) depending on how the UEFI application was configured.

It seems that the decryption stage will need to take place before the third step where the firmware reads the Boot Manager's data to determine where the boot data is located.
I believe the best place to insert the decryption would be between steps two and three, but potentially step three itself could be split so that the decryption could take place after the UEFI determines which application to launch.

I guess the next step will be downloading the GRUB2 tarball and taking a look at the source code, particularly how unencrypting a root after a successful boot is handled.

Edit:

I've downloaded the source code from GNU's site, but can't seem to find any modules, well, anywhere.  Even using find has turned up nothing.  The only thing that I did seem to find was their example of "Hello World" written in C.

Shouldn't the source for these modules be here if this is FOSS compliant?

Edit:

Never mind about the module source files, I forgot they wouldn't be ending in .mod >_<

Last edited by davewuvswaffles (2014-02-13 05:00:29)
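
Added example, not part of the original post: shell functions that read the "NAME: module" format of crypto.lst shown above and report which gcry_* modules a LUKS header's cipher and hash map to. It assumes GRUB resolves algorithm names by a case-insensitive match on the first column; the list excerpt and the luksDump fields are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: resolve a LUKS header's cipher and hash
# to GRUB modules through the "NAME: module" lines of crypto.lst.

# Constructed excerpt of crypto.lst, built from entries quoted in the post.
CRYPTO_LST='AES: gcry_rijndael
AES-256: gcry_rijndael
RIPEMD160: gcry_rmd160
SHA1: gcry_sha1
TWOFISH: gcry_twofish
WHIRLPOOL: gcry_whirlpool'

# Constructed sample of LUKS1-style "cryptsetup luksDump" header fields.
LUKS_DUMP='Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
MK bits:        512'

# lookup_module NAME: print the module listed for NAME; non-zero exit if absent.
# Assumption: names are matched case-insensitively against the first column.
lookup_module() {
    printf '%s\n' "$CRYPTO_LST" | awk -F': *' -v want="$1" '
        toupper($1) == toupper(want) { print $2; found = 1; exit }
        END { exit !found }'
}

# header_field LABEL: print the value of one "Label: value" header line.
header_field() {
    printf '%s\n' "$LUKS_DUMP" |
        awk -F': *' -v label="$1" '$1 == label { print $2; exit }'
}

# required_modules: print the de-duplicated modules for the header's cipher
# and hash, or "MISSING:<name>" for an algorithm with no entry in the list.
required_modules() {
    for name in "$(header_field 'Cipher name')" "$(header_field 'Hash spec')"; do
        lookup_module "$name" || echo "MISSING:$name"
    done | sort -u | paste -sd ' ' -
}

required_modules
```

A "MISSING:" entry means the list has no line under that exact name, which is worth checking before relying on the boot loader to open the volume.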

#2 2014-02-15 20:38:58

Rexilion
Member
Registered: 2013-12-23
Posts: 784

Re: GRUB2 Boot from LUKS device - Advice needed

If you manage to get SecureBoot to work, then there is no need to tamper with /boot. If someone tampers with /boot, it will not boot since SecureBoot will see that.

So I suggest you simply try to enable SecureBoot and you are done.


fs/super.c : "Self-destruct in 5 seconds.  Have a nice day...\n",
