
#1 2014-08-18 20:14:33

atertillic
Member
Registered: 2014-01-13
Posts: 7

[SOLVED] How secure is an initcpio hook for blocking boot

Hi.

I'm trying to secure my laptop with a yubikey. I don't want to use full disk encryption, so without the plugged yubikey (and a wrong fallback password) the boot process should lock the boot process. I have found a good post on how to create a custom hook for this purpose.

My hook is a very simple authentication script. The challenge for the yubikey doesn't change. It is hard coded in the script as well as the expected response and the fallback password (as hashes). If unsuccessful, the script reboots after a timeout with

echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger

(A simple "exit" caused a kernel panic.)

My question is now: how secure is this method to stop the boot process? Could this script be bypassed? I'm using UEFI without bootloader. The bios is password protected.

Thanks for your input.

Last edited by atertillic (2014-08-20 14:14:12)
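
A sketch of the kind of runtime hook the post above describes, added here as an illustration and not the poster's own script. It assumes the challenge-response is done with `ykchalresp` on slot 2 and that `sha256sum` is available in the initramfs; the hook name, variable names and sample values are constructed.

```shell
#!/usr/bin/ash
# Hypothetical runtime hook, e.g. /etc/initcpio/hooks/ykauth (name assumed).
# It gates this boot path only; an unencrypted disk stays readable elsewhere.

# CONSTRUCTED sample values. A real hook would hard-code the two hashes,
# not derive them from plaintext as done here to keep the example runnable.
CHALLENGE='constructed-challenge'
RESPONSE_HASH=$(printf '%s' 'constructed-response' | sha256sum | cut -d' ' -f1)
FALLBACK_HASH=$(printf '%s' 'constructed-fallback' | sha256sum | cut -d' ' -f1)
TIMEOUT=30

hash_of() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }

# True only if the candidate is non-empty and hashes to the expected value.
matches() { [ -n "$1" ] && [ "$(hash_of "$1")" = "$2" ]; }

# Prints the token's response; prints nothing if no token answers.
token_response() { ykchalresp -2 "$CHALLENGE" 2>/dev/null || true; }

# $1 = token response, $2 = typed fallback password
authenticate() { matches "$1" "$RESPONSE_HASH" || matches "$2" "$FALLBACK_HASH"; }

# Reboot sequence from the post.
force_reboot() {
    echo 1 > /proc/sys/kernel/sysrq
    echo b > /proc/sysrq-trigger
}

# Called by the initramfs init; defined here, never invoked at top level.
run_hook() {
    authenticate "$(token_response)" "" && return 0
    printf 'Fallback password: '
    read -rs pw; echo          # -s (no echo) is a busybox ash extension
    authenticate "" "$pw" && return 0
    echo "Authentication failed, rebooting in ${TIMEOUT}s"
    sleep "$TIMEOUT"
    force_reboot
}
```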


#2 2014-08-18 20:53:55

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,950

Re: [SOLVED] How secure is an initcpio hook for blocking boot

It's not, unless there is any other way to boot your computer. i.e. no USB or optical disk options that are enabled. Also the BIOS/EFI needs to be locked down.

Furthermore, if an adversary has physical access and the drives are not encrypted, there is no protection.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#3 2014-08-18 20:57:50

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111
Website

Re: [SOLVED] How secure is an initcpio hook for blocking boot

If an attacker were capable of getting to the BIOS or bootloader (password or not), they could just as easily physically remove the disk and attach it to another machine. They'll be happy to know that it's unencrypted.


#4 2014-08-18 23:38:36

atertillic
Member
Registered: 2014-01-13
Posts: 7

Re: [SOLVED] How secure is an initcpio hook for blocking boot

Ok, if someone is physically removing my disk, he has access to my unencrypted root. That's OK, I'm using an encrypted partition for the parts of my data that I'm considering worthy enough to be protected. My system is rather boring, that's why I think that a full system encryption is a bit of an overkill.
If the only option to gain access to my laptop would be installing another harddrive, it would be fine for me.
I have set the administration password in the bios. The only way to change the boot order is through bios access. At least what I'm aware of. USB and network boot options are disabled. So the bios always loads the efistub with my authentication hook. Do I have to protect the init script somehow to make sure that the authentication is executed? Is it still possible to gain access to my bootloader? Is the bios password not sufficient? Do I have to additionally lock down the bootloader and/or the bios somehow?


#5 2014-08-19 12:41:26

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] How secure is an initcpio hook for blocking boot

Not much more to do with the bios like that. A malicious software would only need write permissions to /boot to disable your script. One thing you can do to protect your initramfs/script is figuring out how to set up secureboot for it: http://www.rodsbooks.com/efi-bootloader … eboot.html
However, your yubikey solution is non-standard; an attack would have to be targeted to it (or at least an Arch initramfs in general). Since you are not worried about encrypting your data against physical theft, I'd say that time might be better invested in securing your online apps against things like the typical "drive-by-download" attack types .. all the tinkering and passwords you apply at boot don't matter, if you then surf with root.


#6 2014-08-19 20:16:52

atertillic
Member
Registered: 2014-01-13
Posts: 7

Re: [SOLVED] How secure is an initcpio hook for blocking boot

I think I'll pass on secureboot. Just wanted to make sure that the script isn't useless because of a security setting I didn't know about. Thanks for the help!
