#1 2015-05-31 14:25:56

Jakkin
Member
From: 403 Forbidden
Registered: 2014-10-16
Posts: 18

GRUB security: hashing initial ramdisks

This may be in the wrong spot, I didn't know where to put it.
Is it possible to implement a hashing mechanism into GRUB to verify the integrity of its ramdisks? It's to prevent an "extended evil maid attack" like this.
I'm asking to discuss if it would even be possible to implement such a mechanism. Any ideas or comments?


Anyone who NEEDS to be TAUGHT how to interact with a computer probably shouldn't be allowed near one. -Sopwith


#2 2015-05-31 14:56:27

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: GRUB security: hashing initial ramdisks

How about chkboot for generating and comparing hashes for everything in /boot?

Also, GRUB can now boot from an encrypted /boot partition...

It's all covered in the wiki.

Last edited by Slithery (2015-05-31 15:04:22)


No, it didn't "fix" anything. It just shifted the brokenness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

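Added example, not code from this thread and not chkboot's own implementation: a baseline-and-verify routine in the spirit of "hash everything in /boot". It records a SHA-256 manifest of every regular file under a directory and later reports files that were modified, removed, or newly added (a dropped-in kernel or initramfs shows up in that last category, which a plain `sha256sum -c` would miss). The directory and manifest path are parameters, so it can be exercised on a constructed sample tree instead of the real /boot; it assumes GNU coreutils (`sha256sum -c --quiet`, `find`, `sort`, `comm`, `cut`, `mktemp`).

```shell
#!/bin/sh
# Added example (not chkboot, not from the thread): baseline and verify a boot tree.
# Assumes GNU coreutils. Usage on a real system would be, for instance:
#   boot_hash_baseline /boot /root/boot.sha256      # once, from a known-good state
#   boot_hash_verify   /boot /root/boot.sha256      # later, e.g. at each boot
# Keep the manifest where an attacker with write access to /boot cannot also
# rewrite it (the encrypted root, or the USB stick mentioned later in the thread).

# Emit "<sha256>  <relative path>" for every regular file below $1, sorted by path.
_hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Record the baseline manifest ($2) for the tree at $1.
boot_hash_baseline() {
    _hash_tree "$1" > "$2"
}

# Verify the tree at $1 against manifest $2.
# Returns 0 when every baseline file is present and unmodified and nothing was added,
# 1 when at least one file was modified, removed, or is missing from the baseline.
boot_hash_verify() {
    dir=$1
    manifest=$2
    status=0

    # Modified or missing files: sha256sum -c prints a FAILED line for each one.
    if ! ( cd "$dir" && sha256sum -c --quiet "$manifest" ); then
        status=1
    fi

    # Files present now but absent from the baseline. A sha256sum line is
    # 64 hex chars plus two spaces, so the path starts at column 67.
    have=$(mktemp)
    want=$(mktemp)
    _hash_tree "$dir" | cut -c 67- > "$have"
    cut -c 67- "$manifest" > "$want"
    added=$(LC_ALL=C comm -13 "$want" "$have")
    if [ -n "$added" ]; then
        printf 'not in baseline: %s\n' "$added" >&2
        status=1
    fi
    rm -f "$have" "$want"

    return "$status"
}
```

As frostschutz points out below, a check like this only tells you whether the files on the partition still match the manifest; it says nothing about whether the kernel and initramfs that actually booted came from those files. Its value is as a tamper indicator, not as a root of trust.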

#3 2015-05-31 17:28:09

frostschutz
Member
Registered: 2013-11-15
Posts: 1,418

Re: GRUB security: hashing initial ramdisks

Of course you can check hashes. But it's just as possible to make sure that the hashes will be the correct ones despite having modified your initramfs. Who says that, after you mount your /boot partition and check hashes of kernel images and initram.gz files on that partition, the kernel and initramfs that were booted actually came from there, or that they were unmodified before the boot process got so far as to let you mount it and check its hashes? Same goes for the bootloader; it just moves the problem into another layer, it does not change much regarding the security of anything. People can modify bootloaders just as well as initramfs images.

Never leave your bootloader and /boot unattended. Put it on a small USB stick with your keys and keep it in your pocket, and have an encrypted keyfile so a normal keylogger won't be sufficient to get your passphrases.

mkinitcpio hook for luks encrypted keyfile: https://bbs.archlinux.org/viewtopic.php … 1#p1502651


Edit:

It would be different if the kernel supported some kind of built-in hash or signature checking for ramdisks. But such a feature would be news to me, and it wouldn't prevent someone replacing the kernel itself unless the kernel itself had to be signed too (and that checked by the higher layers, as in the BIOS itself). I guess that's what passes as "secure boot", but not sure how practical it is...

Last edited by frostschutz (2015-05-31 17:43:09)
