full drive encryption - check /boot for manipulation

From: Michael Heide <michael.heide(at)student.uni-siegen.de>
Date: Thu Oct 18 2007 - 15:51:45 EDT


Hi,
I recently installed Debian etch with the full-drive encryption option the installer offers. Now everything but the boot partition is encrypted.

I was concerned about the fact that there is one simple way to circumvent the whole encryption system if someone has physical access to the PC: simply replace the kernel or initrd on the boot partition to include some trojan horses, or something else...

I do not know of anything in a standard Debian installation which monitors this, so I've written some little scripts for this purpose :-) It's more or less an idea / proof of concept for now; there are no checks in it, for example whether /boot has to be mounted before updating etc... Nor is it immune against manipulation itself, e.g. the modified initrd can simply update the bootmd5 database on its own ;-) ...

It simply checks the md5sum of all files in /boot and whether there are new or vanished files. It has to be run after every kernel update, needless to say.

No, I know I'm not a security expert. So please tell me if I'm completely wrong :-). For any answer to this list, please CC me; I'm not a list member (for now).

Sincerely
Michael Heide

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Thu Oct 18 16:10:10 2007

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:13 EDT
