Pantek Library

Re: full drive encryption - check /boot for manipulation

From: Michel Messerschmidt <lists(at)michel-messerschmidt.de>
Date: Thu Oct 18 2007 - 17:29:13 EDT


On Thu, Oct 18, 2007 at 09:51:45PM +0200, Michael Heide wrote:
> I was concerned about the fact that there is one simple way to circumvent the whole encryption system if someone has physical access to the PC: to simply replace the kernel or initrd at the boot partition to include some trojan horses, or something else...

Filesystem encryption does *not* protect against trojan horses and similar kinds of malware. It serves other purposes, for example prevention of offline attacks and data leakage.

In theory, any file in use in the running system (and therefore unencrypted) can be targeted by a trojan horse. Even if you are able to encrypt the boot partition, what about the code in the MBR?

If you are concerned about the physical security of a system you can't solve it just with software. Rather look for access restrictions to the hardware, chassis lock and intrusion sensors, disabled alternative boot methods, restrictions on BIOS and bootloader level.

> It simply checks the md5sum of all files in /boot and if there are new or vanished files.
> It has to be run after every kernel update, needless to say.

This is better achieved with integrity checkers like aide or tripwire. Note that the difficult task is not to create the checksums but to store them in a secure but accessible location.

Even an integrity check during kernel boot is no help to ensure a trusted boot process (consider virtualization attacks at the BIOS/boot loader level).
An older but good starting point for this topic is http://www.cis.upenn.edu/~waa/aegis.ps
Also have a look at what the TCG made out of it.

Michel


-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Thu Oct 18 17:29:49 2007
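
The /boot check discussed in this message (changed, new and vanished files), together with the point about where the checksums are kept, as an added example that is not part of the original post or of aide or tripwire. The function names are hypothetical, SHA-256 stands in for md5sum, and the sketch assumes the HMAC key and tag are held off the machine (for example on removable media) so that a baseline edited on disk is rejected.

```python
import hashlib
import hmac
import os


def snapshot(root):
    """Map each file under root (relative path) to a SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                # Hash the link target instead of following the link.
                data = b"symlink:" + os.fsencode(os.readlink(path))
            else:
                with open(path, "rb") as fh:
                    data = fh.read()
            digests[os.path.relpath(path, root)] = hashlib.sha256(data).hexdigest()
    return digests


def seal(digests, key):
    """HMAC-SHA256 over the sorted manifest; key is assumed to live off-host."""
    body = "".join(f"{digest}  {path}\n" for path, digest in sorted(digests.items()))
    return hmac.new(key, os.fsencode(body), hashlib.sha256).hexdigest()


def compare(baseline, tag, key, root):
    """Return (changed, new, vanished) paths; reject an edited baseline."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline manifest does not match its HMAC tag")
    current = snapshot(root)
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    new = sorted(current.keys() - baseline.keys())
    vanished = sorted(baseline.keys() - current.keys())
    return changed, new, vanished


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/boot"
    key = b"constructed-demo-key"  # assumption: really read from removable media
    base = snapshot(root)
    print(compare(base, seal(base, key), key, root))
```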

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:13 EDT

