Hi all,
I was wondering if there are some 'common' ways to prevent tampering
with the unencrypted kernel and initrd in the case of an encrypted root
filesystem? If somebody has access to your computer they could change
the initrd and kernel and make your encryption useless (e.g. store the
password in /boot, or send it over the network, etc. etc.). It shouldn't
be too hard to make this at least very difficult.
I was thinking along the lines of:
- check a checksum of the MBR and partition table
- check a checksum of the complete /boot filesystem
- check the pointers in the kernel system call table (detects many rootkits)
- check for virtualization (any virtual rootkits)
- ...? any better ideas how to detect tampering?
Obviously all of this should be done by a binary inside the encrypted
filesystem - everything in /boot (kernel and initrd) is not to be
trusted. That means we can only warn the user after the password is
probably gone already, but this is better than nothing.
Any comments, ideas or links ?
regards,
Olivier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
