On Mon, Dec 28, 2009 at 09:28:43PM +0100, Olivier Sessink wrote: > Hi all, > > I was wondering if there are some 'common' ways to prevent tampering > with the unencrypted kernel and initrd in the case of an encrypted root > filesystem? No. Any "common" way would automatically become ineffective. Your only chance is to do something unexpected and hence uncommon. > If somebody has access to your computer they could change > the initrd and kernel and make your encryption useless (e.g. store the > password in /boot, or send it over the network, etc. etc.). It shouldn't > be too hard to make this at least very difficult. It is theoretically impossible and practically very hard. > I was thinking along the lines of: > - check a checksum of the MBR and partition table => Fake the check > - check a checksum of the complete /boot filesystem => See above > - check the pointers in the kernel system call table (detects many rootkits) => See above. > - check for virtualization (any virtual rootkits) => Very hard and the check can be removed. > - ...? any better ideas how to detect tampering? > > Obviously all of this should be done by a binary inside the encrypted > filesystem - everything in /boot (kernel and initrd) is not to be > trusted. That means we can only warn the user after the password is > probably gone already, but this is better than nothing. > > Any comments, ideas or links ? With an attacker competent enough to do this type of tampering you are screwed as long as you rely on the on-disk information. But here is something easy: Use an external boot medium for verification, e.g. a memory-stick installed Knoppix with some custom check script you call manually or automatically. Keep the external checker system separate from the laptop. With that the ideas you outlined above would work. You can, e.g., compary MBR and files in /boot to checksums or good copies. I currently have an 8GB SuperTalent Stick with the Knoppix DVD installed on it in my vallet. Adding packages and your own data/programs is possible as it has a writable filesystem (writes get ovelayed on top of the read-only DVD image). Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
