On Fri, Mar 20, 2020 at 1:50 AM Petr Pisar <ppisar@xxxxxxxxxx> wrote:
>
> On Thu, Mar 19, 2020 at 12:59:01PM -0600, Chris Murphy wrote:
> > On Thu, Mar 19, 2020 at 11:53 AM Marius Schwarz <fedoradev@xxxxxxxxxxxx> wrote:
> > >
> > > On 19.03.20 at 17:11, Michael Cronenworth wrote:
> > > > On 3/19/20 11:04 AM, Marius Schwarz wrote:
> > > >> Correct, and that's the main issue: as long as you have grub where you can
> > > >> edit the kernel line to start in runlevel 1,
> > > >> this makes the encryption null and void.
> > > >
> > > > Adding a grub password will prevent those without it from editing your
> > > > boot parameters. By default you can still boot without the grub
> > > > password. Does that help?
> > >
> > > It would solve a problem.
> > >
> > > - Does it prevent updates (after booting into rl 5) of grub?
> > > - Where is the passcode stored?
> >
> > grub.cfg or user.cfg contains the hashed password.
> >
> > https://wiki.archlinux.org/index.php/GRUB/Tips_and_tricks#Password_protection_of_GRUB_menu
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password
> >
> > But if the attacker has physical access to the computer, they can
> > mount /boot/efi or /boot where this file is stored and remove the
> > password requirement.
>
> Not at all. GRUB code and configuration are protected by TPM measurement. If an
> attacker tampers with them, decrypting LUKS will fail on a missing or wrong passphrase.

I wasn't assuming measured boot; but in that case it provides better
protection without needing the locked-up kiosk setup. But none of this
is really easy to set up right now; quite a lot of people have computers
without a TPM.
--
Chris Murphy
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
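The thread above turns on two facts: where the GRUB password hash lives (user.cfg, read by Fedora's /etc/grub.d/01_users, which sets `superusers="root"` and calls `password_pbkdf2`) and whether a TPM is present so that measurement, rather than the mere existence of the file, protects the configuration. The script below is an added example written for this page, not code from the thread or from the grub2 package; it renders the user.cfg line, audits an existing file for a configured password, and checks whether the kernel exposes a TPM. The hash value is a constructed placeholder; on a real system it comes from `grub2-mkpasswd-pbkdf2` or `grub2-setpassword`, and the `/sys/class/tpm` path is the standard kernel location, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): manage and audit the
# GRUB password hash that lives in /boot/grub2/user.cfg on Fedora, and check
# whether a TPM exists so that measured boot can protect that file at all.

# Render the single line Fedora's /etc/grub.d/01_users expects in user.cfg.
# 01_users sources the file, sets superusers="root" and calls password_pbkdf2,
# so menu editing needs the password while default entries stay bootable.
# Only a grub.pbkdf2.sha512 hash is accepted; a plaintext value is refused
# because it would be written to an unencrypted /boot partition.
render_user_cfg() {
    hash="$1"
    case "$hash" in
        grub.pbkdf2.sha512.*) ;;
        *) echo "refusing: not a grub.pbkdf2.sha512 hash" >&2; return 1 ;;
    esac
    printf 'GRUB2_PASSWORD=%s\n' "$hash"
}

# Audit: does the given user.cfg carry a PBKDF2 password at all?
# Returns 0 when configured, 1 when the file is missing or has no hash line.
grub_password_configured() {
    f="$1"
    [ -f "$f" ] && grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.' "$f"
}

# Does the kernel expose a TPM? Without one, user.cfg is only as protected as
# the filesystem holding /boot, which is the weakness raised in the thread.
# The directory argument exists so the check can be exercised against a
# constructed path; the real location is /sys/class/tpm.
tpm_present() {
    dir="${1:-/sys/class/tpm}"
    [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]
}

# Stand-alone usage: report the state of the running system.
# (Constructed placeholder hash; generate a real one with grub2-mkpasswd-pbkdf2.)
if [ "${1:-}" = "--report" ]; then
    render_user_cfg 'grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH'
    if grub_password_configured /boot/grub2/user.cfg; then
        echo "grub password: configured"
    else
        echo "grub password: not configured"
    fi
    if tpm_present; then
        echo "tpm: present (measured boot can cover grub.cfg/user.cfg)"
    else
        echo "tpm: absent (user.cfg is protected only by the /boot filesystem)"
    fi
fi
```

Run it with `--report` as root to see both answers for the current machine; the two checks together tell you whether the "attacker can mount /boot and strip the password" scenario from the thread applies, or whether TPM measurement makes that tampering break the LUKS unlock instead.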