On Wed, Jan 6, 2021 at 6:19 AM Jan Engelhardt
On Wednesday 2021-01-06 13:47, Vojtěch Zeisek wrote:
It's very interesting. Looks reasonable. I just wonder about two points: 1) What are consequences (if any) for fully encrypted systems, i.e. now encrypted LVM containing / and swap, with only unencrypted /boot/efi?
I see little difference. Either the kernel+initramfs is located in an unencrypted portion and does the unlock procedure, or else the bootloader needs to understand crypto volumes.
I think the initramfs should be secured in other ways. [1]

The kernel and initramfs aren't secrets, don't need to be encrypted. We encrypt them because by doing so we make them essentially impossible to attack. But what we actually care about is not confidentiality, but rather integrity and authenticity.

One option is FAT. This is simple, widely supported by many bootloaders and even UEFI firmware.

Another option is Btrfs. GRUB offers no journal replay for ext3/4 and XFS. Therefore there are various tricks, or just luck, to try to avoid cases where journal replay might be needed at boot time, possibly rendering the system unbootable because the bootloader has an inconsistent view of the file system, lacking journal replay in such cases. Btrfs has no journal, thus doesn't run into this difficulty. You'll get either the old or the new boot configuration following a crash.

There is the EFI fs [2] project. Turn GRUB file system drivers into EFI drivers. Voilà, the UEFI firmware now understands Btrfs, but you don't need GRUB. And for BIOS, extlinux supports Btrfs.

[1] We have this same problem with the hibernation image. I wonder if the authentication component of this technique could be used to secure a locally generated initramfs? It might require a small generic initramfs in the kernel, to facilitate obtaining a sealed key from a TPM or "yubikey" in order to authenticate the real initramfs. Or possibly just ship a large generic signed initramfs, generated distro-side.
https://lkml.org/lkml/2019/7/10/601

[2] https://github.com/pbatard/efifs

--
Chris Murphy
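An added example, not from Chris Murphy's message or from any project in the thread, of the integrity-over-confidentiality idea in footnote [1]: the initramfs stays in plaintext on an unencrypted boot partition and is accompanied by an HMAC-SHA256 tag computed with a key that, in a real deployment, would be unsealed from a TPM during early boot. The key bytes, the fake cpio image and the file names are constructed placeholders; the TPM unseal step itself is assumed and not shown.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed placeholder: in a real deployment this key would be unsealed
# from a TPM (or a hardware token) during early boot and never stored
# beside the image. Fixed bytes here only so the example is reproducible.
SEALED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Constructed placeholder for a locally generated initramfs. A real image
# is a (usually compressed) cpio archive; only the raw bytes matter here.
INITRAMFS_IMAGE = b"070701" + b"\x00" * 32 + b"/init\x00#!/bin/sh\nexec /sbin/init\n"


def tag_image(image: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over the whole image: an authenticity tag, not encryption."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_image(image: bytes, tag: bytes, key: bytes) -> bool:
    """Constant-time comparison so the check does not leak timing information."""
    return hmac.compare_digest(tag_image(image, key), tag)


def write_tagged_image(directory: str, image: bytes, key: bytes) -> tuple:
    """Store the plaintext image and its tag as two files, as one would on an unencrypted /boot."""
    image_path = os.path.join(directory, "initramfs.img")
    tag_path = image_path + ".hmac"
    with open(image_path, "wb") as f:
        f.write(image)
    with open(tag_path, "wb") as f:
        f.write(tag_image(image, key))
    return image_path, tag_path


def check_tagged_image(image_path: str, tag_path: str, key: bytes) -> bool:
    """What an early-boot stage would do after unsealing the key: read both files and verify."""
    with open(image_path, "rb") as f:
        image = f.read()
    with open(tag_path, "rb") as f:
        tag = f.read()
    return verify_image(image, tag, key)


def demo() -> dict:
    """Exercise the happy path and the two failure modes a verifier must catch."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        image_path, tag_path = write_tagged_image(tmp, INITRAMFS_IMAGE, SEALED_KEY)
        results["genuine_accepted"] = check_tagged_image(image_path, tag_path, SEALED_KEY)

        # Failure mode 1: the image on disk no longer matches the tag (one byte flipped).
        modified = bytearray(INITRAMFS_IMAGE)
        modified[-1] ^= 0x01
        with open(image_path, "wb") as f:
            f.write(bytes(modified))
        results["modified_rejected"] = not check_tagged_image(image_path, tag_path, SEALED_KEY)

        # Failure mode 2: correct image, but the unsealed key is wrong
        # (e.g. the TPM policy no longer matches and unseal yields different bytes).
        with open(image_path, "wb") as f:
            f.write(INITRAMFS_IMAGE)
        wrong_key = bytes(b ^ 0xFF for b in SEALED_KEY)
        results["wrong_key_rejected"] = not check_tagged_image(image_path, tag_path, wrong_key)
    return results


if __name__ == "__main__":
    print(demo())
```

Nothing here is confidential: anyone can read the image and the tag, which is the point of the footnote. What the tag provides is that the early-boot stage refuses an image it did not tag itself, and it can only do so if the key is unavailable to whoever can write to the boot partition, hence the TPM sealing. The distro-side "large generic signed initramfs" option from the same footnote verifies the same way with a public-key signature instead of a MAC, so no per-machine secret is needed at all.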