
When using full disk encryption, an unencrypted /boot partition is usually required to store the bootloader and the pre-boot environment.

These initcpio or initramfs images need to be loaded before decryption happens, so they are accessible to the (evil maid) attacker, who can replace them with their own, or sneakily modify them to replace the included SSH server or TTY console to leak the decryption passphrase/key to the outside world.

What would be the ideal way to prevent (or detect) tampering with the contents of /boot? Rolling our own signing key, signing the /boot images and hoping there are no bugs within motherboard implementations of BIOS, Secure Boot and security passphrases that would allow an (evil maid) attacker to enroll their own key?

PGP-signing the images, and nulling the memory and stopping the system when we detect that the system was unlocked and loaded by an initcpio/initramfs with an incorrect signature?

Even TPM tools (like Clevis) only provide protection once the system is already set up and running. How would one ensure trust once the TPM has been cleared, such as after a firmware upgrade?

Or is the only reliable protection providing our own /boot externally each time we want to boot the system after a power-off?

  • You seem to be unaware of TPM Platform Configuration Registers (PCRs). Reading this question and its answers might be helpful. Other than that, the evil maid attack is a physical attack on an unattended device, so do not let the device be unattended without additional protection. In other words, if you don't carry the laptop with you, put it into a safe when not using it. Consider personalized stickers and similar measures to make tampering and device replacement easily detectable. Commented Oct 22, 2024 at 5:40
  • Protection against evil maid inherently implies you leave the device unattended. Additionally, this isn't a problem limited to laptops as you suggest, so physical oversight is not possible at all times. Additionally, the TPM implementation is dependent on the hardware manufacturer, so you would be relying on a non-buggy implementation that doesn't leak keys or allow side-channel browsing of the registers. What will you do when the evil maid purges the TPM registers? What you wrote is not helpful, nor related to the question asked. Commented Oct 22, 2024 at 9:09

1 Answer

Using Secure Boot, only a bootloader that has been signed with a key that you explicitly trust (and which can be hidden, irretrievably, in memory that can't be read to retrieve that key, in the TPM) can boot.

So, at some point you set up a signing key, install it into the TPM, say "I trust this bootloader. It cannot be made to do things like install a keylogger prior to booting into Linux!", and thus sign the bootloader.

The bootloader then could be configured to only accept unified Linux kernel and initrd images that you signed, as well.

That, by the way, is a pretty standard thing to do – Windows does it, and many "corporate-y" Linux distros do it by default or can do it – Ubuntu, Fedora and Redhat included.

How would one ensure trust once TPM has been cleared, such as after firmware upgrade?

You don't. A firmware upgrade would never clear the TPM. The TPM is, by definition of what it is, something that should not be touched by a firmware update; in fact, it should be immutable to the firmware (that's the point!). It's the root of trust – you can't modify it. The moment you do, you lose trust, and need to start from zero.

On top of what I describe above, measured boot is the idea of your operating system actually being able to verify that, yes, the first-stage bootloader passed signature verification against this particular key, and yes, the second-stage bootloader or operating system image passed signature verification against the key, and so on.

This involves a bit more interaction with the TPM. Matthew Garrett has some instructional videos on the topic.
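As an added illustration (not part of the answer above, and not real TPM code) of how measured boot ties a secret to the exact /boot contents: each boot stage is hashed into a PCR with the one-way extend operation, and a disk key "sealed" to the expected PCR value is released only when the replayed chain matches. The stage contents, key and seal/unseal model are constructed stand-ins; a real TPM performs the extend and keeps the sealing key internally.

```python
import hashlib
from typing import Optional, Sequence

PCR_LEN = 32  # SHA-256 PCR bank


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 2.0 PCR extend on the SHA-256 bank: new = H(old || H(component)).

    A PCR can only be extended, never written directly, so the final value
    depends on every component measured and on the order of measurement.
    """
    return sha256(pcr + sha256(component))


def measure_boot_chain(stages: Sequence[bytes]) -> bytes:
    """Replay what firmware and bootloader do: start at zero, extend per stage."""
    pcr = bytes(PCR_LEN)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


def seal(secret: bytes, trusted_stages: Sequence[bytes]) -> dict:
    """Bind a secret to the PCR value the trusted boot chain produces.
    (Model only: a real TPM encrypts the secret under a key it never exports.)"""
    return {"policy_pcr": measure_boot_chain(trusted_stages), "secret": secret}


def unseal(blob: dict, booted_stages: Sequence[bytes]) -> Optional[bytes]:
    """Release the secret only if the chain that actually booted matches policy."""
    if measure_boot_chain(booted_stages) != blob["policy_pcr"]:
        return None
    return blob["secret"]


# Constructed stand-ins for the unencrypted /boot artifacts.
SHIM = b"shim.efi:v1"
BOOTLOADER = b"grubx64.efi:v1"
UKI = b"linux.efi:kernel+initramfs:v1"
GOOD_CHAIN = (SHIM, BOOTLOADER, UKI)
DISK_KEY = b"constructed-luks-key"

if __name__ == "__main__":
    blob = seal(DISK_KEY, GOOD_CHAIN)
    print("honest boot  :", unseal(blob, GOOD_CHAIN))
    tampered = (SHIM, BOOTLOADER, UKI + b":modified-initramfs")
    print("tampered boot:", unseal(blob, tampered))
```

Because extend is one-way, a modified or reordered stage cannot be "extended back" to the trusted value; and after the TPM is cleared (the case raised in the question), the sealed blob is gone for good and the key must be re-sealed against a chain you trust again.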
