[dm-crypt] Integrate cryptsetup in bootloader

Sven Eschenberg sven at whgl.uni-frankfurt.de
Wed Nov 20 00:28:18 CET 2013


Aside from the fact that grub2 does actually support loading the kernel
from an encrypted disk, you could still sign your grub executable for
secure boot.

Then again, can we really trust SecureBoot and the UEFI firmware not being
tampered with - that will most probably be the major question on modern
systems.

Regards

-Sven


On Tue, November 19, 2013 05:20, Arno Wagner wrote:
> On Tue, Nov 19, 2013 at 04:42:55 CET, Ralf Ramsauer wrote:
>> Hi,
>>
>> just an idea, but shouldn't it be possible to implement encryption
>> algorithms incl. LUKS to GRUB?
>
> Possible, yes. But it does not help. Instead of attacking the
> kernel image or the initrd, an attacker could just attack the grub
> executable, which could then patch the kernel or the initrd.
>
> --
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> There are two ways of constructing a software design: One way is to make it
> so simple that there are obviously no deficiencies, and the other way is to
> make it so complicated that there are no obvious deficiencies. The first
> method is far more difficult.  --Tony Hoare
