[dm-crypt] Integrate cryptsetup in bootloader
eternaleye at gmail.com
Wed Nov 20 10:09:11 CET 2013
Christoph Anton Mitterer wrote:
> On Tue, 2013-11-19 at 09:20 +0700, Trinh Van Thanh wrote:
>> Unencrypted boot partition is not safe for some special requirements.
>> So I want to increase the secure level for full disk encryption using
>> dm-crypt. Can I integrate cryptsetup in bootloader (example GRUB2) or
>> is there any other solutions?
> Integrating it in the bootloader doesn't really help you since then the
> bootloader is the weak point.
> In the end you'll always need an unencrypted kernel/initrd/bootloader...
> so what one can do is booting from a USB stick,.. which you have always
> with you... and then have a fully encrypted root-fs.
Integrating with the bootloader isn't a _solution_, but it is a
If you're using GRUB2 in a traditional (non-EFI) boot configuration, you can
get away with leaving VERY little space for an attacker to work in. In
particular, the space before the protective MBR (which is filled by grub's
core, and not especially useful to tamper with) and the BIOS Boot Partition
it uses to store the more full image (EF02 in gdisk).
By creating a truly minimal grub image (cryptdisk, your boot filesystem
driver, the linux loader, maybe a couple other things) in which every part
is necessary to the boot process, and placing the BBP at the end of the
disk, you can force the partition to be the exact minimal size that will
hold that data by resizing the LUKS partition.
That way, tampering in a manner that WON'T cause the boot process to fail
entirely becomes exceedingly difficult, and something with sufficient
complexity to patch the kernel becomes prohibitive.
I used to use GRUB2's cryptdisk support for a while, and while it was tetchy
to work with it does function - if one is familiar with GRUB2's scripting
syntax, coreboot's (very) brief overview is sufficient:
More information about the dm-crypt