[dm-crypt] Integrate cryptsetup in bootloader
ralf+dm at ramses-pyramidenbau.de
Wed Nov 20 01:28:18 CET 2013
On 11/20/2013 12:28 AM, Sven Eschenberg wrote:
> Aside from the fact that grub2 does actually support loading the kernel
> from an encrypted disk, you could still sign your grub executable for
> secure boot.

And who will verify authenticity?
And where do you want to store the public key for verification?

> Then again, can we really trust SecureBoot and the UEFI firmware not being
> tampered with - that will most probably be the major question on modern

Absolutely. But nevertheless, you always will have to trust a certain
part of your system.

> On Tue, November 19, 2013 05:20, Arno Wagner wrote:
>> On Tue, Nov 19, 2013 at 04:42:55 CET, Ralf Ramsauer wrote:
>>> just an idea, but shouldn't it be possible to implement encryption
>>> algorithms incl. LUKS to GRUB?
>> Possible, yes. But it does not help. Instead of attacking the
>> kernel image or the initrd, an attacker could just attack the grub
>> executable, which could then patch the kernel or the initrd.
>> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
>> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D
>> There are two ways of constructing a software design: One way is to make it
>> so simple that there are obviously no deficiencies, and the other way is to
>> make it so complicated that there are no obvious deficiencies. The first
>> method is far more difficult. --Tony Hoare
>> dm-crypt mailing list
>> dm-crypt at saout.de