[dm-crypt] Integrate cryptsetup in bootloader

Ralf Ramsauer ralf+dm at ramses-pyramidenbau.de
Wed Nov 20 01:28:18 CET 2013

On 11/20/2013 12:28 AM, Sven Eschenberg wrote:
> Aside from the fact that grub2 does actually support loading the kernel
> from an encrypted disk, you could still sign your grub executeable for
> secure boot.
And who will verify authenticity?
And where do you want to store the public key for verification?
> Then again, can we really trust SecureBoot and the UEFI firmware not being
> tampered with - that will most probably be the major question on modern
> systems.
Absolutely. But nevertheless, you always will have to trust a certain
part of your system.

> Regards
> -Sven
> On Tue, November 19, 2013 05:20, Arno Wagner wrote:
>> On Tue, Nov 19, 2013 at 04:42:55 CET, Ralf Ramsauer wrote:
>>> Hi,
>>> just an idea, but shouldn't it be possible to implement encryption
>>> algorithms incl. LUKS to GRUB?
>> Possible, yes. But it does not help. Instead of attacking the
>> kernel image or the initrd, an attacker could just attack the grub
>> executable, which could then patch the kernel or the initrd.
>> --
>> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
>> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D
>> 9718
>> ----
>> There are two ways of constructing a software design: One way is to make
>> it
>> so simple that there are obviously no deficiencies, and the other way is
>> to
>> make it so complicated that there are no obvious deficiencies. The first
>> method is far more difficult.  --Tony Hoare
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

More information about the dm-crypt mailing list