Hi Nik,

Dr. Nikolaus Klepp writes:

> Hi Olaf!
>
> On Saturday, 17 November 2018, Olaf Meeuwissen wrote:
>> Hi Nik,
>>
>> Dr. Nikolaus Klepp writes:
>>
>> > [...] The initramfs tools provide a handy way to inspect/modify/rebuild
>> > initrd. But the Debian documentation on how initrd works is wrong: it
>> > assumes a one-part archive (which is what you would expect), but in
>> > fact it is a 2-part archive (first part uncompressed, second
>> > compressed). Take a look at /usr/bin/unmkinitramfs line 50 ff to see
>> > how it works. Also look at the referenced linux/lib/earlycpio.c for
>> > further detail. The most important point is this: processes started
>> > in initrd survive switch_root. There goes your "full disk encryption"
>> > myth.
>>
>> Not sure I understand what's going on but if you have an unencrypted
>> /boot, you, by definition, don't have full disk encryption.
>>
>> I'm using libreboot as my BIOS and have *all* of /dev/md0 encrypted. My
>> BIOS asks me for a password to decrypt whatever is in /boot.
>>
>> Are you implying that even in my scenario the "full disk encryption"
>> myth goes out of my window?
>
> Just for the fun of applied paranoia: How do you ensure that nobody
> tampered with your eeprom? Did you seal it properly after you made
> the chip readonly? If not, then you still have the same problem, just
> a level higher.

If someone tampered with the eeprom I guess I'd have a problem and
someone might be eavesdropping on my disk I/O but my disks would still
be fully encrypted as in I could give you one of the disks from my RAID1
setup and you wouldn't be able to find out what's on it.

> Or did you go the way of heads (https://github.com/osresearch/heads)?

Libreboot is coreboot w/o the blobs and I went down a path similar to
that taken by heads. The BIOS has a GRUB payload capable of decrypting
enough of the disk(s) to pass the buck to the OS.

> Last time I checked, there was still a "full disk encryption" in the
> Debian installer. I know that's just marketing blahblah, but still it
> gives a false sense of security to the not-so-paranoid user. There's
> even a bugreport about that misnomer:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858009 :-)

Hope this helps,
-- 
Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
 Support Free Software https://my.fsf.org/donate
 Join the Free Software Foundation https://my.fsf.org/join
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
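The two-part initrd layout Nik describes (an uncompressed newc cpio, then a compressed cpio) is what makes "just gunzip the initrd and list it" miss the first part, and why inspecting the initrd for anything you did not put there means splitting it first. The following is an added example, not code from this thread or from initramfs-tools or the kernel: it builds a constructed two-part archive (an early cpio holding a fake microcode blob, zero padding to a 512-byte block as GNU cpio emits, then a gzip-compressed main cpio) and then walks the newc headers to find where the uncompressed part ends, skips the padding and identifies the compressed part by its magic bytes, the same job unmkinitramfs has to do. The newc header layout is the standard one; the compressor magic list and the 512-byte padding are the author's assumptions about typical images, and only gzip is unpacked here.

```python
import gzip

# Added example, not code from the thread, initramfs-tools or the kernel.
NEWC_MAGIC = b"070701"   # "newc" (SVR4, no CRC) cpio header magic
HEADER_LEN = 110         # 6-byte magic + 13 eight-digit hex fields
TRAILER = "TRAILER!!!"   # name of the entry that ends a cpio archive

# Magic bytes of compressors the kernel can unpack an initramfs with (assumed list).
COMPRESSION_MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"BZh", "bzip2"),
    (b"\x28\xb5\x2f\xfd", "zstd"),
    (b"\x04\x22\x4d\x18", "lz4"),
]


def _pad4(n):
    """Round n up to a multiple of 4; newc aligns both file data and headers."""
    return (n + 3) & ~3


def build_newc(entries):
    """Build a minimal newc cpio from (name, data) pairs, ending in TRAILER!!!.

    Used only to construct sample input; real initrds come from mkinitramfs.
    """
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries) + [(TRAILER, b"")], start=1):
        name_b = name.encode() + b"\0"
        mode = 0o100644 if name != TRAILER else 0
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
        # rdevmajor, rdevminor, namesize, check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += NEWC_MAGIC + b"".join(b"%08X" % f for f in fields) + name_b
        out += b"\0" * (_pad4(len(out)) - len(out))   # data starts 4-aligned
        out += data
        out += b"\0" * (_pad4(len(out)) - len(out))   # next header 4-aligned
    return bytes(out)


def walk_newc(blob, base=0):
    """Parse newc entries from `base`; return (names, offset just past TRAILER!!!)."""
    names, pos = [], base
    while True:
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("no newc header at offset %d" % pos)
        hdr = blob[pos:pos + HEADER_LEN]
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = blob[pos + HEADER_LEN:pos + HEADER_LEN + namesize].rstrip(b"\0").decode()
        data_pos = base + _pad4(pos + HEADER_LEN + namesize - base)
        pos = base + _pad4(data_pos + filesize - base)
        if name == TRAILER:
            return names, pos
        names.append(name)


def split_initramfs(blob):
    """Split a concatenated initramfs into parts: [{offset, kind, names}, ...].

    kind is "cpio" for an uncompressed part or the compressor name; names is
    None for compressors not unpacked here.
    """
    parts, offset = [], 0
    while offset < len(blob):
        # The kernel's loader skips NUL padding between archives; so do we.
        while offset < len(blob) and blob[offset] == 0:
            offset += 1
        if offset >= len(blob):
            break
        if blob.startswith(NEWC_MAGIC, offset):
            names, end = walk_newc(blob, offset)
            parts.append({"offset": offset, "kind": "cpio", "names": names})
            offset = end
            continue
        for magic, kind in COMPRESSION_MAGIC:
            if blob.startswith(magic, offset):
                break
        else:
            raise ValueError("unknown data at offset %d" % offset)
        # The compressed part is taken to run to end of file; only gzip is unpacked.
        names = walk_newc(gzip.decompress(blob[offset:]))[0] if kind == "gzip" else None
        parts.append({"offset": offset, "kind": kind, "names": names})
        offset = len(blob)
    return parts


def sample_initramfs():
    """Constructed two-part initrd: early cpio, 512-byte zero padding, gzip'd main cpio."""
    early = build_newc([("kernel/x86/microcode/GenuineIntel.bin", b"\x00" * 16)])
    early += b"\0" * (-len(early) % 512)
    main = build_newc([
        ("init", b"#!/bin/sh\nexec /sbin/init\n"),
        ("scripts/local-top/cryptroot", b"# unlocks the encrypted root\n"),
    ])
    return early + gzip.compress(main)


if __name__ == "__main__":
    for part in split_initramfs(sample_initramfs()):
        print(part["offset"], part["kind"], part["names"])
```

Running it lists the microcode entry at offset 0 as a plain cpio and the gzip part at offset 512 with `init` and the cryptroot hook inside; a tool that only decompresses from offset 0 never sees the first part at all, which is the point Nik is making. To check a real `/boot/initrd.img-*` against what `unmkinitramfs` unpacks, read the file into `blob` and call `split_initramfs(blob)` on it.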