Poettering: Authenticated Boot and Disk Encryption on Linux

I don't quite grok how this can happen. Can you mount/modify/unmount an encrypted drive without the key/password? Or is /boot unencrypted _and bits in it read and trusted without checking against signatures_?

What do you do about data that doesn't live in /usr, /etc, /var, or /home/$USER? The nice thing about FDE is that it ensures all data, no matter where you put it, is encrypted.

I see the problem being solved with initrd but I don't see a lot of advantage to doing more than fixing the initrd loophole, then applying FDE. Maybe I missed the reason for all the additional complexity.

Only one caveat/aspect that isn't quite covered: disk corruption. One but flip somewhere and nothing boots.

Yes, data can be recovered (recovery methods presented) and yes a bit flip should not go unnoticed!

I am just saying that when it happens, being able to somehow rollback/reinstall/restore would be of tremendous help. Then all that sounds like a plan. :)

> I'd try to ditch the Shim, and instead focus on enrolling the distribution vendor keys directly in the UEFI firmware certificate list.

He's missing the obvious. Afaik, the only free software UEFI just runs in a VM. TPM is completely nonfree. There's also Intel ME / AMD PSP. You have no security from the developer of any of that software, they could easily have backdoors or bugs that can serve as backdoors. Putting a key into a nonfree blob and expecting it only unlock when it gets that key is a serious real flaw in security.

> Some corners of the community tried (unfortunately successfully to some degree) to paint TPMs/Trusted Computing/SecureBoot as generally evil technologies that stop us from using our systems the way we want.

What corners? FSF certainly criticized Secure Boot as /potentially/ bad, but not generally evil: https://www.fsf.org/campaigns/campaigns/secure-boot-vs-re... And about this quote: "the way SecureBoot/TPMs are defined puts you in the driver seat if you want." That is just so wrong. Microsoft DID help ship arm computers where SecureBoot prevented non-windows OSes from booting: https://softwarefreedom.org/blog/2012/jan/12/microsoft-co... . Stating the obvious danger helped!

> Yes, the way SecureBoot/TPMs are defined puts you in the driver seat if you want — and you may enroll your own certificates to keep out everything you don't like.

No, nonfree software does not "put you in the driver seat" in a an essential fundamental way. I'm fairly confident we would already have a cryptographically verified boot on GNU/Linux if it weren't for all this firmware being nonfree.

* The initramfs/cmdline is not part of the secure boot trust chain. That can be solved easily by generating a Unified Kernel Image[1], that combines the kernel, cmdline and initramfs in one .efi executable, all of which gets picked up by Secure Boot and measured by TPM. Few distros use it as far as I know, but it's easy enough with eg. package manager hooks.

* The data on disk is not authenticated. That can again be easily solved by using btrfs (or any other filesystem which checksums everything) over dm-crypt.

1: https://wiki.archlinux.org/title/Systemd-boot#Preparing_a...

It seems like having to pre-partition your disks into so many partitions (and leave space for extra partitions in case you want to add more users?) is going to waste lots of disk space, especially as most of the partitions will likely be more than half empty.
(I know you could use LVM to _partially_ solve that, but it’s not exactly user-friendly/automatic, and shrinking would be an issue too.)

It would probably be better to build this on a file system that can do its own data encryption & authentication on subtrees/subvolumes…

https://pulsesecurity.co.nz/articles/TPM-sniffing
https://news.ycombinator.com/item?id=19379092

So I've whole-except-boot partition encryption (with an LVM inside, but that part is irrelevant). This protects my data at rest (the most probable scenario: I leave my laptop in the metro and someone can try to extract the data at their leisure).

Passably strong passphrase: pwgen -n 16.

The day the "hacked initrd" scenario becomes more important, I'll have my boot partition on an SD card I keep separate from my laptop. Perhaps I can leave an initrd partition on disk, as a honeypot. But this day ain't today.

Note that whenever your opponent's dedication reaches that level, they can as well rubberhose-cryptanalyse [1] you. Obligate XKCD and things. Plausibly deniable encryption would be a really cool thing here.

The whole secure "bios" thing? Sorry. Too complex for security. I understand people geeking off about "trusted roots" and things, but that gives to your (hardware and OS) providers so much control over you [2] that I won't touch it. Not with antiseptic gloves.

And, oh, PS: it's impressive how the very first post nearly derailed this discussion into a systemd flamefest. Why, oh, why?

[1] Just a metaphor. Laws like the ones in UK where they can detain you practically indefinitely are on a similar level.
[2] And it is being used for things like Netflix et al making sure you don't cheat on them. Well I don't cheat on them either. They just don't exist for me.

A regular guy whose laptop is stolen by a regular thieve will not get hacked as soon as he has a reasonable password (i.e. not 123456) will NOT get hacked by this thieve. The laptop will be formatted and sold. Or maybe it'll be sold without being formatted.

Even if you're not a regular guy, because some of your hobby or work involves handling sensitive information (that you shall not put on a non-secure computer, and it can only be secure if you know what you're doing, not if you let a distrib do what it wants to do) there is good chance that the thief is not interested in your data.

If he does care about your data then it's far easier for him to "nicely ask for your help" that to hack you in the first place (XKCD style: https://xkcd.com/538).

And if he's not in the position of being able to ask you then you shall make sure the data is safe. Distributions can only gives you a false sense of security - it's not /their/ job to correctly secure /your/ hardware. You shall use whatever suits you (HSM, TPM2, full-disk encryption, biometric sensors... It's quite easy to set up and has been available for ages ; a lenovo w520 (2011) offers hardware-based hard drive encryption that can be protected at boot by the scan of your fingerprint ; you can get one for $200 to $400 on ebay).

The forever elusive "Harry the Hacky Hacker" that will stole your PC to check on your internet search history in order to set up a wildly complex plan to take on the U.N. does not *really* exist outside movies.

That's probably fine for `/etc`, but likely to be quite noticeable for `/var` in any nontrivial setup. Most data center deployments that already have physical security are going to want to keep performance I'd guess. Probably this would also be a notable hit for "local workstation" flows where you're e.g. doing e.g. compilation; cloning git repos, pulling build containers, etc. Splitting some of this stuff into separate encrypted-but-not-authenticated volumes gets into a lot of nuanced tradeoffs.

In the end, I would agree this type of setup probably deserves to be an available checkbox in most general-purpose Linux system installers. And with my CoreOS hat on, installer = ignition config applied on firstboot, so it *can* work in IaaS clouds too, even if I doubt most people would want it there since "evil maid" types attack in IaaS generally either require root on the hypervisor or root account credentials, in which case you have much bigger problems.

Anyways, on the larger topic I have this blog entry which I think still applies:
https://blog.verbum.org/2017/06/12/on-dm-verity-and-opera...

Basically it's important to keep in mind here that this proposal does *not* have the property that if your system is compromised remotely (e.g. web browser exploit), then it's still easy for an attacker to persist code in all the usual places (`~/.bashrc`, `/etc/systemd/system`, `~/.local/share/containers`, `/var/lib/containers`, any VM images you have, etc.).

You didn't mention e.g. Fedora CoreOS which *is* shipping image based updates, but not authenticated (e.g. dm-verity) right now because to me it's really important to preserve the ability to e.g. roll back just the kernel on a specific machine because you hit an issue after an update. ( https://github.com/coreos/fedora-coreos-tracker/issues/940 is just one recent example )

Having a dm-verity for the rootfs in theory can make it easier to reprovision if you suspect compromise, but the thing is if you *do* suspect compromise I think it's generally always going to be better to just re-install the entire thing from trusted USB key or equivalent. (And then of course, for general purpose PCs and equivalent there's the whole problem of UEFI malware and flaws in vendor firmware...)

What makes a lot of sense to me is supporting a flow where (as my previous blog mentions) *everything* (OS, OS configuration, apps) are rolled into a big dm-verity or equivalent and there is no mechanism to persist code across reboot. There are people that are doing this for embedded devices. But I have difficulty imagining this for a workstation (dealing with things like `~/.bashrc`), and for the datacenter use case it's nuanced; the hard part there again I think is things like "OK we need to test this kernel on this specific server" and how the signing process works and validating that it's easy and predictable to build a new image in the exact state, just with that kernel override and such.

If this scenario is not ruled out, I can't understand why we should regularly brick our systems in unbootable state just to prevent non existing threat.

At a Linux Plumbers conference you asked other core developers if they would trust to put a private key on a shared machine, but if you study Gernot Heiser's work on SeL4 at CSIRO you will learn that Linux cannot be secure without being re-written, because the single big C-language turing machine that Linux lives in it is impossible to analyze what talks to what.

One interesting way that booster uses for for an encrypted partition key computation is network-binding. See clevis and tang https://github.com/latchset/clevis