On Wed, May 29, 2013 at 11:02 AM, shawn wilson <[email protected]> wrote: > I guess I should've said what my use case is: > I want a boot system that unlocks a partition where everything is > checked to prevent an evil maid attack. I can sign / check everything > but the key and the integrity checker. However, someone could replace > gpg with a version that logs to something. I could use some system > like tripwire to check the files but this just moves the vulnerable > component to something else. > > Maybe it's possible to use a signed kernel module that does the > integrety checking of the files via a hash that could be compiled into > the kernel?
You might be interested in checking out Anti Evil Made http://theinvisiblethings.blogspot.it/2011/09/anti-evil-maid.html , an implementation of a TPM-based static trusted boot included in Qubes OS http://qubes-os.org/ . Cheers, alfonso _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
