> If an evil made came by and got access to my machine, they would still
> be able to tamper with the bootloader code to harvest the FDE password
> when I returned.
> I want to put the whole bootloader (including the code used to decrypt
> the softraid-FDE-encrypted root-partition-containing media) on a USB
> disk.
> This way the evil maid would have nothing to tamper with.

I recently finished my masterthesis that solves this problem by including
the Trusted Platform Module (TPM) in the bootprocess of OpenBSD.

It extends the Chain of Trust up to boot(8) and allows you to seal a
secret of your choice to the platform state.

To check wether the unencrypted bootcomponents got tampered with, you
can unseal and verify the secret to ensure that the contents of the
MBR, PBR and boot(8) are unchanged.

it is not exactly the solution you were looking for but it should solves
the problem that you describe. Does this sound like something you were
willing to try and does your machine have a TPM 1.2 Chip?

Best regards


Reply via email to