If your laptop contains an active TPM and a TCG Opal 2.0 compliant SED (SSD or spinning platter) drive, then you can create a range, install the bootstrap/OS, and then mark that range as read-only.

After doing that, *nothing* will be able to write to that area without the password unlocking that range first, not even the Dom0 root user. It will, however, also need to be unlocked using that same password at the appropriate moment during any Dom0 update that changes the bootstrap/Xen code. This same range can also protect the partition table, MBR, boot menu, etc. Multiple ranges can be set with different attributes/encryption keys.

The tool you would need for doing this is "msed" (the name given in my Fedora distro) or "sedutil" (from the Drive Trust Alliance), which allows you to talk to the drive via SATA (not USB, AFAIK) to encrypt or protect defined ranges that you set up.

Just be careful to learn/test on a test system, because if you create an encrypted range, everything previously there disappears instantly, including partitions. It's the world's fastest way I know to completely wipe a drive: flip one bit in the key, poof. Like magic. You can always reset back to the factory default, erasing everything on the drive.

Calculate your ranges, partition, set up encryption ranges, and install stuff, then finally mark your /boot range as read-only. Don't encrypt your /boot or you will need to install Pre-Boot-Authentication (PBA) and supply a password at boot time.

Sedutil source and docs
https://github.com/Drive-Trust-Alliance


On 08/26/2017 11:39 AM, [email protected] wrote:
> Does Qubes offer a method of securing /boot? Not just against USB evil maid
> attacks, but from tampering in general?
>
> For example, while a laptop is off, what would stop a malicious user from live
> booting to an arbitrary distro and altering kernel or Xen images located on the
> unencrypted /boot partition?
>
> Does Qubes offer options for encrypting /boot?
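
The "calculate your ranges" step from the reply above, as an added example that is not part of the original message or of the sedutil project: it converts a /boot partition's sysfs geometry into an Opal locking range that starts at LBA 0 (so the MBR and partition table are covered too) and prints, without running them, the sedutil-cli calls for that range. The range number 1, the device /dev/sdX, the sample geometry and the `<Admin1password>` placeholder are assumptions, as is the drive having no range alignment requirement beyond its logical block size.

```shell
#!/bin/sh
# Added example (not from the thread). Plans one Opal locking range that covers
# LBA 0 (MBR/partition table) through the end of the /boot partition.
# Assumption: the drive imposes no range alignment beyond its logical block size.

# boot_range START_512 SIZE_512 LBS -> prints "<RangeStart> <RangeLength>" in LBAs.
# START_512/SIZE_512 are the partition's sysfs "start" and "size" values, which
# the kernel always reports in 512-byte units; LBS is logical_block_size.
boot_range() {
    for v in "$1" "$2" "$3"; do
        case $v in ''|*[!0-9]*) echo "non-numeric input: '$v'" >&2; return 2 ;; esac
    done
    if [ "$3" -lt 512 ] || [ $(( $3 % 512 )) -ne 0 ]; then
        echo "unsupported logical block size: $3" >&2; return 2
    fi
    ratio=$(( $3 / 512 ))
    end512=$(( $1 + $2 ))
    # Rounding a misaligned end up would write-protect the start of the next
    # partition; rounding down would leave the tail of /boot writable. Refuse.
    if [ $(( end512 % ratio )) -ne 0 ]; then
        echo "end of /boot is not on a logical block boundary" >&2; return 1
    fi
    echo "0 $(( end512 / ratio ))"
}

# plan_commands RANGE_ID DEVICE START_512 SIZE_512 LBS
# Prints the sedutil-cli calls for the computed range; runs nothing.
plan_commands() {
    r=$(boot_range "$3" "$4" "$5") || return $?
    echo "sedutil-cli --setupLockingRange $1 $r <Admin1password> $2"
    echo "sedutil-cli --enableLockingRange $1 <Admin1password> $2"
    echo "# install the OS and bootloader, then write-protect the range:"
    echo "sedutil-cli --setLockingRange $1 RO <Admin1password> $2"
}

# Constructed sample: /boot starts at 512-byte sector 2048, is 1 GiB long, on a
# drive with 512-byte logical blocks. /dev/sdX is a placeholder device.
plan_commands 1 /dev/sdX 2048 2097152 512
```

On a real system the three numbers come from `/sys/class/block/<partition>/start`, `/sys/class/block/<partition>/size` and `/sys/block/<disk>/queue/logical_block_size`.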

