On Tue, Feb 18, 2020 at 08:05:29AM +0100, Paul de Weerd wrote:
On Tue, Feb 18, 2020 at 05:12:25AM +, Frank Beuth wrote:
| Yes, it's a cool way to combine things to get unexpected functionality.
| I haven't dug into the bootloader much... is there a reasonably easy way
| to get the USB-stick-b
> Are there any downsides though? For example, would resume from
> hibernation still work for such a setup?
It should work with hibernation without any problems, but I did
not test this extensively.
>
> More so, for the less knowledgeable of us, how does this relate to
> UEFI's "Secure Boot"?
Make sure no one has physical access to your machine!
EVER.
Lock it away.
That way no 'Evil Maid' or any one else can access it!
This is not hard.
Why is this a thing?
If someone has physical access to your box then it is Game Over!
All of these fantasy efforts are BS.
Physically secure your hardware
On Mon, Feb 17, 2020 at 04:09:57PM +0100, Julius Zint wrote:
I'm not really in a position to reflash my machine but I would still be
curious for details.
There is no need to reflash your firmware if the system has an integrated
and supported TPM 1.2 chip.
The prototype uses a Static Root of T
On Tue, Feb 18, 2020 at 05:12:25AM +, Frank Beuth wrote:
| Yes, it's a cool way to combine things to get unexpected functionality.
| I haven't dug into the bootloader much... is there a reasonably easy way
| to get the USB-stick-bootloader to boot the hard drive partition by
| default?
Best wa
On Mon, Feb 17, 2020 at 06:44:25PM +0100, Paul de Weerd wrote:
On Mon, Feb 17, 2020 at 01:35:38PM +, Frank Beuth wrote:
| > | This way the evil maid would have nothing to tamper with.
| >
| > Note that with this approach, a default OpenBSD install to your
| > machine will still install a boot
On Mon, Feb 17, 2020 at 01:35:38PM +, Frank Beuth wrote:
| > | This way the evil maid would have nothing to tamper with.
| >
| > Note that with this approach, a default OpenBSD install to your
| > machine will still install a bootloader on the physical disk inside
| > your machine. It's then
I’m interested as well.
Jan
On 17 Feb 2020, at 17:10, Kevin Chadwick wrote:
On 2020-02-17 15:09, Julius Zint wrote:
Some feedback from the OpenBSD community on this would also be
appreciated. Are there
enough people interested in a Trusted Boot with OpenBSD?
I'm interested
On 2020-02-17 15:09, Julius Zint wrote:
> Some feedback from the OpenBSD community on this would also be appreciated.
> Are there
> enough people interested in a Trusted Boot with OpenBSD?
I'm interested
> I'm not really in a position to reflash my machine but I would still be
> curious for details.
There is no need to reflash your firmware if the system has an integrated
and supported TPM 1.2 chip.
The prototype uses a Static Root of Trust for Measurement (SRTM) approach
where the Chain of Trust
On Mon, Feb 17, 2020 at 11:56:24AM +0100, Paul de Weerd wrote:
But you can already do this. If your machine supports booting from
USB, you can do a minimal install to a USB stick (using FDE, if you
want). Now you have a portable OpenBSD environment you can boot on
any system capable of booting
On Mon, Feb 17, 2020 at 11:13:27AM +0100, Julius Zint wrote:
I recently finished my master's thesis that solves this problem by including
the Trusted Platform Module (TPM) in the boot process of OpenBSD.
It extends the Chain of Trust up to boot(8) and allows you to seal a
secret of your choice to th
>>> How do you do this on OpenBSD?
>>@frank: https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk
>
> That's telling me how to use a keydisk -- how to put the softraid FDE
> encryption key material on a USB disk.
>
> If an evil maid came by and got access to my machine, they would still
> be
On Mon, Feb 17, 2020 at 08:50:14AM +, Frank Beuth wrote:
| > > How do you do this on OpenBSD?
| > @frank: https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk
|
| That's telling me how to use a keydisk -- how to put the softraid FDE
| encryption key material on a USB disk.
|
| If an evil
>
> If an evil maid came by and got access to my machine, they would still
> be able to tamper with the bootloader code to harvest the FDE password
> when I returned.
>
> I want to put the whole bootloader (including the code used to decrypt
> the softraid-FDE-encrypted root-partition-containin
On Sat, Feb 15, 2020 at 12:22:02PM +0100, no@s...@mgedv.net wrote:
> depends what you want to achieve, but my recommendation is booting from USB
> and mount encrypted root from the HDD.
> you can safely remove the usb key after root mount and all your configs/etc
> files are used from the encrypted
> > depends what you want to achieve, but my recommendation is booting from USB
> > and mount encrypted root from the HDD.
> > you can safely remove the usb key after root mount and all your configs/etc
> > files are used from the encrypted storage.
> > this ensures 2 things: bootloader + kernel on US
On Thu, Feb 13, 2020 at 01:31:43PM +0100, no@s...@mgedv.net wrote:
depends what you want to achieve, but my recommendation is booting from USB
and mount encrypted root from the HDD.
you can safely remove the usb key after root mount and all your configs/etc
files are used from the encrypted stora
no@s...@mgedv.net(nos...@mgedv.net) on 2020.02.13 13:31:43 +0100:
> > > On Linux you can do the following:
> > > { [1MB unencrypted GRUB bootloader partition] [Rest of hard drive
> > > entirely encrypted] }
> ... which I would consider to be as insecure as unencrypted root at all.
... which totally de
> > On Linux you can do the following:
> > { [1MB unencrypted GRUB bootloader partition] [Rest of hard drive
> > entirely encrypted] }
... which I would consider to be as insecure as unencrypted root at all.
maybe check out https://wiki.osdev.org, they have nice articles on this.
IMHO a secure boot ch
cipher-hea...@riseup.net writes:
>
> On Linux you can do the following:
>
> Hard drive:
> { [1MB unencrypted GRUB bootloader partition] [Rest of hard drive entirely
> encrypted] }
>
> Then the only parts of the (x64) computer that are unencrypted are the BIOS
> and GRUB.
This is how it already
On Thu, Feb 13, 2020 at 10:31:30AM +, cipher-hea...@riseup.net wrote:
>
> On Linux you can do the following:
>
> Hard drive:
> { [1MB unencrypted GRUB bootloader partition] [Rest of hard drive entirely
> encrypted] }
>
> Then the only parts of the (x64) computer that are unencrypted are th