On 05-03-2014 18:05, Stuart Henderson wrote:
> On 2014/03/05 17:48, Giancarlo Razzolini wrote:
>> On 05-03-2014 17:30, Ted Unangst wrote:
>>> On Wed, Mar 05, 2014 at 16:15, Giancarlo Razzolini wrote:
>>>> Hi,
>>>>
>>>>     I have one linux server that has full disk encryption, and I use
>>>> its initramfs with dropbear to be able to remote unlock the encrypted
>>>> root partition.
>>>>
>>>>     From what I read from the OpenBSD documentation, this is not
>>>> possible now. I want some guidance for what areas of code I would need
>>>> to modify, to accomplish the same. I know it would involve lots of
>>>> hacking with boot(8), with the kernel itself, and perhaps more. Also, I
>>>> want to know how hard you guys think it would be.
>>> I'm aware of some issues in this area.
>>>
>>> You probably need to modify boot to default to serial console. The
>>> normal approach, taken by the installer, is to use boot.conf, but of
>>> course that's not readable before the disk is decrypted. This is
>>> assuming you will use serial console to provide the password instead
>>> of regular keyboard.
>>>
>>> If you want to provide the password over the network, I think that's
>>> going to be way more work. pxeboot may be a place to start, but I
>>> don't think you'll like where that leads and it won't be very secure
>>> either.
>>>
>>> Or get a server that supports some sort of kvm/console over IP.
>> Ted,
>>
>>     Thank you for your reply. I am tending for the generic solution for
>> unlocking it via network. Not using console nor any hardware assist. On
>> linux, using initramfs + busybox + dropbear + some other hacks, it works
>> quite well and secure, since you unlock it through ssh.
>>     I took a look at pxeboot, but I don't think it will work. I know it
>> is a chicken-egg problem, but I want to take a shot at it. Just would
>> like some guidance, where to start. I know that maybe it would need some
>> approach in the lines of initramfs, but I would avoid it as much as I
>> can, if possible. I think an unencrypted partition/disklabel with
>> boot.conf and the kernel, plus some hack with boot itself to initialize
>> the network device, and configure its IP address would be more
>> interesting. Or even just boot.conf on the partition. This would require
>> that boot(8) would do most of the work, even a small sshd
>> implementation. Any ideas?
>>
>> Cheers,
>>
>> -- 
>> Giancarlo Razzolini
>> GPG: 4096R/77B981BC
>>
> What are you trying to protect against?
>
> If somebody has physical access, they can presumably replace the
> kernel/initramfs with a trojanned version ...
>
>
    I'm not trying to protect anything. Physical access almost always
means game over. There could be some work on the area of trusted
booting, using TPM chips, but this is another beast entirely.

    I'm trying to be able to remote unlock my full disk encrypted
OpenBSD installation in a way that the keystrokes can't be intercepted
in the wire. There is already a protocol for this, which is ssh. The
trick is to have it working in the boot process.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
