On 05-03-2014 19:03, Chris Cappuccio wrote:
>
> Personally I think this sort-of soft-IPMI is a pretty cool idea and I found
> Matthieu's reply enlightening as well.
>
> Apparently Linux has made some progress beyond pivot_root and there are
> some interesting ideas there. (Note that we have a functioning tmpfs.)
>
> http://www.spinics.net/lists/util-linux-ng/msg08794.html
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/filesystems/ramfs-rootfs-initramfs.txt
>
> Evolving the kernel ramdisk to extract archive to a tmpfs might be the right
> thing to do if the BSD tmpfs has the same advantages (doesn't run the
> "backing store" back through the buffer cache etc.)

Chris,

    The first answer that is trying to give some ideas, rather than just
criticizing security. I'm aware of all the shortcomings of this
solution. I had to hack for some time with Linux's initramfs to get some
sense of security. I even managed to have pppd embedded in it so I can
unlock my server over the internet, not just the LAN. I even have it run
a script that sets its IP address on my DNS server, which has its
SSHFP record, so I won't be the victim of impersonation attacks. It's
working quite well, I must say.

    Physical access means game over, even more so with the solution pointed
out by you guys, of moving things and creating symlinks. It opens up more
attack vectors. Telling me to have another machine to redirect the
console to, booting from a pendrive, and every other idea that relies on
external things, is not necessary. I'm aware of those possibilities.
Rather than that, what about contributing ideas for this? I believe
that it's not only FDE unlocking that would benefit from early network. As
I mentioned before, the possibility of redirecting the console to the
ssh session is one of them. I believe that there are others. Come on
guys, I'm not asking for an implementation, I just want some pointers and
ideas. I know it would be a very hard task, but I would like the challenge.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
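The SSHFP mechanism Giancarlo relies on above (publishing the early-boot host key in DNS so the client can detect an impersonating server) as an added example that is not part of this thread: it derives the SSHFP record fields from an OpenSSH public key line and performs the client-side comparison. The host key, the tampered key and the hostname are constructed samples, not real keys.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP RR field values (RFC 4255 / RFC 6594 / RFC 7479)
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_FPTYPE_SHA256 = 2


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample host keys: syntactically valid ssh-ed25519 blobs whose
# 32-byte key material is 0x00..0x1f (and a one-byte variant). Not real keys.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
_TAMPERED_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" + bytes(range(1, 32)))
SAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " initramfs"
TAMPERED_HOST_KEY = "ssh-ed25519 " + base64.b64encode(_TAMPERED_BLOB).decode() + " evil"


def sshfp_record(pubkey_line: str):
    """Return (algorithm, fptype, fingerprint_hex) for an OpenSSH public key line.

    The fingerprint is SHA-256 over the raw base64-decoded key blob, exactly
    the bytes a DNS SSHFP record must carry for a client to match this key.
    """
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob)
    # The blob's leading SSH string must name the same type as the text field.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode() != key_type:
        raise ValueError("key type field does not match encoded blob")
    return SSHFP_ALGORITHMS[key_type], SSHFP_FPTYPE_SHA256, hashlib.sha256(blob).hexdigest()


def sshfp_zone_line(hostname: str, pubkey_line: str) -> str:
    """Zone-file line the boot-time update script would publish for this host."""
    alg, fptype, fp = sshfp_record(pubkey_line)
    return f"{hostname}. IN SSHFP {alg} {fptype} {fp}"


def host_key_matches_sshfp(offered_key_line: str, record) -> bool:
    """Client side: does the key offered at connect time match the published record?"""
    try:
        alg, fptype, fp = sshfp_record(offered_key_line)
    except (ValueError, KeyError, struct.error):
        return False
    rec_alg, rec_fptype, rec_fp = record
    return (alg, fptype) == (rec_alg, rec_fptype) and hmac.compare_digest(fp, rec_fp.lower())
```

OpenSSH (VerifyHostKeyDNS) only accepts such a match automatically when the DNS answer was DNSSEC-validated; without DNSSEC the record is advisory and the usual fingerprint prompt remains.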
