On 05-03-2014 19:03, Chris Cappuccio wrote:
>
> Personally I think this sort-of soft-IPMI is a pretty cool idea and I found
> Matthieu's reply enlightening as well.
>
> Apparently Linux has made some progress beyond pivot_root and there are
> some interesting ideas there. (Note that we have a functioning tmpfs.)
>
> http://www.spinics.net/lists/util-linux-ng/msg08794.html
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/filesystems/ramfs-rootfs-initramfs.txt
>
> Evolving the kernel ramdisk to extract archive to a tmpfs might be the right
> thing to do if the BSD tmpfs has the same advantages (doesn't run the
> "backing store" back through the buffer cache etc.)
Chris,

The first answer that is trying to give some ideas, rather than just criticizing security. I'm aware of all the shortcomings of this solution. I had to hack for some time with Linux's initramfs to get some sense of security. I even managed to have pppd embedded in it so I can unlock my server over the internet, not just the LAN. I even have it run a script that sets its IP address on my DNS server, which has its SSHFP record, so I won't be a victim of impersonation attacks. It's working quite well, I must say.

Physical access means game over, even more so with the solution pointed out by you guys, of moving things and creating symlinks. It opens up more attack vectors. Telling me to have another machine to redirect the console to, booting from a pendrive, and every other idea that relies on external things, is not necessary. I'm aware of those possibilities. Rather than that, what about contributing ideas for this? I believe that it's not only FDE unlocking that would benefit from early network. As I mentioned before, the possibility of redirecting the console to the ssh session is one of them. I believe that there are others.

Come on guys, I'm not asking for implementation, I just want some pointers and ideas. I know it would be a very hard task, but I would like the challenge.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC