LFS using the cryptoapi hint...

Joel Miller cheeziologist at mail.isc.rit.edu
Mon Jul 7 13:23:12 PDT 2003


On Mon, 07 Jul 2003 19:53:03 +0100, DaClink <clinks_linux at btopenworld.com> wrote:

> Hi... i'm not sure if this is being posted to the correct group, but here
> goes anyway (i'm sure someone will tell me if i'm wrong :) )
>
> I managed to build lfs CVS20030603 successfully on an encrypted partition
> using the hint at http://hints.linuxfromscratch.org/hints/cryptoapi.txt
> It all works superbly except for one little bit... in the hint there is a
> section at the end which states the following:
>
>> Also, it is a good idea to check the boot partition integrity inside the
>> encrypted partition, in order to spot if someone, say a government agency
>> like the FBI or the NSA, has modified your boot partition so as to grab
>> your password. Add the following lines at the beginning of the system
>> initialisation script:
>>
>>
>> echo -n "Checking master boot record integrity: "
>> if [ "`dd if=/dev/hda count=1 2>/dev/null | md5sum`" = \
>> "e051a4532356709c73b86789acfbdbbd  -" ]
>> then
>> echo "OK."
>> else
>> echo -n "FAILED! press Enter to continue."
>> read
>> fi
>>
>> echo -n "Checking bootloader integrity: "
>> if [ "`dd if=/dev/hda1 2>/dev/null | md5sum`" = \
>> "f3686a17fac8a1090d962bef59c86d3b  -" ]
>> then
>> echo "OK."
>> else
>> echo -n "FAILED! press Enter to continue."
>> read
>> fi
>
> The first part that checks the master boot record works fine... but the
> second bit i think is impossible (unless i'm putting the script in the
> wrong place) since the script itself is on the partition that gets
> md5sum'd. Hence changing the script changes the md5sum, meaning u need to
> change the script and so on and so on.
>
> Does anyone know a way round this? am i putting the script in the wrong
> place (at the moment its in the /loader/sbin/init script)
>
> Any suggestions much appreciated...
>
> Daclink
>
>
>

As far as I can tell you are absolutely right. I see no way out of the loop 
unless you put the part checking the bootloader integrity in the init 
scripts on /dev/hda2 and then you would know if the bootloader had been 
compromised but you would know after the bootloader had already loaded. 
That way doesn't sound like the greatest of options. Ask this again on 
blfs-support as it is more suited to that list than this one. I would also 
try emailing the author of the hint directly. I will post this message to 
blfs-support and all follow-ups should be directed there.

-- 
Registered LFS User 6929
Registered Linux User 298182
cheeziologist at attbi dot com is about to be invalid...plz use this new address
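
The arrangement suggested in the reply above, as an added example that is not part of either message or of the cryptoapi hint: the check script and its reference digests both live on the encrypted root, so changing anything on the boot partition only means refreshing a digest file and never editing data that is itself hashed. Assumptions: the function names and the digest file are hypothetical, SHA-256 is used in place of the hint's md5sum, and small constructed files stand in for /dev/hda and /dev/hda1.

```shell
#!/bin/sh
# Added example. Script and digest file sit on the encrypted root
# (e.g. /dev/hda2), not on the boot partition that gets hashed.

# digest_of DEVICE [SECTORS]: SHA-256 of DEVICE, or of its first SECTORS
# 512-byte sectors (SECTORS=1 covers the MBR only).
digest_of() {
    if [ -n "$2" ]; then
        dd if="$1" bs=512 count="$2" 2>/dev/null
    else
        dd if="$1" bs=512 2>/dev/null
    fi | sha256sum | cut -d' ' -f1
}

# record_reference DB LABEL DEVICE [SECTORS]: store or refresh one digest.
# Re-run from the trusted system after any legitimate boot change.
record_reference() {
    sum=$(digest_of "$3" "$4")
    { grep -v "^$2 " "$1" 2>/dev/null || true; echo "$2 $sum"; } > "$1.new"
    mv "$1.new" "$1"
}

# verify_reference DB LABEL DEVICE [SECTORS]: 0 = match, 1 = mismatch,
# 2 = no reference recorded for LABEL.
verify_reference() {
    want=$(awk -v l="$2" '$1 == l { print $2 }' "$1" 2>/dev/null)
    [ -n "$want" ] || return 2
    [ "$(digest_of "$3" "$4")" = "$want" ]
}

# Constructed demo: small files stand in for /dev/hda and /dev/hda1.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed MBR' > "$d/hda"
    printf 'constructed boot partition holding init' > "$d/hda1"
    record_reference "$d/sums" mbr "$d/hda" 1
    record_reference "$d/sums" boot "$d/hda1"
    printf 'changed' >> "$d/hda1"      # boot partition modified afterwards
    if verify_reference "$d/sums" mbr "$d/hda" 1; then m=OK; else m=FAILED; fi
    if verify_reference "$d/sums" boot "$d/hda1"; then b=OK; else b=FAILED; fi
    rm -rf "$d"
    echo "mbr=$m boot=$b"
}

demo
```

As the reply notes, a check placed here reports a modified boot partition only after that partition's code has already run.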
