LFS using the cryptoapi hint...

Zibeli Aton zibeli at yahoo.com
Tue Jul 8 02:42:06 PDT 2003


--- Joel Miller <cheeziologist at mail.isc.rit.edu> wrote:
> On Mon, 07 Jul 2003 19:53:03 +0100, DaClink <clinks_linux at btopenworld.com>
> wrote:
> 
> > Hi... i'm not sure if this is being posted to the correct group, but here
> > goes anyway (i'm sure someone will tell me if i'm wrong :) )
> >
> > I managed to build lfs CVS20030603 successfully on an encrypted partition
> > using the hint at http://hints.linuxfromscratch.org/hints/cryptoapi.txt
> > It all works superbly except for only a little bit... in the hint there is
> > a section at the end which states the following:
> >
> >> Also, it is a good idea to check the boot partition integrity inside the
> >> encrypted partition, in order to spot if someone, say a government agency
> >> like the FBI or the NSA, has modified your boot partition so as to grab
> >> your password. Add the following lines at the beginning of the system
> >> initialisation script:
> >>
> >>
> >> echo -n "Checking master boot record integrity: "
> >> if [ "`dd if=/dev/hda count=1 2>/dev/null | md5sum`" = \
> >> "e051a4532356709c73b86789acfbdbbd  -" ]
> >> then
> >> echo "OK."
> >> else
> >> echo -n "FAILED! press Enter to continue."
> >> read
> >> fi
> >>
> >> echo -n "Checking bootloader integrity: "
> >> if [ "`dd if=/dev/hda1 2>/dev/null | md5sum`" = \
> >> "f3686a17fac8a1090d962bef59c86d3b  -" ]
> >> then
> >> echo "OK."
> >> else
> >> echo -n "FAILED! press Enter to continue."
> >> read
> >> fi
> >
> > The first part that checks the master boot record works fine... but the
> > second bit i think is impossible (unless i'm putting the script in the
> > wrong place) since the script itself is on the partition that gets
> > md5sum'd. Hence changing the script changes the md5sum, meaning u need to
> > change the script and so on and so on.
> >
> > Does anyone know a way round this? am i putting the script in the wrong
> > place (at the moment its in the /loader/sbin/init script)
> >
> > Any suggestions much appreciated...
> >
> > Daclink
> >
> 
> As far as I can tell you are absolutely right. I see no way out of the loop
> unless you put the part checking the bootloader integrity in the init
> scripts on /dev/hda2 and then you would know if the bootloader had been
> compromised but you would know after the bootloader had already loaded.
> That way doesn't sound like the greatest of options. Ask this again on
> blfs-support as it is more suited to that list than this one. I would also
> try emailing the author of the hint directly. I will post this message to
> blfs-support and all follow-ups should be directed there.
> 

I'm quite sure the signature-checking script is indeed
supposed to be on the encrypted partition, not in the
bootloader.  While the bootloader will indeed have
already been loaded before the script then detects a
compromise of it, at least at that point you can
minimize the damage by aborting the init before
networks are brought up, etc.  If the script is
instead left in the unencrypted bootloader partition,
all an attacker would have to do after modifying the
bootloader (or boot sector) is to adjust the MD5 sum
contained in the unencrypted script to match that of
the compromised loader/sector and the script would not
even detect the compromise, by far an even worse
option.
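As an added example (not the hint's code and not from anyone in this thread), the layout the reply argues for: the check script and its reference hashes both live on the encrypted root, so the boot partition being hashed never has to change when the script does, and a failed check returns non-zero early enough for init to stop before networking. The device names /dev/hda and /dev/hda1 follow the hint; the reference-file path /etc/boot-integrity.md5 is a hypothetical choice; the demo functions use constructed image files in place of real devices so the script runs offline.

```shell
#!/bin/sh
# Added example, not the hint's or the list's own code: a boot-chain integrity
# check that lives on the encrypted root together with its reference hashes,
# so nothing on the boot partition (the object being hashed) has to change
# when the checking script changes.
#
# Assumptions: on a real system the MBR device is /dev/hda and the boot
# partition is /dev/hda1 (the hint's layout), and the reference file sits on
# the encrypted root, e.g. /etc/boot-integrity.md5 (a hypothetical path).
# The demo functions below use constructed image files instead of devices.

# md5 of the first $2 512-byte sectors of $1 ("all" = the whole device/image).
hash_image() {
    if [ "$2" = "all" ]; then
        dd if="$1" bs=512 2>/dev/null | md5sum | cut -d' ' -f1
    else
        dd if="$1" bs=512 count="$2" 2>/dev/null | md5sum | cut -d' ' -f1
    fi
}

# Write reference hashes once, from the encrypted root, while the boot chain
# is known-good: one "<label> <path> <sectors> <md5>" line per object.
record_reference() {   # $1 = reference file, $2 = MBR device, $3 = boot partition
    {
        printf 'mbr %s 1 %s\n' "$2" "$(hash_image "$2" 1)"
        printf 'bootloader %s all %s\n' "$3" "$(hash_image "$3" all)"
    } > "$1"
}

# Re-hash every object listed in the reference file. Returns 0 if all match,
# 1 if any differ, printing one status line per object as the hint's script
# does. Called at the top of init, a non-zero return lets init halt before
# networks are brought up.
verify_reference() {   # $1 = reference file
    _status=0
    while read -r label path sectors expected; do
        printf 'Checking %s integrity: ' "$label"
        if [ "$(hash_image "$path" "$sectors")" = "$expected" ]; then
            echo "OK."
        else
            echo "FAILED!"
            _status=1
        fi
    done < "$1"
    return $_status
}

# --- offline demo on constructed images -----------------------------------

# Constructed 4-sector "disk" (hda.img) and 8-sector "boot partition"
# (hda1.img) written into directory $1.
make_images() {
    printf 'constructed MBR sector' > "$1/hda.img"
    dd if=/dev/zero bs=512 count=3 2>/dev/null >> "$1/hda.img"
    printf 'constructed bootloader' > "$1/hda1.img"
    dd if=/dev/zero bs=512 count=7 2>/dev/null >> "$1/hda1.img"
}

# Pristine images verify (returns 0) even after the checking side changes:
# editing a file beside the reference does not touch the boot partition hash,
# which is the loop the original poster ran into.
pristine_ok() {
    w=$(mktemp -d) || return 1
    make_images "$w"
    record_reference "$w/boot-integrity.md5" "$w/hda.img" "$w/hda1.img"
    echo "edited init script" > "$w/init.sh"   # a change on the encrypted side
    verify_reference "$w/boot-integrity.md5"; r=$?
    rm -rf "$w"
    return $r
}

# A modified boot partition is detected: returns 0 when verification fails.
tamper_detected() {
    w=$(mktemp -d) || return 1
    make_images "$w"
    record_reference "$w/boot-integrity.md5" "$w/hda.img" "$w/hda1.img"
    # flip one byte inside the constructed boot partition, size unchanged
    printf 'X' | dd of="$w/hda1.img" bs=1 seek=600 conv=notrunc 2>/dev/null
    if verify_reference "$w/boot-integrity.md5" >/dev/null; then r=1; else r=0; fi
    rm -rf "$w"
    return $r
}

pristine_ok && tamper_detected && echo "demo: both checks behaved as expected"
```

On a real install the record step is run once from the encrypted root after a known-good boot, and verify_reference is the first thing init calls; because the MBR check hashes only sector 0, a legitimate bootloader reinstall means re-running record_reference, not editing anything on /dev/hda1.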

