We are testing out a new experimental feature in PureBoot to extend tamper detection past /boot into the root disk. I write about the feature and my thought process behind developing it here: puri.sm/posts/new-pureboot-fea

@kyle thank you very much. I'm a Purism fan and often read your writings, Kyle.

@kyle looks cool, I’ll give it a go and let you know what I think.

@kyle
Why don't we use LUKS for encrypting the whole OS, except for the kernel and init, and just verify those on boot?

@danialbehzadi We do encrypt the root disk with LUKS, but not /boot (where kernel, initrd and grub config are), for two reasons:

1. PureBoot must store the HOTP counter somewhere for initial tamper-detection of the firmware itself. Currently /boot is the best location. We don't want to prompt for a LUKS secret before you can trust the firmware.

2. For users who don't want to scan the root partition, leaving /boot unencrypted allows them to scan /boot w/o prompting them for secrets.

@kyle
That's legit. So why do we bother to scan the other root partitions too, which makes booting slower?

@danialbehzadi It's optional, the idea is like w/ scanning /boot files, to try to detect attacks against root files that occur while the system is running and / is unlocked.

Rootkits can evade attempts to detect from within the infected kernel/file system, so you want to scan from the trusted PureBoot environment.

Some people would run a scan every time they boot. Others would only do it when their computer is out of their custody.
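The post above describes the idea behind the feature: hash the files on a partition from a trusted environment, then compare against a recorded manifest on later boots so that changes made while the running system (and a possibly compromised kernel) had the disk unlocked still show up. The script below is an added illustration of that hash-manifest check, written for this thread; it is not PureBoot's or Purism's own code. It assumes a Linux system with GNU coreutils (`sha256sum`, `find`, `sort`, `comm`) and file names without whitespace, and it builds its own small constructed directory tree so it runs without touching a real root filesystem.

```shell
#!/bin/sh
# Added example for this thread, not PureBoot's own implementation.
# Assumes GNU coreutils and file names without whitespace.

# build_manifest DIR
# Print "sha256  ./relative/path" for every regular file under DIR, sorted by
# path so the manifest is reproducible run to run.
build_manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | xargs -r sha256sum)
}

# verify_tree DIR MANIFEST
# Compare DIR against MANIFEST. Prints a line for each modified, missing or
# newly added file and returns 0 only when the tree matches exactly.
verify_tree() {
    dir=$1
    manifest=$2
    rc=0
    # sha256sum -c needs the manifest path to survive the cd into $dir
    abs=$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest")

    # Modified and missing files are reported by sha256sum as FAILED
    (cd "$dir" && sha256sum -c --quiet "$abs") || rc=1

    # sha256sum -c never sees files that were added after the manifest was
    # taken (a dropped-in .so, a new preload file, ...), so diff the sorted
    # path lists as well.
    expected=$(mktemp)
    current=$(mktemp)
    awk '{print $2}' "$manifest" > "$expected"
    (cd "$dir" && find . -type f | LC_ALL=C sort) > "$current"
    added=$(LC_ALL=C comm -13 "$expected" "$current")
    if [ -n "$added" ]; then
        for f in $added; do
            printf '%s: NEW\n' "$f"
        done
        rc=1
    fi
    rm -f "$expected" "$current"
    return $rc
}

# Demonstration on a constructed tree: take a manifest, confirm a clean check,
# then simulate two changes (a modified file and an added file) and re-check.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/root/etc" "$work/root/usr/bin"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/root/etc/passwd"
    printf '#!/bin/sh\necho hello\n' > "$work/root/usr/bin/hello"

    build_manifest "$work/root" > "$work/manifest"
    if verify_tree "$work/root" "$work/manifest"; then
        echo "clean tree: OK"
    fi

    # Simulated tampering (constructed, not a real attack artefact)
    printf '#!/bin/sh\necho changed\n' > "$work/root/usr/bin/hello"
    : > "$work/root/etc/extra.conf"
    if verify_tree "$work/root" "$work/manifest"; then
        echo "unexpected: tampering not detected"
    else
        echo "tampered tree: changes detected"
    fi
    rm -rf "$work"
}

run_demo
```

Two design points carry over from the post. First, the manifest is only worth anything if the attacker could not rewrite it along with the files, which is why the check has to run from, and the reference has to be protected by, an environment the running OS cannot alter; the thread's answer is the PureBoot firmware environment, not a script inside the booted system. Second, a plain `sha256sum -c` only answers "did the files I listed change?", so the added-file comparison is what catches something new being dropped into the tree.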

Librem Social