Author: Dr. Nikolaus Klepp
To: dng
Subject: Re: [DNG] /usr to merge or not to merge... that is the question??
Hi Olaf!

On Saturday, 17 November 2018, Olaf Meeuwissen wrote:
> Hi Nik,
>
> Dr. Nikolaus Klepp writes:
>
> > [...] The initramfs tools provide a handy way to inspect/modify/rebuild
> > initrd. But the Debian documentation on how initrd works is wrong: it
> > assumes a one-part archive (which is what you would expect), but in
> > fact it is a two-part archive (first part uncompressed, second
> > compressed). Take a look at /usr/bin/unmkinitramfs line 50 ff to see
> > how it works. Also look at the referenced linux/lib/earlycpio.c for
> > further detail. The most important point is this: processes started
> > in initrd survive switch_root. There goes your "full disk encryption"
> > myth.
>
> Not sure I understand what's going on but if you have an unencrypted
> /boot, you, by definition, don't have full disk encryption.
>
> I'm using libreboot as my BIOS and have *all* of /dev/md0 encrypted. My
> BIOS asks me for a password to decrypt whatever is in /boot.
>
> Are you implying that even in my scenario the "full disk encryption"
> myth goes out of my window?


Just for the fun of applied paranoia: How do you ensure that nobody tampered with your eeprom? Did you seal it properly after you made the chip read-only? If not, then you still have the same problem, just a level higher. Or did you go the way of heads ( https://github.com/osresearch/heads )?

Last time I checked, there was still a "full disk encryption" option in the Debian installer. I know that's just marketing blah-blah, but still it gives a false sense of security to the not-so-paranoid user. There's even a bug report about that misnomer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858009

Nik

>
> Hope this helps,
> --
> Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
>  GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
>  Support Free Software                        https://my.fsf.org/donate
>  Join the Free Software Foundation              https://my.fsf.org/join

--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...
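The two-part initrd layout Nik describes above (an uncompressed newc cpio in front, a compressed cpio behind it), as an added example that is not code from this thread, from initramfs-tools or from the kernel: a small Python parser that splits an initrd the way unmkinitramfs and linux/lib/earlycpio.c do, by walking newc headers up to the TRAILER!!! member, skipping the NUL padding cpio leaves after it, and sniffing the compressor magic on whatever remains. The initrd it parses is constructed in-line (a fake microcode blob plus a gzip'd main archive); the helper names (`build_newc`, `parse_newc`, `split_initramfs`, `list_main_archive`) and the compressor-magic table are this example's own assumptions.

```python
"""Walk a Debian-style two-part initrd: uncompressed newc cpio archive(s)
first (early microcode), then a compressed cpio holding the main early
userspace.  Added example; not code from the thread, initramfs-tools or
the kernel.  The sample initrd below is constructed in-line and is not a
real image."""
import gzip

NEWC_MAGIC = b"070701"
TRAILER = "TRAILER!!!"

# Magic bytes of compressors mkinitramfs can be configured to use
# (assumed table; this example only decompresses gzip itself).
COMPRESSION_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"\xfd7zXZ\x00": "xz",
    b"\x28\xb5\x2f\xfd": "zstd",
    b"\x04\x22\x4d\x18": "lz4",
    b"BZh": "bzip2",
    b"\x5d\x00\x00": "lzma",
}


def _pad4(n):
    """newc aligns header+name and file data to 4-byte boundaries."""
    return (-n) % 4


def build_newc(entries):
    """Build a newc cpio archive from (name, data) pairs; used only to build the sample."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries) + [(TRAILER, b"")], start=1):
        name_b = name.encode() + b"\x00"
        mode = 0 if name == TRAILER else 0o100644
        # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += name_b + b"\x00" * _pad4(110 + len(name_b))
        out += data + b"\x00" * _pad4(len(data))
    return bytes(out)


def parse_newc(buf, pos=0):
    """Parse one newc archive at buf[pos:]; return (member names, offset just past its trailer)."""
    names = []
    while True:
        if buf[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("no newc header at offset %d" % pos)
        # 13 fields of 8 ASCII hex digits follow the 6-byte magic (110-byte header).
        fields = [int(buf[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = bytes(buf[pos + 110:pos + 110 + namesize - 1]).decode()
        data_start = pos + 110 + namesize + _pad4(110 + namesize)
        pos = data_start + filesize + _pad4(filesize)
        if name == TRAILER:
            return names, pos
        names.append(name)


def split_initramfs(buf):
    """Return the segments of an initrd in order: ("cpio", names) for every
    uncompressed archive at the front, then ("compressed", codec, payload)
    for whatever follows.  A purely compressed image yields one segment."""
    segments, pos = [], 0
    while buf[pos:pos + 6] == NEWC_MAGIC:
        names, pos = parse_newc(buf, pos)
        segments.append(("cpio", names))
        # cpio pads its output to its block size (512 bytes by default) and the
        # kernel skips NUL bytes between concatenated archives; do the same.
        while pos < len(buf) and buf[pos] == 0:
            pos += 1
    if pos < len(buf):
        rest = bytes(buf[pos:])
        codec = next((c for m, c in COMPRESSION_MAGIC.items() if rest.startswith(m)), "unknown")
        segments.append(("compressed", codec, rest))
    return segments


def list_main_archive(segment):
    """Member names of a ("compressed", "gzip", payload) segment."""
    _, codec, payload = segment
    if codec != "gzip":
        raise NotImplementedError("add a decompressor for %s" % codec)
    return parse_newc(gzip.decompress(payload))[0]


# --- constructed sample initrd (not a real Debian image) -------------------
EARLY_PART = build_newc([("kernel/x86/microcode/GenuineIntel.bin", b"\x01" * 37)])
EARLY_PART += b"\x00" * ((-len(EARLY_PART)) % 512)      # cpio block padding
MAIN_PART = gzip.compress(build_newc([
    ("init", b"#!/bin/sh\nexec /bin/busybox sh\n"),
    ("scripts/local-top/cryptroot", b"# unlocks the root volume\n"),
]))
SAMPLE_INITRD = EARLY_PART + MAIN_PART

if __name__ == "__main__":
    for seg in split_initramfs(SAMPLE_INITRD):
        if seg[0] == "cpio":
            print("uncompressed cpio:", seg[1])
        else:
            print("%s-compressed cpio:" % seg[1], list_main_archive(seg))
```

On a real image, pass the bytes of an initrd from /boot to `split_initramfs`; an image built without an early microcode part comes back as a single compressed segment, and newer images may carry more than one uncompressed archive in front, which the loop handles. The layout is all this shows; the switch_root point in the thread is about runtime behaviour, not file format.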