:: Re: [DNG] /usr to merge or not to m…
Top Page
Delete this message
Reply to this message
Author: Olaf Meeuwissen
Date:  
To: Dr. Nikolaus Klepp
CC: dng
Subject: Re: [DNG] /usr to merge or not to merge... that is the question??
Hi Nik,

Dr. Nikolaus Klepp writes:

> Hi Olaf!
>
> Am Samstag, 17. November 2018 schrieb Olaf Meeuwissen:
>> Hi Nik,
>>
>> Dr. Nikolaus Klepp writes:
>>
>> > [...] The initrams tool provide a handy way to inspect/modify/rebuild
>> > initrd. But the debian documentation on how initrd works is wrong: it
>> > assumes a one part archive (which is what you would expect), but in
>> > fact it is a 2 part archive (first part uncomressed, second
>> > compressed). Take a look at /usr/bin/unmkinitramfs line 50 ff to see
>> > how it works. Also look at the referenced linux/lib/earlycpio.c for
>> > further detail. The most important point is this: processes started
>> > in initrd survive switch_root. There goes your "full disk encryption"
>> > myth.
>>
>> Not sure I understand what's going on but if you have an unencrypted
>> /boot, you, by definition, don't have full disk encryption.
>>
>> I'm using libreboot as my BIOS and have *all* of /dev/md0 encrypted. My
>> BIOS asks me for a password to decrypt whatever is in /boot.
>>
>> Are you implying that even in my scenario the "full disk encryption"
>> myth goes out of my window?
>
> Just for the fun of applied paranoia: How do you ensure that nobody
> tempered with your eeprom? Did you seal it propperly after you made
> the chip readonly? If not, then you still have the same problem, just
> a level higher.


If someone tampered with the eeprom I guess I'd have a problem and
someone might be eavesdropping on my disk I/O but my disks would still
be fully encrypted as in I could give you one of the disks from my RAID1
setup and you wouldn't be able to find out what's on it.

> Or did you go the way of heads (https://github.com/osresearch/heads)?


Libreboot is coreboot w/o the blobs and I went down a path similar to
that taken by heads. The BIOS has a GRUB payload capable of decrypting
enough of the disk(s) to pass the buck to the OS.

> Last time I checked, there was still a "full disk encryption" in the
> debian installer. I know that's just markeing blahblah, but still it
> gives a false sense of security to the not-so-paranoid user. There's
> even a bugreport about that misnomer:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858009


:-)

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join