Kernel inside encrypted space by default? Linux is dead in the water

Can I just say how nice it is that FreeBSD puts the kernel inside the encrypted partition by default upon install (if you choose Auto (ZFS) and GELI encryption during installation)? This solves the "Evil maid" security problem for most users, and it's just really nice to have. To implement this on Linux, as y'all know, is not straightforward at all, albeit possible.

I forecast Linux is dead in the water.
 
My opinion only, but I've never been fond of things like full disk encryption. Does the OS really need to be inside an encrypted partition/dataset? When does the encryption actually apply?

Usually at rest, not when the system is booted. So when the system is booted and somehow (phishing) a user gets the system compromised, everything is vulnerable. When the system is powered off and then initially powered on, the encryption can protect.

I think most use cases are better served (again my opinion) with the OS being unencrypted and the data encrypted (user home directories?), but again, the encryption only protects at rest.

If one wants to extend that to "anything in memory is encrypted" that is a whole mess of work. Every VM page encrypted needing to be decrypted before use. Every bit of ZFS ARC encrypted needing to be decrypted before use.

I guess my summary (opinion) would be "really really think about encryption because you can make your system impossible to use"
 
> If one wants to extend that to "anything in memory is encrypted" that is a whole mess of work. Every VM page encrypted needing to be decrypted before use. Every bit of ZFS ARC encrypted needing to be decrypted before use.

I read a cool paper that implemented on-the-fly encryption of RAM by recruiting and repurposing Intel's debug registers. Again, not 100% foolproof, but much more mitigated than unencrypted RAM. But don't the newer CPUs implement encrypting RAM already?
 
You could sign your loader.efi, so it is a matter of having the BIOS really locked away.
Not surprisingly, FreeBSD is much better at this than Linux too. You can implement a detached boot scenario (load from USB and switch over to the internal drive), and FreeBSD's ZFS loader is promiscuous, meaning no need to mess with UUIDs or configuration files.
 
> Usually at rest, not when the system is booted. So when the system is booted and somehow (phishing) a user gets the system compromised, everything is vulnerable. When the system is powered off and then initially powered on, the encryption can protect.

True. I'm not sure you understand what the "Evil maid" attack is.

> Yes, but that's such a small footprint by default and in comparison.

The EFI partition isn't exactly small. Though I've seen proper coders/hackers do the most amazing things in just a few bytes (hello C64 demo scene).
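The two posts above make the same point from different sides: whatever is signed or not, the EFI System Partition (loader.efi, bootx64.efi) sits outside the GELI-encrypted pool and is exactly what an evil maid would swap. The script below is an added example, not code from the thread or from FreeBSD: it records a SHA-256 manifest of every file on the ESP and later reports anything modified, missing or newly added. The ESP layout, file contents and the "trojaned" copy are constructed inline in a temporary directory so it runs anywhere; on a real system you would point it at the mounted ESP (e.g. /boot/efi, assumed here) and keep the manifest on the encrypted side.

```python
"""Detect tampering of an unencrypted EFI System Partition via a hash manifest.

Added example for the thread above; not FreeBSD's own tooling. Paths such as
/boot/efi are assumptions, and the ESP contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large loaders do not load into RAM at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(esp_root: Path) -> dict[str, str]:
    """Map every regular file under the ESP (relative POSIX path) to its SHA-256."""
    manifest = {}
    for entry in sorted(esp_root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(esp_root).as_posix()] = hash_file(entry)
    return manifest


def verify_manifest(esp_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the ESP as it is now against a manifest taken earlier.

    'modified'   - file present in both but its hash changed (e.g. a swapped loader.efi)
    'missing'    - file in the manifest that no longer exists
    'unexpected' - file on the ESP that the manifest never saw (dropped-in payload)
    """
    current = build_manifest(esp_root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a manifest, then simulate an evil-maid swap on the ESP."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)  # stands in for the mounted ESP, e.g. /boot/efi (assumption)
        (esp / "efi" / "boot").mkdir(parents=True)
        (esp / "efi" / "freebsd").mkdir(parents=True)
        # Constructed placeholder contents; real files would be PE images starting with 'MZ'.
        (esp / "efi" / "boot" / "bootx64.efi").write_bytes(b"MZ original loader stub")
        (esp / "efi" / "freebsd" / "loader.efi").write_bytes(b"MZ original loader stub")

        manifest = build_manifest(esp)  # taken while the machine is known-good

        # Simulated attacker with physical access: replace the loader and add a payload.
        (esp / "efi" / "freebsd" / "loader.efi").write_bytes(b"MZ trojaned loader")
        (esp / "efi" / "boot" / "keylogger.efi").write_bytes(b"MZ extra payload")

        return verify_manifest(esp, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

Two caveats belong next to this check. First, it runs from inside the booted system, i.e. after the possibly trojaned loader has already executed and seen your GELI passphrase, so it detects a swap after the fact rather than preventing it; the manifest must live inside the encrypted pool or on a separate trusted medium, otherwise the attacker simply updates it too. Second, it only covers the ESP: a firmware implant would survive it, which is why the post above pairs signing loader.efi with locking down the BIOS.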
 
> If that is available. Recent Dell and HP business lines of laptops do not have that as an option; they are UEFI boot only.

I know. And even if it's available, for some people there is a huge trade-off because you can't use certain features of your system like Resizable BAR and IOMMU. For me, it's worth it. But that's just me.
 