aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2022-02-01 20:37:51 -0300
committerSilvio Rhatto <rhatto@riseup.net>2022-02-01 20:37:51 -0300
commite7ab332debafda20b9c9720095e35bbde7b92f13 (patch)
treea6429aa0d2792ecaa5630dac097ba8c0b8d95994
parente9d1a8d2679cd6f150ca94829f64c46ca9c8d785 (diff)
downloadbootless-master.tar.gz
bootless-master.tar.bz2
Fix: README: formattingHEADmaster
-rw-r--r--index.md29
1 files changed, 22 insertions, 7 deletions
diff --git a/index.md b/index.md
index 451f225..885804d 100644
--- a/index.md
+++ b/index.md
@@ -83,11 +83,17 @@ Threat Model
### Does bootless mitigate all types of Evil Maid attacks? No.
-1. It reduces the attack surface by placing the bootloader and images away from the physical machine and recommending you to use Full Disk Encryption (FDE) to store your operating system, swap and data.
+1. It reduces the attack surface by placing the bootloader and images away from
+ the physical machine and recommending you to use Full Disk Encryption (FDE)
+ to store your operating system, swap and data.
-2. Infection is still possible in plenty of unencrypted/unauthenticated software residing in the machine, such as BIOS, network firmware and potential backdoors such as Intel's AMT/ME.
+2. Infection is still possible in plenty of unencrypted/unauthenticated
+ software residing in the machine, such as BIOS, network firmware and
+ potential backdoors such as Intel's AMT/ME.
-3. The USB stick itself is not a static device: it's has a built-in controller that could be exploited to present to your computer a compromised kernel or initramfs ([BadUSB attacks](https://links.fluxo.info/tags/badusb)).
+3. The USB stick itself is not a static device: it's has a built-in controller
+ that could be exploited to present to your computer a compromised kernel or
+ initramfs ([BadUSB attacks](https://links.fluxo.info/tags/badusb)).
Again:
@@ -101,14 +107,23 @@ Again:
### Additional mitigations
-1. For physical attempts to tamper with your bare metal, you might try to protect and monitor your perimeter.
+1. For physical attempts to tamper with your bare metal, you might try to
+ protect and monitor your perimeter.
-2. From inside threats such as preloaded backdoors in the hardware, the best you can do is to look for laboratory audits and build and use open hardware.
+2. From inside threats such as preloaded backdoors in the hardware, the best
+ you can do is to look for laboratory audits and build and use open hardware.
-3. Check your boot using something like [anti-evil-maid](http://theinvisiblethings.blogspot.com.br/2011/09/anti-evil-maid.html) ([repository](https://github.com/QubesOS/qubes-antievilmaid)), [smartmonster](https://git.fluxo.info/smartmonster) ([original repository](https://github.com/ioerror/smartmonster)) or [chkboot](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#chkboot).
+3. Check your boot using something like
+ [anti-evil-maid](http://theinvisiblethings.blogspot.com.br/2011/09/anti-evil-maid.html)
+ ([repository](https://github.com/QubesOS/qubes-antievilmaid)),
+ [smartmonster](https://git.fluxo.info/smartmonster)
+ ([original repository](https://github.com/ioerror/smartmonster)) or
+ [chkboot](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#chkboot).
4. Against additional perimeter attacks, you could combine bootless with a
- solution like Edward Snowden's [Haven](https://guardianproject.github.io/haven/) or even always stay with your [TPC - Trusted Physical Console](https://web.archive.org/web/20180914153944/http://cmrg.fifthhorseman.net/wiki/TrustedPhysicalConsole).
+ solution like Edward Snowden's [Haven](https://guardianproject.github.io/haven/)
+ or even always stay with your
+ [TPC - Trusted Physical Console](https://web.archive.org/web/20180914153944/http://cmrg.fifthhorseman.net/wiki/TrustedPhysicalConsole).
5. When turning on your machine, make sure that the ethernet and wireless
networks are switched off (this could be done by removing cables, antennas