author Silvio Rhatto <rhatto@riseup.net> 2024-07-13 10:58:54 -0300
committer Silvio Rhatto <rhatto@riseup.net> 2024-07-13 10:58:54 -0300
commit 16c4d7c30457f798470c0b92e81849599c69f049
tree bb86ac9fbf8fb0c26bbfede72d74724899f4dd19
parent b561cb246071e38ad73e40e63d3df17c7dd0da73
Improve docs, adds TODO page and more references
l--------- TODO.md 1
-rw-r--r-- index.md 40
-rw-r--r-- references.md 97
-rw-r--r-- todo.md 26
-rw-r--r-- tutorial.md 18
5 files changed, 129 insertions, 53 deletions
diff --git a/TODO.md b/TODO.md
new file mode 120000
index 0000000..3f6dfa6
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1 @@
+todo.md \ No newline at end of file
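Review bot: `TODO.md` is added as a symlink (mode 120000) pointing at `todo.md`, and the two names differ only by case, so a checkout on a case-insensitive file system cannot hold both entries. Consider dropping the symlink, or giving one of the two a name that does not collide; if it stays, the commit message should say why both names are needed.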
diff --git a/index.md b/index.md
index 59837fe..6540e1a 100644
--- a/index.md
+++ b/index.md
@@ -5,14 +5,17 @@ attached bootloader in order to make more difficult to tamper the initialization
process. Bootless is a bootloader installed in a removable media and used to
initialize computers.
-It offers partial protection against the so-called [evil maid
-attacks](https://en.wikipedia.org/wiki/Evil_maid_attack).
+It offers partial protection against the so-called [evil maid attacks][], which
+basically consists in compromising the boot procedure on unnattended machines.
-- [Repository](https://git.fluxo.info/bootless).
-- [Tutorial](tutorial).
-- [References](references).
-- License: [GPLv3+](LICENSE).
-- Contact: rhatto at riseup.net.
+* [Repository](https://git.fluxo.info/bootless).
+* [Tutorial](tutorial).
+* [References](references).
+* [TODO](todo).
+* License: [GPLv3+](LICENSE).
+* Contact: rhatto at riseup.net.
+
+[evil maid attacks]: https://en.wikipedia.org/wiki/Evil_maid_attack
## Design
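Review bot: the added sentence on evil maid attacks has a spelling error and a number disagreement: "unnattended" should be "unattended", and "attacks, which basically consists in" should read "which basically consist of". The `-` to `*` bullet change in the same hunk is pure style churn; splitting it into its own commit would keep the content changes (the new sentence and the new TODO link) easy to review.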
@@ -27,9 +30,10 @@ images.
## Dependencies
-- [GNU Grub](https://www.gnu.org/software/grub/).
-- Reference implementation is targeted to Debian like operating systems.
-- Optionally use git and [git-annex](http://git-annex.branchable.com/) to manage your repository and images.
+* [GNU Grub](https://www.gnu.org/software/grub/).
+* Reference implementation is targeted to Debian like operating systems.
+* Optionally use git and [git-annex](http://git-annex.branchable.com/) to
+ manage your repository and images.
## Installation
@@ -70,8 +74,8 @@ Check device/image signatures:
## Customization
-- Place your custom images into `custom` folder.
-- Edit `custom/custom.cfg` to suit your needs.
+* Place your custom images into `custom` folder.
+* Edit `custom/custom.cfg` to suit your needs.
## Threat Model
@@ -83,7 +87,9 @@ Check device/image signatures:
2. Infection is still possible in plenty of unencrypted/unauthenticated
software residing in the machine, such as BIOS, network firmware and
- potential backdoors such as Intel's AMT/ME.
+ potential backdoors such as Intel's AMT/ME. Nowadays seems like there
+ are plenty of places were malicious code can be placed, not to say
+ about the many ways miniaturized hardware can be implanted.
3. The USB stick itself is not a static device: it's has a built-in controller
that could be exploited to present to your computer a compromised kernel or
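Review bot: the text added to threat-model item 2 needs a language pass: "Nowadays seems like" lacks a subject, "places were malicious code" should be "where", and "not to say about" should be "not to mention". Suggested wording: "Nowadays there seem to be plenty of places where malicious code can be placed, not to mention the many ways miniaturized hardware can be implanted." The neighbouring context line in item 3, "it's has a built-in controller", could be fixed in the same commit.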
@@ -96,8 +102,8 @@ Again:
to be significantly smaller to do their jobs and optionally also load
an operating system (in case it's intended not to be noticed).
-* Spyware could still be installed in the firware or in specialized harware,
- which are plentyful in current computers.
+* Spyware could still be installed in the firmware or in specialized hardware,
+ which are plentiful in current computers.
### Additional mitigations
@@ -125,7 +131,9 @@ Again:
or switching the "rfkill" button in laptops), preventing any bootloader exploit
that to broadcast keystrokes.
-6. Implement "Physically Unclonable Functions" at your device:
+6. Implement [Physically Unclonable Functions][] (PUF) at your device:
* [Thwarting Evil Maid Attacks](https://media.ccc.de/v/30C3_-_5600_-_en_-_saal_1_-_201312301245_-_thwarting_evil_maid_attacks_-_eric_michaud_-_ryan_lackey#t=2616) (30C3).
* [Don't Want Your Laptop Tampered With? Just Add Glitter Nail Polish](https://www.wired.com/2013/12/better-data-security-nail-polish/).
* [Home-made tamper-evident security seals for kids and adults alike](http://blog.ssokolow.com/archives/2017/04/08/home-made-tamper-evident-security-seals-for-kids-and-adults-alike/).
+
+[Physically Unclonable Functions]: https://en.wikipedia.org/wiki/Physical_unclonable_function
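Review bot: item 6 now links "Physically Unclonable Functions" to the Wikipedia article on physical unclonable functions, while the three references listed under it are about glitter nail polish and home-made tamper-evident seals. Say in the item that the term is used here for tamper-evident seals applied to the machine, so a reader following the link knows which sense is meant. The context line just above, "preventing any bootloader exploit that to broadcast keystrokes", is also missing a verb and is worth fixing while this list is being touched.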
diff --git a/references.md b/references.md
index 19c911d..1314b3a 100644
--- a/references.md
+++ b/references.md
@@ -1,40 +1,83 @@
[[!meta title="Bootless: references"]]
-Grub:
+## GNU Grub
-- [Bootable grub USB stick (EFI and BIOS for Intel)](http://debian-administration.org/users/dkg/weblog/112).
-- [Grub2](https://help.ubuntu.com/community/Grub2) (Ubuntu Help).
-- [GRUB2 Manual](http://grub.enbug.org/Manual) (Wiki).
-- [Using GRUB to Set Up the Boot Process](http://www.linuxfromscratch.org/lfs/view/development/chapter08/grub.html).
-- [GNU Grub Manual](http://www.gnu.org/software/grub/manual/grub.html).
-- On `cryptopts`: ([1](http://www.c3l.de/linux/howto-completly-encrypted-harddisk-including-suspend-to-encrypted-disk-with-ubuntu-6.10-edgy-eft.html), [2](http://manpages.ubuntu.com/manpages/lucid/man8/initramfs-tools.8.html), [3](http://solvedlinuxissues.blogspot.com.br/2011/11/encrypted-ubuntu-filesystem-on-logical.html), [4](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147), [5](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358452)), see `/usr/share/doc/cryptsetup/README.initramfs.gz` for details.
+* [Bootable grub USB stick (EFI and BIOS for Intel)](http://debian-administration.org/users/dkg/weblog/112).
+* [Grub2](https://help.ubuntu.com/community/Grub2) (Ubuntu Help).
+* [GRUB2 Manual](http://grub.enbug.org/Manual) (Wiki).
+* [Using GRUB to Set Up the Boot Process](http://www.linuxfromscratch.org/lfs/view/development/chapter08/grub.html).
+* [GNU Grub Manual](http://www.gnu.org/software/grub/manual/grub.html).
+* On `cryptopts`: ([1](http://www.c3l.de/linux/howto-completly-encrypted-harddisk-including-suspend-to-encrypted-disk-with-ubuntu-6.10-edgy-eft.html), [2](http://manpages.ubuntu.com/manpages/lucid/man8/initramfs-tools.8.html), [3](http://solvedlinuxissues.blogspot.com.br/2011/11/encrypted-ubuntu-filesystem-on-logical.html), [4](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147), [5](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358452)), see `/usr/share/doc/cryptsetup/README.initramfs.gz` for details.
-Boot:
+## Boot
-- [Auto-booting and Securing a Linux Server with an Encrypted Filesystem](http://serverfault.com/questions/34794/auto-booting-and-securing-a-linux-server-with-an-encrypted-filesystem).
-- [#348147 - Allow subscripts to alter ROOT (was: Add support for cryptoroot) - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147) ([crypt_root and real_root on gentoo](http://wiki.gentoo.org/wiki/Genkernel)).
+* [Auto-booting and Securing a Linux Server with an Encrypted Filesystem](http://serverfault.com/questions/34794/auto-booting-and-securing-a-linux-server-with-an-encrypted-filesystem).
+* [#348147 - Allow subscripts to alter ROOT (was: Add support for cryptoroot) - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147) ([crypt_root and real_root on gentoo](http://wiki.gentoo.org/wiki/Genkernel)).
-Images:
+## Images
-- [How can I mount a disk image?](http://superuser.com/questions/344899/how-can-i-mount-a-disk-image).
-- [GRUB 2 - OSDev](http://wiki.osdev.org/GRUB_2): instalando o grub em várias mídias distintas.
-- [Disk mounting](http://www.noah.org/wiki/Disk_mounting).
-- [Loop-mounting partitions from a disk image](http://madduck.net/blog/2006.10.20:loop-mounting-partitions-from-a-disk-image/).
+* [How can I mount a disk image?](http://superuser.com/questions/344899/how-can-i-mount-a-disk-image).
+* [GRUB 2 - OSDev](http://wiki.osdev.org/GRUB_2): instalando o grub em várias mídias distintas.
+* [Disk mounting](http://www.noah.org/wiki/Disk_mounting).
+* [Loop-mounting partitions from a disk image](http://madduck.net/blog/2006.10.20:loop-mounting-partitions-from-a-disk-image/).
-UEFI:
+## UEFI
-- [gummiboot](http://freedesktop.org/wiki/Software/gummiboot/).
-- [booting a self-signed Linux kernel | The Linux Foundation](http://www.linuxfoundation.org/news-media/blogs/browse/2013/09/booting-self-signed-linux-kernel).
+* [gummiboot](http://freedesktop.org/wiki/Software/gummiboot/).
+* [booting a self-signed Linux kernel | The Linux Foundation](http://www.linuxfoundation.org/news-media/blogs/browse/2013/09/booting-self-signed-linux-kernel).
-Security:
+## Security
-- [implementing the evil maid attack on linux with Luks - Pollux's blog](https://www.wzdftpd.net/blog/index.php?post/2009/10/28/44-implementing-the-evil-maid-attack-on-linux-with-luks).
+* [implementing the evil maid attack on linux with Luks - Pollux's blog](https://www.wzdftpd.net/blog/index.php?post/2009/10/28/44-implementing-the-evil-maid-attack-on-linux-with-luks).
-Full Disk Encryption:
+## Full Disk Encryption
-- [Grub Crypt · Grub with crypto enhancements](http://grub.johnlane.ie/).
-- [Yet Another Full Disk Encryption with Ubuntu 11.10 | On Science and Technology](https://archimedesden.wordpress.com/2011/10/21/yet-another-full-disk-encryption-with-ubuntu-11-10/).
-- [MissingLink.xyz - Tutorial: GRUB2 Cryptomount](http://missinglink.xyz/grub2-bootloader/understanding-grub2-cryptomount/).
-- [Ubuntu Full Disk Encryption (FDE) with encrypted /boot](http://missinglink.xyz/security/tutorial-debianubuntu-full-disk-encryption-luks-fde-including-encrypted-boot/)
-- [Full disk encryption with LUKS (including /boot) · Pavel Kogan](http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/).
-- [Full-Crypto setup with GRUB2](http://michael-prokop.at/blog/2014/02/28/full-crypto-setup-with-grub2/)
+* [Grub Crypt · Grub with crypto enhancements](http://grub.johnlane.ie/).
+* [Yet Another Full Disk Encryption with Ubuntu 11.10 | On Science and Technology](https://archimedesden.wordpress.com/2011/10/21/yet-another-full-disk-encryption-with-ubuntu-11-10/).
+* [MissingLink.xyz - Tutorial: GRUB2 Cryptomount](http://missinglink.xyz/grub2-bootloader/understanding-grub2-cryptomount/).
+* [Ubuntu Full Disk Encryption (FDE) with encrypted /boot](http://missinglink.xyz/security/tutorial-debianubuntu-full-disk-encryption-luks-fde-including-encrypted-boot/)
+* [Full disk encryption with LUKS (including /boot) · Pavel Kogan](http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/).
+* [Full-Crypto setup with GRUB2](http://michael-prokop.at/blog/2014/02/28/full-crypto-setup-with-grub2/)
+
+## LUKS
+
+* [Linux Unified Key Setup - Wikipedia](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup)
+
+### LUKS 2 and Argon2id
+
+General information:
+
+* mjg59: [PSA: upgrade your LUKS key derivation function][]
+* [Une lettre d’Ivan, enfermé à la prison de Villepinte : perquisitions et disques durs déchiffrés » Indymedia Nantes](https://nantes.indymedia.org/posts/87395/une-lettre-divan-enferme-a-la-prison-de-villepinte-perquisitions-et-disques-durs-dechiffres/)
+* [Password Storage - OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)
+* [GitHub - CyberKnight00/Argon2_Cracker: Argon2 Hash Cracker](https://github.com/CyberKnight00/Argon2_Cracker)
+* [An information theoretic model of privacy and security metrics — GNU MediaGoblin](https://media.libreplanet.org/u/libreplanet/m/an-information-theoretic-model-of-privacy-and-security-metrics/)
+* [Debian -- Details of package grub-pc in bookworm](https://packages.debian.org/bookworm/grub-pc)
+
+Relevant references:
+
+* [Enable LUKS2 and Argon2 Support for Packages - Gentoo Configuration Guide: Full Disk LUKS2 with GRUB and systemd - Leo3418's Personal Site](https://leo3418.github.io/collections/gentoo-config-luks2-grub-systemd/packages.html)
+* [Tails - Weak cryptographic parameters in LUKS1](https://tails.net/security/argon2id/index.en.html)
+
+Bug reports:
+
+* [GNU GRUB - Bugs: bug #55093, Add LUKS2 support](https://savannah.gnu.org/bugs/?55093)
+
+Existing patches for GRUB:
+
+* [AUR (en) - grub-improved-luks2-git](https://aur.archlinux.org/packages/grub-improved-luks2-git)
+* [Support Argon2 KDF in LUKS2](https://lists.gnu.org/archive/html/grub-devel/2021-08/msg00027.html)
+* [Re: GRUB 2.12 release - update](https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00094.html)
+
+Workarounds to use LUKS2 and Argon2id on boot devices:
+
+* [How to install debian 12 with full disk (boot too) luks2 encryption grub2, lvm UEFI? - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/753886/how-to-install-debian-12-with-full-disk-boot-too-luks2-encryption-grub2-lvm-u)
+* [Here's how to use grub2-git and argon2id for encrypted boot : r/NixOS](https://www.reddit.com/r/NixOS/comments/12wqedo/heres_how_to_use_grub2git_and_argon2id_for/)
+* [encryption - GRUB alternative for LUKS2 with Argon2ID support - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/633713/grub-alternative-for-luks2-with-argon2id-support)
+* [Enable LUKS2 and Argon2 support for Grub in Manjaro/Arch | Ming Di Leom's Blog](https://mdleom.com/blog/2022/11/27/grub-luks2-argon2/)
+
+Systems that already support it (but nos as FDE):
+
+* [Tails 5.14 is out! (2023-06-13) - General Discussion - Tor Project Forum](https://forum.torproject.org/t/tails-5-14-is-out-2023-06-13/7986)
+
+[PSA: upgrade your LUKS key derivation function]: https://mjg59.dreamwidth.org/66429.html
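Review bot: the new subsection label "Systems that already support it (but nos as FDE):" has a typo, "nos" should be "not". In the new "LUKS 2 and Argon2id" section, the "General information" list mixes background reading (the mjg59 post, the OWASP cheat sheet) with a Debian package page and an Argon2 cracking tool without saying why each entry is relevant; a few words per entry, as is already done for the `cryptopts` links, would make the list usable. The carried-over OSDev entry still has its annotation in Portuguese ("instalando o grub em várias mídias distintas") on an otherwise English page, and since every carried-over line is rewritten here anyway, this is a good moment to move the plain `http://` links to `https://` where the sites support it.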
diff --git a/todo.md b/todo.md
new file mode 100644
index 0000000..de2cb38
--- /dev/null
+++ b/todo.md
@@ -0,0 +1,26 @@
+[[!meta title="Bootless: TODO"]]
+
+## Support for Full Disk Encryption with LUKS version 2 with Argon2id
+
+### About
+
+This is a major task that need to be evaluated, since currently (as of
+2024-07-13) [GNU Grub][] does not natively supports LUKS 2 and Argon2id.
+
+This can be either implemented as a patch with a custom [GNU Grub][]
+build, or wait for an official implementation.
+
+### Status
+
+* As of 2024-07-13, the GRUB packages for Debian bookworm still does not have
+ support for luks2 and argon2id.
+* This means that Full Disk Encryption won't work along with luks2 and argon2id
+ when using vanilla GRUB packages from Debian.
+* But it's now possible to migrate non-boot volumes.
+
+### References
+
+References on LUKS 2 and Argon2id are available in the [references](references)
+page.
+
+[GNU Grub]: https://www.gnu.org/software/grub/
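Review bot: the About and Status text has agreement errors: "a major task that need to be evaluated" (needs), "does not natively supports" (support), and "the GRUB packages for Debian bookworm still does not have" (do not). The last status bullet, "But it's now possible to migrate non-boot volumes", does not say what they are migrated to or what the volume unlocked by GRUB keeps using in the meantime; state both explicitly so a reader can tell which parts of a Full Disk Encryption setup are affected by the missing luks2 and argon2id support.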
diff --git a/tutorial.md b/tutorial.md
index a504586..d275adb 100644
--- a/tutorial.md
+++ b/tutorial.md
@@ -2,33 +2,31 @@
This tutorial helps you to build a Grub USB stick to boot your operating systems.
-Create basic folder structure
------------------------------
+# Create basic folder structure
mkdir -p bootless/boot/{grub,custom}
wget https://git.fluxo.info/bootless/plain/templates/grub.cfg -O bootless/boot/grub/grub.cfg
wget https://git.fluxo.info/bootless/plain/templates/custom.cfg -O bootless/boot/custom/custom.cfg
-Customize
----------
+# Customize
Please check and customize the downloaded configuration above. The defaults:
* Have examples to help customizations.
* Allows you to load into Grub and boot your OS using the grub shell.
-* Provides two functions, `bootfde` and `bootimg` to simplify booting your encrypted system.
+* Provides two functions, `bootfde` and `bootimg` to simplify booting your
+ encrypted system.
-You may also place custom images into the USB stick -- with the drawback to have to keep them up-to-date:
+You may also place custom images into the USB stick -- with the drawback to
+have to keep them up-to-date:
cp -r /boot /tmp/bootless/custom/debian
-Create a bootable image
------------------------
+# Create a bootable image
grub-mkrescue -o bootless.iso bootless
-Record the image into the USB stick
------------------------------------
+# Record the image into the USB stick
**WARNING!** This will irrevocably replace the contents of your USB stick. Pay
attention to get the right device. If your USB stick is attached to your