From 16c4d7c30457f798470c0b92e81849599c69f049 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sat, 13 Jul 2024 10:58:54 -0300 Subject: Improve docs, adds TODO page and more references --- TODO.md | 1 + index.md | 40 ++++++++++++++---------- references.md | 97 ++++++++++++++++++++++++++++++++++++++++++----------------- todo.md | 26 ++++++++++++++++ tutorial.md | 18 +++++------ 5 files changed, 129 insertions(+), 53 deletions(-) create mode 120000 TODO.md create mode 100644 todo.md diff --git a/TODO.md b/TODO.md new file mode 120000 index 0000000..3f6dfa6 --- /dev/null +++ b/TODO.md @@ -0,0 +1 @@ +todo.md \ No newline at end of file diff --git a/index.md b/index.md index 59837fe..6540e1a 100644 --- a/index.md +++ b/index.md @@ -5,14 +5,17 @@ attached bootloader in order to make more difficult to tamper the initialization process. Bootless is a bootloader installed in a removable media and used to initialize computers. -It offers partial protection against the so-called [evil maid -attacks](https://en.wikipedia.org/wiki/Evil_maid_attack). +It offers partial protection against the so-called [evil maid attacks][], which +basically consists in compromising the boot procedure on unnattended machines. -- [Repository](https://git.fluxo.info/bootless). -- [Tutorial](tutorial). -- [References](references). -- License: [GPLv3+](LICENSE). -- Contact: rhatto at riseup.net. +* [Repository](https://git.fluxo.info/bootless). +* [Tutorial](tutorial). +* [References](references). +* [TODO](todo). +* License: [GPLv3+](LICENSE). +* Contact: rhatto at riseup.net. + +[evil maid attacks]: https://en.wikipedia.org/wiki/Evil_maid_attack ## Design @@ -27,9 +30,10 @@ images. ## Dependencies -- [GNU Grub](https://www.gnu.org/software/grub/). -- Reference implementation is targeted to Debian like operating systems. -- Optionally use git and [git-annex](http://git-annex.branchable.com/) to manage your repository and images. +* [GNU Grub](https://www.gnu.org/software/grub/). +* Reference implementation is targeted to Debian like operating systems. +* Optionally use git and [git-annex](http://git-annex.branchable.com/) to + manage your repository and images. ## Installation @@ -70,8 +74,8 @@ Check device/image signatures: ## Customization -- Place your custom images into `custom` folder. -- Edit `custom/custom.cfg` to suit your needs. +* Place your custom images into `custom` folder. +* Edit `custom/custom.cfg` to suit your needs. ## Threat Model @@ -83,7 +87,9 @@ Check device/image signatures: 2. Infection is still possible in plenty of unencrypted/unauthenticated software residing in the machine, such as BIOS, network firmware and - potential backdoors such as Intel's AMT/ME. + potential backdoors such as Intel's AMT/ME. Nowadays seems like there + are plenty of places were malicious code can be placed, not to say + about the many ways miniaturized hardware can be implanted. 3. The USB stick itself is not a static device: it's has a built-in controller that could be exploited to present to your computer a compromised kernel or @@ -96,8 +102,8 @@ Again: to be significantly smaller to do their jobs and optionally also load an operating system (in case it's intended not to be noticed). -* Spyware could still be installed in the firware or in specialized harware, - which are plentyful in current computers. +* Spyware could still be installed in the firmware or in specialized hardware, + which are plentiful in current computers. ### Additional mitigations @@ -125,7 +131,9 @@ Again: or switching the "rfkill" button in laptops), preventing any bootloader exploit that to broadcast keystrokes. -6. Implement "Physically Unclonable Functions" at your device: +6. Implement [Physically Unclonable Functions][] (PUF) at your device: * [Thwarting Evil Maid Attacks](https://media.ccc.de/v/30C3_-_5600_-_en_-_saal_1_-_201312301245_-_thwarting_evil_maid_attacks_-_eric_michaud_-_ryan_lackey#t=2616) (30C3). * [Don't Want Your Laptop Tampered With? Just Add Glitter Nail Polish](https://www.wired.com/2013/12/better-data-security-nail-polish/). * [Home-made tamper-evident security seals for kids and adults alike](http://blog.ssokolow.com/archives/2017/04/08/home-made-tamper-evident-security-seals-for-kids-and-adults-alike/). + +[Physically Unclonable Functions]: https://en.wikipedia.org/wiki/Physical_unclonable_function diff --git a/references.md b/references.md index 19c911d..1314b3a 100644 --- a/references.md +++ b/references.md @@ -1,40 +1,83 @@ [[!meta title="Bootless: references"]] -Grub: +## GNU Grub -- [Bootable grub USB stick (EFI and BIOS for Intel)](http://debian-administration.org/users/dkg/weblog/112). -- [Grub2](https://help.ubuntu.com/community/Grub2) (Ubuntu Help). -- [GRUB2 Manual](http://grub.enbug.org/Manual) (Wiki). -- [Using GRUB to Set Up the Boot Process](http://www.linuxfromscratch.org/lfs/view/development/chapter08/grub.html). -- [GNU Grub Manual](http://www.gnu.org/software/grub/manual/grub.html). -- On `cryptopts`: ([1](http://www.c3l.de/linux/howto-completly-encrypted-harddisk-including-suspend-to-encrypted-disk-with-ubuntu-6.10-edgy-eft.html), [2](http://manpages.ubuntu.com/manpages/lucid/man8/initramfs-tools.8.html), [3](http://solvedlinuxissues.blogspot.com.br/2011/11/encrypted-ubuntu-filesystem-on-logical.html), [4](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147), [5](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358452)), see `/usr/share/doc/cryptsetup/README.initramfs.gz` for details. +* [Bootable grub USB stick (EFI and BIOS for Intel)](http://debian-administration.org/users/dkg/weblog/112). +* [Grub2](https://help.ubuntu.com/community/Grub2) (Ubuntu Help). +* [GRUB2 Manual](http://grub.enbug.org/Manual) (Wiki). +* [Using GRUB to Set Up the Boot Process](http://www.linuxfromscratch.org/lfs/view/development/chapter08/grub.html). +* [GNU Grub Manual](http://www.gnu.org/software/grub/manual/grub.html). +* On `cryptopts`: ([1](http://www.c3l.de/linux/howto-completly-encrypted-harddisk-including-suspend-to-encrypted-disk-with-ubuntu-6.10-edgy-eft.html), [2](http://manpages.ubuntu.com/manpages/lucid/man8/initramfs-tools.8.html), [3](http://solvedlinuxissues.blogspot.com.br/2011/11/encrypted-ubuntu-filesystem-on-logical.html), [4](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147), [5](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358452)), see `/usr/share/doc/cryptsetup/README.initramfs.gz` for details. -Boot: +## Boot -- [Auto-booting and Securing a Linux Server with an Encrypted Filesystem](http://serverfault.com/questions/34794/auto-booting-and-securing-a-linux-server-with-an-encrypted-filesystem). -- [#348147 - Allow subscripts to alter ROOT (was: Add support for cryptoroot) - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147) ([crypt_root and real_root on gentoo](http://wiki.gentoo.org/wiki/Genkernel)). +* [Auto-booting and Securing a Linux Server with an Encrypted Filesystem](http://serverfault.com/questions/34794/auto-booting-and-securing-a-linux-server-with-an-encrypted-filesystem). +* [#348147 - Allow subscripts to alter ROOT (was: Add support for cryptoroot) - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147) ([crypt_root and real_root on gentoo](http://wiki.gentoo.org/wiki/Genkernel)). -Images: +## Images -- [How can I mount a disk image?](http://superuser.com/questions/344899/how-can-i-mount-a-disk-image). -- [GRUB 2 - OSDev](http://wiki.osdev.org/GRUB_2): instalando o grub em várias mídias distintas. -- [Disk mounting](http://www.noah.org/wiki/Disk_mounting). -- [Loop-mounting partitions from a disk image](http://madduck.net/blog/2006.10.20:loop-mounting-partitions-from-a-disk-image/). +* [How can I mount a disk image?](http://superuser.com/questions/344899/how-can-i-mount-a-disk-image). +* [GRUB 2 - OSDev](http://wiki.osdev.org/GRUB_2): instalando o grub em várias mídias distintas. +* [Disk mounting](http://www.noah.org/wiki/Disk_mounting). +* [Loop-mounting partitions from a disk image](http://madduck.net/blog/2006.10.20:loop-mounting-partitions-from-a-disk-image/). -UEFI: +## UEFI -- [gummiboot](http://freedesktop.org/wiki/Software/gummiboot/). -- [booting a self-signed Linux kernel | The Linux Foundation](http://www.linuxfoundation.org/news-media/blogs/browse/2013/09/booting-self-signed-linux-kernel). +* [gummiboot](http://freedesktop.org/wiki/Software/gummiboot/). +* [booting a self-signed Linux kernel | The Linux Foundation](http://www.linuxfoundation.org/news-media/blogs/browse/2013/09/booting-self-signed-linux-kernel). -Security: +## Security -- [implementing the evil maid attack on linux with Luks - Pollux's blog](https://www.wzdftpd.net/blog/index.php?post/2009/10/28/44-implementing-the-evil-maid-attack-on-linux-with-luks). +* [implementing the evil maid attack on linux with Luks - Pollux's blog](https://www.wzdftpd.net/blog/index.php?post/2009/10/28/44-implementing-the-evil-maid-attack-on-linux-with-luks). -Full Disk Encryption: +## Full Disk Encryption -- [Grub Crypt · Grub with crypto enhancements](http://grub.johnlane.ie/). -- [Yet Another Full Disk Encryption with Ubuntu 11.10 | On Science and Technology](https://archimedesden.wordpress.com/2011/10/21/yet-another-full-disk-encryption-with-ubuntu-11-10/). -- [MissingLink.xyz - Tutorial: GRUB2 Cryptomount](http://missinglink.xyz/grub2-bootloader/understanding-grub2-cryptomount/). -- [Ubuntu Full Disk Encryption (FDE) with encrypted /boot](http://missinglink.xyz/security/tutorial-debianubuntu-full-disk-encryption-luks-fde-including-encrypted-boot/) -- [Full disk encryption with LUKS (including /boot) · Pavel Kogan](http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/). -- [Full-Crypto setup with GRUB2](http://michael-prokop.at/blog/2014/02/28/full-crypto-setup-with-grub2/) +* [Grub Crypt · Grub with crypto enhancements](http://grub.johnlane.ie/). +* [Yet Another Full Disk Encryption with Ubuntu 11.10 | On Science and Technology](https://archimedesden.wordpress.com/2011/10/21/yet-another-full-disk-encryption-with-ubuntu-11-10/). +* [MissingLink.xyz - Tutorial: GRUB2 Cryptomount](http://missinglink.xyz/grub2-bootloader/understanding-grub2-cryptomount/). +* [Ubuntu Full Disk Encryption (FDE) with encrypted /boot](http://missinglink.xyz/security/tutorial-debianubuntu-full-disk-encryption-luks-fde-including-encrypted-boot/) +* [Full disk encryption with LUKS (including /boot) · Pavel Kogan](http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/). +* [Full-Crypto setup with GRUB2](http://michael-prokop.at/blog/2014/02/28/full-crypto-setup-with-grub2/) + +## LUKS + +* [Linux Unified Key Setup - Wikipedia](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) + +### LUKS 2 and Argon2id + +General information: + +* mjg59: [PSA: upgrade your LUKS key derivation function][] +* [Une lettre d’Ivan, enfermé à la prison de Villepinte : perquisitions et disques durs déchiffrés » Indymedia Nantes](https://nantes.indymedia.org/posts/87395/une-lettre-divan-enferme-a-la-prison-de-villepinte-perquisitions-et-disques-durs-dechiffres/) +* [Password Storage - OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html) +* [GitHub - CyberKnight00/Argon2_Cracker: Argon2 Hash Cracker](https://github.com/CyberKnight00/Argon2_Cracker) +* [An information theoretic model of privacy and security metrics — GNU MediaGoblin](https://media.libreplanet.org/u/libreplanet/m/an-information-theoretic-model-of-privacy-and-security-metrics/) +* [Debian -- Details of package grub-pc in bookworm](https://packages.debian.org/bookworm/grub-pc) + +Relevant references: + +* [Enable LUKS2 and Argon2 Support for Packages - Gentoo Configuration Guide: Full Disk LUKS2 with GRUB and systemd - Leo3418's Personal Site](https://leo3418.github.io/collections/gentoo-config-luks2-grub-systemd/packages.html) +* [Tails - Weak cryptographic parameters in LUKS1](https://tails.net/security/argon2id/index.en.html) + +Bug reports: + +* [GNU GRUB - Bugs: bug #55093, Add LUKS2 support](https://savannah.gnu.org/bugs/?55093) + +Existing patches for GRUB: + +* [AUR (en) - grub-improved-luks2-git](https://aur.archlinux.org/packages/grub-improved-luks2-git) +* [Support Argon2 KDF in LUKS2](https://lists.gnu.org/archive/html/grub-devel/2021-08/msg00027.html) +* [Re: GRUB 2.12 release - update](https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00094.html) + +Workarounds to use LUKS2 and Argon2id on boot devices: + +* [How to install debian 12 with full disk (boot too) luks2 encryption grub2, lvm UEFI? - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/753886/how-to-install-debian-12-with-full-disk-boot-too-luks2-encryption-grub2-lvm-u) +* [Here's how to use grub2-git and argon2id for encrypted boot : r/NixOS](https://www.reddit.com/r/NixOS/comments/12wqedo/heres_how_to_use_grub2git_and_argon2id_for/) +* [encryption - GRUB alternative for LUKS2 with Argon2ID support - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/633713/grub-alternative-for-luks2-with-argon2id-support) +* [Enable LUKS2 and Argon2 support for Grub in Manjaro/Arch | Ming Di Leom's Blog](https://mdleom.com/blog/2022/11/27/grub-luks2-argon2/) + +Systems that already support it (but nos as FDE): + +* [Tails 5.14 is out! (2023-06-13) - General Discussion - Tor Project Forum](https://forum.torproject.org/t/tails-5-14-is-out-2023-06-13/7986) + +[PSA: upgrade your LUKS key derivation function]: https://mjg59.dreamwidth.org/66429.html diff --git a/todo.md b/todo.md new file mode 100644 index 0000000..de2cb38 --- /dev/null +++ b/todo.md @@ -0,0 +1,26 @@ +[[!meta title="Bootless: TODO"]] + +## Support for Full Disk Encryption with LUKS version 2 with Argon2id + +### About + +This is a major task that need to be evaluated, since currently (as of +2024-07-13) [GNU Grub][] does not natively supports LUKS 2 and Argon2id. + +This can be either implemented as a patch with a custom [GNU Grub][] +build, or wait for an official implementation. + +### Status + +* As of 2024-07-13, the GRUB packages for Debian bookworm still does not have + support for luks2 and argon2id. +* This means that Full Disk Encryption won't work along with luks2 and argon2id + when using vanilla GRUB packages from Debian. +* But it's now possible to migrate non-boot volumes. + +### References + +References on LUKS 2 and Argon2id are available in the [references](references) +page. + +[GNU Grub]: https://www.gnu.org/software/grub/ diff --git a/tutorial.md b/tutorial.md index a504586..d275adb 100644 --- a/tutorial.md +++ b/tutorial.md @@ -2,33 +2,31 @@ This tutorial helps you to build a Grub USB stick to boot your operating systems. -Create basic folder structure ------------------------------ +# Create basic folder structure mkdir -p bootless/boot/{grub,custom} wget https://git.fluxo.info/bootless/plain/templates/grub.cfg -O bootless/boot/grub/grub.cfg wget https://git.fluxo.info/bootless/plain/templates/custom.cfg -O bootless/boot/custom/custom.cfg -Customize ---------- +# Customize Please check and customize the downloaded configuration above. The defaults: * Have examples to help customizations. * Allows you to load into Grub and boot your OS using the grub shell. -* Provides two functions, `bootfde` and `bootimg` to simplify booting your encrypted system. +* Provides two functions, `bootfde` and `bootimg` to simplify booting your + encrypted system. -You may also place custom images into the USB stick -- with the drawback to have to keep them up-to-date: +You may also place custom images into the USB stick -- with the drawback to +have to keep them up-to-date: cp -r /boot /tmp/bootless/custom/debian -Create a bootable image ------------------------ +# Create a bootable image grub-mkrescue -o bootless.iso bootless -Record the image into the USB stick ------------------------------------ +# Record the image into the USB stick **WARNING!** This will irrevocably replace the contents of your USB stick. Pay attention to get the right device. If your USB stick is attached to your -- cgit v1.2.3