From 80071d0ed7ee04054ad244d89ec6fbe2bd3ca7ba Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 1 Oct 2017 17:20:27 -0300 Subject: Change markdown extension to .md --- index.md | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ index.mdwn | 95 --------------------------------------------------------- references.md | 40 ++++++++++++++++++++++++ references.mdwn | 40 ------------------------ tutorial.md | 37 ++++++++++++++++++++++ tutorial.mdwn | 37 ---------------------- 6 files changed, 172 insertions(+), 172 deletions(-) create mode 100644 index.md delete mode 100644 index.mdwn create mode 100644 references.md delete mode 100644 references.mdwn create mode 100644 tutorial.md delete mode 100644 tutorial.mdwn diff --git a/index.md b/index.md new file mode 100644 index 0000000..7e202ba --- /dev/null +++ b/index.md 
@@ -0,0 +1,95 @@ +[[!meta title="Bootless: evil maid mitigator"]] + +Bootless is a scheme allowing a computer with encrypted disk to stay without +attached bootloader in order to make more difficult to tamper the initialization +process. Bootless is a bootloader installed in a removable media and used to +initialize computers. + +- [Repository](https://git.fluxo.info/bootless). +- [Tutorial](tutorial). +- [References](references). +- License: [GPLv3+](LICENSE). +- Contact: rhatto at riseup.net. + +Design +------ + +The user has at least one USB thumb drive which will be used to boot multiple +operating systems in multiple machines for multiple different projects/farms +(personal, work, hackerspace, etc). User keeps the bootless thumb drive in +a safe place protected from physical intrusions. + +The `bootless` application wraps around `grub-mkrescue` to create a USB +bootdisk with preloaded custom configuration and optional kernel and initramfs +images. + +Dependencies +------------ + +- [GNU Grub](https://www.gnu.org/software/grub/). +- Reference implementation is targeted to Debian like operating systems. +- Optionally use git and [git-annex](http://git-annex.branchable.com/) to manage your repository and images. + +Installation +------------ + +Don't want to install another piece of software and prefer to build a bootless +rescue disk yourself? Then read about the [barebones tutorial](tutorial). + +Just clone + + git clone https//git.fluxo.info/bootless + +You can also verify the latest commit's OpenPGP signature: + + /usr/bin/git -C kvmx verify-commit HEAD + +Note that `/usr/bin/git` is called to avoid any other `git` wrappers or aliases +you might have available on your shell. + +You can optionally add the `bootless` script it to your `$PATH` environment +variable or package it to your preferred distro. 
+ +Workflow +-------- + +Initialize: + + bootless init [repository] + +Create an image: + + boootless image [image] + +Write image to thumb drive: + + boootless write + +Check device/image signatures: + + bootless check + +Customization +------------- + +- Place your custom images into `custom` folder. +- Edit `custom/custom.cfg` to suit your needs. + +Threat Model +------------ + +### Does bootless mitigate all types of Evil Maid attacks? No. + +1. It reduces the attack surface by placing the bootloader and images away from the physical machine and recommending you to use Full Disk Encryption (FDE) to store your operating system, swap and data. + +2. Infection is still possible in plenty of unencrypted/unauthenticated software residing in the machine, such as BIOS, network firmware and potential backdoors such as Intel's AMT/ME. + +3. The USB stick itself is not a static device: it's has a built-in controller that could be exploited to present to your computer a compromised kernel or initramfs ([BadUSB attacks](https://links.fluxo.info/tags/badusb)). + +### Additional mitigations + +3. For physical attempts to tamper with your bare metal, you might try to protect and monitor your perimeter. + +4. From inside threats such as preloaded backdoors in the hardware, the best you can do is to look for laboratory audits and build and use open hardware. + +- Check your boot using something like [anti-evil-maid](http://theinvisiblethings.blogspot.com.br/2011/09/anti-evil-maid.html) ([repository](https://github.com/QubesOS/qubes-antievilmaid)), [smartmonster](https://git.fluxo.info/smartmonster) ([original repository](https://github.com/ioerror/smartmonster)) or [chkboot](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#chkboot). diff --git a/index.mdwn b/index.mdwn deleted file mode 100644 index 7e202ba..0000000 --- a/index.mdwn +++ /dev/null 
@@ -1,95 +0,0 @@ -[[!meta title="Bootless: evil maid mitigator"]] - -Bootless is a scheme allowing a computer with encrypted disk to stay without -attached bootloader in order to make more difficult to tamper the initialization -process. Bootless is a bootloader installed in a removable media and used to -initialize computers. - -- [Repository](https://git.fluxo.info/bootless). -- [Tutorial](tutorial). -- [References](references). -- License: [GPLv3+](LICENSE). -- Contact: rhatto at riseup.net. - -Design ------- - -The user has at least one USB thumb drive which will be used to boot multiple -operating systems in multiple machines for multiple different projects/farms -(personal, work, hackerspace, etc). User keeps the bootless thumb drive in -a safe place protected from physical intrusions. - -The `bootless` application wraps around `grub-mkrescue` to create a USB -bootdisk with preloaded custom configuration and optional kernel and initramfs -images. - -Dependencies ------------- - -- [GNU Grub](https://www.gnu.org/software/grub/). -- Reference implementation is targeted to Debian like operating systems. -- Optionally use git and [git-annex](http://git-annex.branchable.com/) to manage your repository and images. - -Installation ------------- - -Don't want to install another piece of software and prefer to build a bootless -rescue disk yourself? Then read about the [barebones tutorial](tutorial). - -Just clone - - git clone https//git.fluxo.info/bootless - -You can also verify the latest commit's OpenPGP signature: - - /usr/bin/git -C kvmx verify-commit HEAD - -Note that `/usr/bin/git` is called to avoid any other `git` wrappers or aliases -you might have available on your shell. - -You can optionally add the `bootless` script it to your `$PATH` environment -variable or package it to your preferred distro. 
- -Workflow --------- - -Initialize: - - bootless init [repository] - -Create an image: - - boootless image [image] - -Write image to thumb drive: - - boootless write - -Check device/image signatures: - - bootless check - -Customization -------------- - -- Place your custom images into `custom` folder. -- Edit `custom/custom.cfg` to suit your needs. - -Threat Model ------------- - -### Does bootless mitigate all types of Evil Maid attacks? No. - -1. It reduces the attack surface by placing the bootloader and images away from the physical machine and recommending you to use Full Disk Encryption (FDE) to store your operating system, swap and data. - -2. Infection is still possible in plenty of unencrypted/unauthenticated software residing in the machine, such as BIOS, network firmware and potential backdoors such as Intel's AMT/ME. - -3. The USB stick itself is not a static device: it's has a built-in controller that could be exploited to present to your computer a compromised kernel or initramfs ([BadUSB attacks](https://links.fluxo.info/tags/badusb)). - -### Additional mitigations - -3. For physical attempts to tamper with your bare metal, you might try to protect and monitor your perimeter. - -4. From inside threats such as preloaded backdoors in the hardware, the best you can do is to look for laboratory audits and build and use open hardware. - -- Check your boot using something like [anti-evil-maid](http://theinvisiblethings.blogspot.com.br/2011/09/anti-evil-maid.html) ([repository](https://github.com/QubesOS/qubes-antievilmaid)), [smartmonster](https://git.fluxo.info/smartmonster) ([original repository](https://github.com/ioerror/smartmonster)) or [chkboot](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#chkboot). diff --git a/references.md b/references.md new file mode 100644 index 0000000..19c911d --- /dev/null +++ b/references.md 
@@ -0,0 +1,40 @@ +[[!meta title="Bootless: references"]] + +Grub: + +- [Bootable grub USB stick (EFI and BIOS for Intel)](http://debian-administration.org/users/dkg/weblog/112). +- [Grub2](https://help.ubuntu.com/community/Grub2) (Ubuntu Help). +- [GRUB2 Manual](http://grub.enbug.org/Manual) (Wiki). +- [Using GRUB to Set Up the Boot Process](http://www.linuxfromscratch.org/lfs/view/development/chapter08/grub.html). +- [GNU Grub Manual](http://www.gnu.org/software/grub/manual/grub.html). +- On `cryptopts`: ([1](http://www.c3l.de/linux/howto-completly-encrypted-harddisk-including-suspend-to-encrypted-disk-with-ubuntu-6.10-edgy-eft.html), [2](http://manpages.ubuntu.com/manpages/lucid/man8/initramfs-tools.8.html), [3](http://solvedlinuxissues.blogspot.com.br/2011/11/encrypted-ubuntu-filesystem-on-logical.html), [4](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147), [5](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358452)), see `/usr/share/doc/cryptsetup/README.initramfs.gz` for details. + +Boot: + +- [Auto-booting and Securing a Linux Server with an Encrypted Filesystem](http://serverfault.com/questions/34794/auto-booting-and-securing-a-linux-server-with-an-encrypted-filesystem). +- [#348147 - Allow subscripts to alter ROOT (was: Add support for cryptoroot) - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147) ([crypt_root and real_root on gentoo](http://wiki.gentoo.org/wiki/Genkernel)). + +Images: + +- [How can I mount a disk image?](http://superuser.com/questions/344899/how-can-i-mount-a-disk-image). +- [GRUB 2 - OSDev](http://wiki.osdev.org/GRUB_2): instalando o grub em várias mídias distintas. +- [Disk mounting](http://www.noah.org/wiki/Disk_mounting). +- [Loop-mounting partitions from a disk image](http://madduck.net/blog/2006.10.20:loop-mounting-partitions-from-a-disk-image/). + +UEFI: + +- [gummiboot](http://freedesktop.org/wiki/Software/gummiboot/). 
+- [booting a self-signed Linux kernel | The Linux Foundation](http://www.linuxfoundation.org/news-media/blogs/browse/2013/09/booting-self-signed-linux-kernel). + +Security: + +- [implementing the evil maid attack on linux with Luks - Pollux's blog](https://www.wzdftpd.net/blog/index.php?post/2009/10/28/44-implementing-the-evil-maid-attack-on-linux-with-luks). + +Full Disk Encryption: + +- [Grub Crypt · Grub with crypto enhancements](http://grub.johnlane.ie/). +- [Yet Another Full Disk Encryption with Ubuntu 11.10 | On Science and Technology](https://archimedesden.wordpress.com/2011/10/21/yet-another-full-disk-encryption-with-ubuntu-11-10/). +- [MissingLink.xyz - Tutorial: GRUB2 Cryptomount](http://missinglink.xyz/grub2-bootloader/understanding-grub2-cryptomount/). +- [Ubuntu Full Disk Encryption (FDE) with encrypted /boot](http://missinglink.xyz/security/tutorial-debianubuntu-full-disk-encryption-luks-fde-including-encrypted-boot/) +- [Full disk encryption with LUKS (including /boot) · Pavel Kogan](http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/). +- [Full-Crypto setup with GRUB2](http://michael-prokop.at/blog/2014/02/28/full-crypto-setup-with-grub2/) diff --git a/references.mdwn b/references.mdwn deleted file mode 100644 index 19c911d..0000000 --- a/references.mdwn +++ /dev/null 
@@ -1,40 +0,0 @@ -[[!meta title="Bootless: references"]] - -Grub: - -- [Bootable grub USB stick (EFI and BIOS for Intel)](http://debian-administration.org/users/dkg/weblog/112). -- [Grub2](https://help.ubuntu.com/community/Grub2) (Ubuntu Help). -- [GRUB2 Manual](http://grub.enbug.org/Manual) (Wiki). -- [Using GRUB to Set Up the Boot Process](http://www.linuxfromscratch.org/lfs/view/development/chapter08/grub.html). -- [GNU Grub Manual](http://www.gnu.org/software/grub/manual/grub.html). -- On `cryptopts`: ([1](http://www.c3l.de/linux/howto-completly-encrypted-harddisk-including-suspend-to-encrypted-disk-with-ubuntu-6.10-edgy-eft.html), [2](http://manpages.ubuntu.com/manpages/lucid/man8/initramfs-tools.8.html), [3](http://solvedlinuxissues.blogspot.com.br/2011/11/encrypted-ubuntu-filesystem-on-logical.html), [4](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147), [5](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358452)), see `/usr/share/doc/cryptsetup/README.initramfs.gz` for details. - -Boot: - -- [Auto-booting and Securing a Linux Server with an Encrypted Filesystem](http://serverfault.com/questions/34794/auto-booting-and-securing-a-linux-server-with-an-encrypted-filesystem). -- [#348147 - Allow subscripts to alter ROOT (was: Add support for cryptoroot) - Debian Bug report logs](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348147) ([crypt_root and real_root on gentoo](http://wiki.gentoo.org/wiki/Genkernel)). - -Images: - -- [How can I mount a disk image?](http://superuser.com/questions/344899/how-can-i-mount-a-disk-image). -- [GRUB 2 - OSDev](http://wiki.osdev.org/GRUB_2): instalando o grub em várias mídias distintas. -- [Disk mounting](http://www.noah.org/wiki/Disk_mounting). -- [Loop-mounting partitions from a disk image](http://madduck.net/blog/2006.10.20:loop-mounting-partitions-from-a-disk-image/). - -UEFI: - -- [gummiboot](http://freedesktop.org/wiki/Software/gummiboot/). 
-- [booting a self-signed Linux kernel | The Linux Foundation](http://www.linuxfoundation.org/news-media/blogs/browse/2013/09/booting-self-signed-linux-kernel). - -Security: - -- [implementing the evil maid attack on linux with Luks - Pollux's blog](https://www.wzdftpd.net/blog/index.php?post/2009/10/28/44-implementing-the-evil-maid-attack-on-linux-with-luks). - -Full Disk Encryption: - -- [Grub Crypt · Grub with crypto enhancements](http://grub.johnlane.ie/). -- [Yet Another Full Disk Encryption with Ubuntu 11.10 | On Science and Technology](https://archimedesden.wordpress.com/2011/10/21/yet-another-full-disk-encryption-with-ubuntu-11-10/). -- [MissingLink.xyz - Tutorial: GRUB2 Cryptomount](http://missinglink.xyz/grub2-bootloader/understanding-grub2-cryptomount/). -- [Ubuntu Full Disk Encryption (FDE) with encrypted /boot](http://missinglink.xyz/security/tutorial-debianubuntu-full-disk-encryption-luks-fde-including-encrypted-boot/) -- [Full disk encryption with LUKS (including /boot) · Pavel Kogan](http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/). -- [Full-Crypto setup with GRUB2](http://michael-prokop.at/blog/2014/02/28/full-crypto-setup-with-grub2/) diff --git a/tutorial.md b/tutorial.md new file mode 100644 index 0000000..a504586 --- /dev/null +++ b/tutorial.md 
@@ -0,0 +1,37 @@ +[[!meta title="Bootless: barebones tutorial"]] + +This tutorial helps you to build a Grub USB stick to boot your operating systems. + +Create basic folder structure +----------------------------- + + mkdir -p bootless/boot/{grub,custom} + wget https://git.fluxo.info/bootless/plain/templates/grub.cfg -O bootless/boot/grub/grub.cfg + wget https://git.fluxo.info/bootless/plain/templates/custom.cfg -O bootless/boot/custom/custom.cfg + +Customize +--------- + +Please check and customize the downloaded configuration above. The defaults: + +* Have examples to help customizations. +* Allows you to load into Grub and boot your OS using the grub shell. +* Provides two functions, `bootfde` and `bootimg` to simplify booting your encrypted system. + +You may also place custom images into the USB stick -- with the drawback to have to keep them up-to-date: + + cp -r /boot /tmp/bootless/custom/debian + +Create a bootable image +----------------------- + + grub-mkrescue -o bootless.iso bootless + +Record the image into the USB stick +----------------------------------- + +**WARNING!** This will irrevocably replace the contents of your USB stick. Pay +attention to get the right device. If your USB stick is attached to your +computer and reachable through `/dev/sdb`, you just have to run + + sudo dd if=bootless.iso of=/dev/sdb diff --git a/tutorial.mdwn b/tutorial.mdwn deleted file mode 100644 index a504586..0000000 --- a/tutorial.mdwn +++ /dev/null 
@@ -1,37 +0,0 @@ -[[!meta title="Bootless: barebones tutorial"]] - -This tutorial helps you to build a Grub USB stick to boot your operating systems. - -Create basic folder structure ------------------------------ - - mkdir -p bootless/boot/{grub,custom} - wget https://git.fluxo.info/bootless/plain/templates/grub.cfg -O bootless/boot/grub/grub.cfg - wget https://git.fluxo.info/bootless/plain/templates/custom.cfg -O bootless/boot/custom/custom.cfg - -Customize ---------- - -Please check and customize the downloaded configuration above. The defaults: - -* Have examples to help customizations. -* Allows you to load into Grub and boot your OS using the grub shell. -* Provides two functions, `bootfde` and `bootimg` to simplify booting your encrypted system. - -You may also place custom images into the USB stick -- with the drawback to have to keep them up-to-date: - - cp -r /boot /tmp/bootless/custom/debian - -Create a bootable image ------------------------ - - grub-mkrescue -o bootless.iso bootless - -Record the image into the USB stick ------------------------------------ - -**WARNING!** This will irrevocably replace the contents of your USB stick. Pay -attention to get the right device. If your USB stick is attached to your -computer and reachable through `/dev/sdb`, you just have to run - - sudo dd if=bootless.iso of=/dev/sdb -- cgit v1.2.3
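Review bot: In the index.md hunk, three commands in the Installation and Workflow sections will not run as written. `git clone https//git.fluxo.info/bootless` is missing the colon after `https`, `/usr/bin/git -C kvmx verify-commit HEAD` points at a `kvmx` directory instead of the `bootless` clone, and `boootless image [image]` and `boootless write` misspell the command name. The `verify-commit` line matters most: a reader who copies it gets an error or checks some other repository, and the signature check on bootless itself is skipped. The blob is carried over unchanged (7e202ba on both sides), so these can go in a follow-up commit if the rename should stay pure. In the same hunk, "Additional mitigations" numbers its items 3. and 4. although the threat model list above already ends at 3., and "add the `bootless` script it to your `$PATH`" has a stray "it".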
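Review bot: In the references.md hunk, the "Images" entry `[GRUB 2 - OSDev](http://wiki.osdev.org/GRUB_2): instalando o grub em várias mídias distintas` carries a Portuguese annotation in an otherwise English list; suggest "installing grub on several distinct media". Two "Full Disk Encryption" entries ("Ubuntu Full Disk Encryption (FDE) with encrypted /boot" and "Full-Crypto setup with GRUB2") lack the trailing period the other entries have. Most links in this hunk use `http://`; where the sites offer `https://`, prefer it.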
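Review bot: In the tutorial.md hunk, the "Customize" step copies to `/tmp/bootless/custom/debian`, but the tree created in the first step is `bootless/boot/{grub,custom}` relative to the current directory, so the copied kernel and initramfs never end up under the directory passed to `grub-mkrescue -o bootless.iso bootless`. Presumably the intended target is `bootless/boot/custom/debian`, next to the downloaded `custom.cfg`. A second point on the two `wget` lines: the templates are fetched with no signature check, while index.md recommends `verify-commit` for the clone. For a boot disk meant to resist tampering, suggest copying `grub.cfg` and `custom.cfg` from a verified clone instead of downloading them separately.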