160
submitted 11 months ago by fl42v@lemmy.ml to c/linuxmemes@lemmy.world
top 9 comments
sorted by: hot top controversial new old
[-] BautAufWasEuchAufbaut@lemmy.blahaj.zone 19 points 11 months ago* (last edited 11 months ago)

LUKS doesn't protect you from an evil maid attack. It hides your data when your stuff gets stolen in a powered off state, but it provides neither verification of data, nor does it provide verified/secure/safe boot.
In simple terms: the very first thing which gets loaded needs to be unencrypted (barring some exceptions I will omit here), which can get replaced with an evil version by the evil maid.

[-] redditReallySucks@lemmy.dbzer0.com 3 points 11 months ago

Is it even possible to mitigate such an issue? Will resetting the bios by removing the cmos battery not also disable password protection in the bios thus making it possible to disable secure boot?

And at that point could they not just use a hardware keylogger or something?

[-] BautAufWasEuchAufbaut@lemmy.blahaj.zone 2 points 11 months ago* (last edited 11 months ago)

Yes, with a TPM. A TPM (2.0) can seal secrets and only release it when a machine fulfills certain configuration and state requirements (saved into registers called PCRs).
For example: make the decryption key one part dependant on a passphrase you memorized (to not only rely on a TPM), and one part on something saved in a TPM. If you select the correct PCRs when saving the latter, and your TPM works as advertised (and doesn't offer an easy way to eavesdrop/fool it), removing the battery would make the TPM not release the secret (if removing the battery even still works on modern machines).
However, this depends on having a unified kernel image, having configured dm-verity and maybe more stuff I don't recall right now. Probably should also make sure you don't allow Microsoft's Secure Boot keys and instead only your own. I hope this will get easier in the future, but I know SystemD is actively developing useful tools for that (e.g. ukify).
That all doesn't mean the critique of TPMs (intransparent, proprietary) is invalid. Maybe we'll have OpenTitan based TPMs at some point?

[-] ff00ff@lemmy.world 1 points 11 months ago

can't it be done with a security key, like yubikey or similar?

I think Heads (osresearch.net) uses security keys as a kind of substitute TPM, however that only works if you replace your - supported - PCs firmware with it.
I don't know too much about how this works in particular, so I can't really compare it. safeboot.dev recommends Heads where possible, which I understand is partly due to safeboot relying on proprietary firmware implementations, while Heads uses libre software for the most part. Sadly the Heads firmware only supports older models/CPUs, which afaik don't receive (all) microcode updates, including one which weakens the IOMMU.

See safeboot.dev for a project which tries to fix this.

[-] 9tr6gyp3@lemmy.world 2 points 11 months ago

You can also check out the sbctl package.

[-] fl42v@lemmy.ml 1 points 11 months ago

Well, yeah, luks + sb with custom keys + auto-lock when a usb gets ejected or smth is preferable

[-] LainOfTheWired@lemy.lol 5 points 11 months ago

Man I didn't know evil made attacks were so easy to spot!

this post was submitted on 24 Jan 2024
160 points (90.8% liked)

linuxmemes

21282 readers
467 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.
  •  

    Please report posts and comments that break these rules!


    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't fork-bomb your computer.

    founded 2 years ago
    MODERATORS