
Re: [Libreboot] Libreplanet keynote questions


From: Daniel Tarrero
Subject: Re: [Libreboot] Libreplanet keynote questions
Date: Fri, 18 Mar 2016 09:42:47 +0100
User-agent: Mutt/1.5.23 (2014-03-12)

On Thu, Mar 17, 2016 at 10:24:18PM -0600, Isaac David wrote:
> 
> 
> On Thu, 17 Mar 2016 at 16:08, Will Hill <address@hidden> wrote:
> >On Tuesday 15 March 2016, Denis 'GNUtoo' Carikli wrote:
> >> For instance I'm personally very interested in the activists' threat model,
> >> that includes resisting targeted physical attacks.
> >>
> >> Currently, the most used setup (to my knowledge) to resist such attacks
> >> consists in:
> >> - An FSF certified computer with libreboot.
> >> - GRUB in the BIOS flash, that can open encrypted rootfs.
> >> ...
> >
> >What's the advantage of GRUB in BIOS rather than root FS?
> 
> GRUB is never installed to the root filesystem AFAIK, only the config
> usually is; but storing GRUB in flash allows you to encrypt the whole hard
> disk. Overwriting the flash chip can be a bit harder than overwriting a few
> sectors in your hard disk; some BIOS chips can be set to read-only, etc. If
> an attacker gets his hands on GRUB he can learn your encryption password or
> trick you into loading a compromised kernel.
> 

hi!

Maybe I can clarify the boot process a little!

******

PRE UEFI

The BIOS is in charge of enumerating and mapping hardware, in a very early boot step.

Then it points execution to the device (given its BIOS config, maybe the hard drive).

On this drive should be the boot record (aka GRUB! or others like LILO, or the Windows MBR).

Up to here, there "can't" be encryption because we have no decryption capabilities.
Here GRUB will chainload "INITRD", which is a modularized capability loader (like RAID support, text to speech, or... yeah, encryption).

From there you point to the (same or another) drive with the O.S. and boot as known.

********

The problem with this is that GRUB/INITRD must be in an unencrypted place, and they are in the very early boot stage.
So tamper with the GRUB, tamper with the system :,(

Some people store their GRUB on a separate disk, sometimes read-only (SD cards).

As somebody said, GRUB has its files and configs in /boot, /etc/grub and /etc/default/grub.
But also, when you perform a "grub-update" it's saved in a binary format in the already known MBR of some drive.

As we saw, when the BIOS points to the drive, this GRUB/MBR is the first thing executed.
From there it mounts /boot and chainloads INITRD.

******

UEFI

UEFI comes to "solve this".
UEFI comes with a specially crafted /boot partition, where all O.S.es should place their boot managers.
This partition can be write-protected from the BIOS config, and its contents (GRUB, LILO, etc.) can also be signed and verified on boot given an internal Certification Authority.

All this in theory; lots of bugs and stuff to do.

*******



So.... 

Can GRUB be in the root filesystem?
The program yes; the boot record in pre-UEFI systems no, the boot record in UEFI systems neither.

The GRUB program itself can be anywhere.
The boot record it generates to boot the machine, in pre-UEFI systems, will be stored at the beginning of some drive.
In UEFI systems, this record will be inside the EFI partition alongside other O.S. boot records.


And...

Grub in BIOS?

I think it's an approach to be sure which boot record you are using.
Simpler should be the "MBR/grub-update" to an external SD card, read-only by hardware (also removable ;)


good morning!
D
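
Added example, not part of the original message: the point above that a tampered boot record means a tampered system can be checked on a BIOS/MBR disk by hashing the boot-code bytes of sector 0 against a known-good baseline. The Python below was written for this page; its function names and the sample sector are constructed, and it looks only at the first 512-byte sector.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 440       # bytes 0..439 hold the boot code (the "boot record" program)
PART_TABLE = 446          # bytes 446..509 hold four 16-byte partition entries
SIGNATURE = b"\x55\xaa"   # bytes 510..511 mark a valid boot sector


def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE + 16 * i:PART_TABLE + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0 means the slot is unused
            partitions.append({"bootable": entry[0] == 0x80, "type": entry[4],
                               "lba_start": lba_start, "sectors": sectors})
    digest = hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": partitions}


def boot_code_changed(baseline: bytes, current: bytes) -> bool:
    """True when the executable part of sector 0 differs from the baseline."""
    return (parse_mbr(baseline)["boot_code_sha256"]
            != parse_mbr(current)["boot_code_sha256"])


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code plus one bootable Linux partition."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<B3sB3sII", sector, PART_TABLE,
                     0x80, b"\0\0\0", 0x83, b"\0\0\0", 2048, 204800)
    sector[510:512] = SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    known_good = make_sample_mbr(b"constructed boot code, not real GRUB")
    tampered = bytearray(known_good)
    tampered[16] ^= 0xFF  # simulate a single modified boot-code byte
    print(parse_mbr(known_good))
    print("changed:", boot_code_changed(known_good, bytes(tampered)))
```

On a real machine both sectors would be read from the disk while booted from trusted media; GRUB's core.img in the sectors after the MBR and the files in /boot are equally unencrypted and need the same comparison.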


