Diff for /wikisrc/security/cgdroot.mdwn between versions 1.5 and 1.6

version 1.5, 2016/06/22 08:54:30 version 1.6, 2016/06/22 09:02:18
Line 71  The biggest (known) issue with this setu Line 71  The biggest (known) issue with this setu
   
 This setup is not entirely safe against physical attacks. An attacker can modify the boot process to store the passphrase for later retrieval, or insert a backdoor while booting. To defend against such attacks, the bootloader, kernel and ramdisk all need to be signed and their integrity checked before booting (eg with [[!template id=man name="tpm" section="4"]]). Alternatively, it is possible to boot from a removable medium (eg USB stick), which can be protected against tampering attacks (eg secure storage, read-only volume...).  This setup is not entirely safe against physical attacks. An attacker can modify the boot process to store the passphrase for later retrieval, or insert a backdoor while booting. To defend against such attacks, the bootloader, kernel and ramdisk all need to be signed and their integrity checked before booting (eg with [[!template id=man name="tpm" section="4"]]). Alternatively, it is possible to boot from a removable medium (eg USB stick), which can be protected against tampering attacks (eg secure storage, read-only volume...).
   
   It is also possible to boot a Xen DOM0 system with root filesystem encryption. However, Xen-enabled NetBSD kernels currently do not support loading modules at boot-time. The memory disk has to be placed directly inside the kernel instead (with [[!template id=man name="mdconfig" section="8"]] or a new kernel configuration).
   
 References  References
 ----------  ----------
   
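Review bot: the man-page reference in the new Xen paragraph points at the wrong tool. The text says the memory disk "has to be placed directly inside the kernel instead (with mdconfig(8) or a new kernel configuration)", but mdconfig(8) configures an md(4) device on an already running system; it does not put an image into a kernel file. The utility that writes a filesystem image into a kernel is mdsetimage(8), and it only works on a kernel built with the memory-disk options (MEMORY_DISK_HOOKS, MEMORY_DISK_IS_ROOT and a MEMORY_DISK_ROOT_SIZE large enough for the image), so "or a new kernel configuration" is not an alternative but a prerequisite. Suggest changing the template to `[[!template id=man name="mdsetimage" section="8"]]` and rewording to "built into the kernel with mdsetimage(8), which requires a kernel configuration with the MEMORY_DISK_* options". Also, "currently do not support loading modules at boot-time" is undated; naming the NetBSD release this was verified against would keep the caveat from going stale silently.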
