|
version 1.9, 2017/02/10 10:54:56
|
version 1.12, 2017/02/10 11:02:28
|
|
Line 5 It is possible to run NetBSD with [compl
|
Line 5 It is possible to run NetBSD with [compl
|
| |
|
| The mechanism described here still requires one unencrypted partition to boot from (typically `wd0a`). Full disk encryption would make it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modified to send the passphrase away, allowing an attacker with a disk dump to recover the data. |
The mechanism described here still requires one unencrypted partition to boot from (typically `wd0a`). Full disk encryption would make it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modified to send the passphrase away, allowing an attacker with a disk dump to recover the data. |
| |
|
| |
The NetBSD Guide contains [an entire section about CGD][2]. |
| |
|
| The boot process |
The boot process |
| ---------------- |
---------------- |
| |
|
|
Line 27 really ran from a chroot in `/altroot`.
|
Line 29 really ran from a chroot in `/altroot`.
|
| Obtaining the kernel module |
Obtaining the kernel module |
| --------------------------- |
--------------------------- |
| |
|
| The `cgdroot.kmod` kernel module is part of the regular NetBSD releases since NetBSD 7.0. It can be found in the `<arch>/installation/miniroot` folder from the release. For instance, for the amd64 architecture on the German mirror for the 7.0.1 release, download it at (ftp://ftp.de.netbsd.org/pub/NetBSD/NetBSD-7.0.1/amd64/installation/miniroot/cgdroot.kmod). |
The `cgdroot.kmod` kernel module is part of the regular NetBSD releases since NetBSD 7.0. It can be found in the `<arch>/installation/miniroot` folder from the release. For instance, for the amd64 architecture on the German mirror for the 7.0.1 release, download it at [ftp.de.netbsd.org/pub/NetBSD/NetBSD-7.0.1/amd64/installation/miniroot/cgdroot.kmod](ftp://ftp.de.netbsd.org/pub/NetBSD/NetBSD-7.0.1/amd64/installation/miniroot/cgdroot.kmod). |
| |
|
| Configuring the kernel module |
Configuring the kernel module |
| ----------------------------- |
----------------------------- |
|
Line 68 Caveats
|
Line 70 Caveats
|
| |
|
| The biggest (known) issue with this setup occurs when firmware needs to be loaded early in the boot process (such as graphics drivers for the console). At the moment they need to be provided as part of the memory disk. Some network interfaces, of which some wireless devices in particular, also require loading firmware to work properly. |
The biggest (known) issue with this setup occurs when firmware needs to be loaded early in the boot process (such as graphics drivers for the console). At the moment they need to be provided as part of the memory disk. Some network interfaces, of which some wireless devices in particular, also require loading firmware to work properly. |
| |
|
| This setup is not entirely safe against physical attacks. An attacker can modify the boot process to store the passphrase for later retrieval, or insert a backdoor while booting. To defend against such attacks, the bootloader, kernel and ramdisk all need to be signed and their integrity checked before booting (eg with [[!template id=man name="tpm" section="4"]]). Alternatively, it is possible to boot from a removable medium (eg USB stick), which can be protected against tampering attacks (eg secure storage, read-only volume...). |
This setup is not entirely safe against physical attacks. An attacker can modify the boot process to store the passphrase for later retrieval, or insert a backdoor while booting. To defend against such attacks, the bootloader, kernel and ramdisk all need to be signed and their integrity checked before booting (e.g. with [[!template id=man name="tpm" section="4"]]). Alternatively, it is possible to boot from a removable medium (e.g. USB stick), which can be protected against tampering attacks (e.g. secure storage, read-only volume...). |
| |
|
| It is also possible to boot a Xen DOM0 system with root filesystem encryption. However, Xen-enabled NetBSD kernels currently do not support loading modules at boot-time. The memory disk has to be placed directly inside the kernel instead (with [[!template id=man name="mdconfig" section="8"]] or a new kernel configuration). |
It is also possible to boot a Xen DOM0 system with root filesystem encryption. However, Xen-enabled NetBSD kernels currently do not support loading modules at boot-time. The memory disk has to be placed directly inside the kernel instead (with [[!template id=man name="mdconfig" section="8"]] or a new kernel configuration). |
| |
|
|
Line 76 References
|
Line 78 References
|
| ---------- |
---------- |
| |
|
| * [Full Disk Encryption with cgd (well, almost)][1] |
* [Full Disk Encryption with cgd (well, almost)][1] |
| |
* [The cryptographic device driver (CGD)][2] |
| |
|
| [1]: https://mail-index.netbsd.org/current-users/2013/03/21/msg022311.html "Full Disk Encryption with cgd (well, almost)" |
[1]: https://mail-index.netbsd.org/current-users/2013/03/21/msg022311.html "Full Disk Encryption with cgd (well, almost)" |
| |
[2]: http://www.netbsd.org/docs/guide/en/chap-cgd.html "The cryptographic device driver (CGD)" |
![[BACK]](/icons/back.gif){kind=icon}
Return to cgdroot.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / security