Thursday, August 31, 2017

oh please...who want to read Black Hat Mossad...? PART II ANGELFIRE NSA

chkboot

Warning: chkboot makes a /boot partition tamper-evident, not tamper-proof. By the time the chkboot script is run, you have already typed your password into a potentially compromised boot loader, kernel, or initrd. If your system fails the chkboot integrity test, no assumptions can be made about the security of your data.
Referring to an article in c't magazine (issue 3/12, page 146, 16 January 2012, [3]), the following script checks the files under /boot for changes in SHA-1 hash, inode number, and the blocks they occupy on the disk. It also checks the Master Boot Record. The script cannot prevent certain types of attack, but it makes many of them harder. No configuration of the script itself is stored on the unencrypted /boot partition, so with a locked or powered-off encrypted system it is not apparent to an attacker that an automatic checksum comparison of the partition is done at boot. However, an attacker who anticipates these precautions can manipulate the firmware to run his own code on top of your kernel, intercept file system access (e.g. to /boot) and present the untampered files. In general, no security measure below the level of the firmware can guarantee trust or tamper evidence.
The script, with installation instructions, is available from its author (Juergen Schmidt, ju at heisec.de; license: GPLv2). It is also packaged in the AUR as chkboot.
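To make the mechanism concrete, here is an added example (written for this page, not the chkboot script itself) that records a baseline of SHA-1 hash, inode number and allocated block count for every file under a boot directory plus the SHA-1 of the first sector of a disk device, and later compares the current state against that baseline. It assumes GNU coreutils (sha1sum, stat -c); the boot directory, device and baseline file are arguments so it can be tried on a scratch directory, and the baseline must be kept on the encrypted root, never under /boot.

```shell
#!/bin/sh
# Added example, not the chkboot script from the page. Assumes GNU coreutils.
# Records and verifies: <sha1> <inode> <512-byte blocks> <path> per file, plus the MBR hash.

# One line per file, sorted by path, so the output is stable between runs.
boot_fingerprint() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha1sum "$f" | cut -d' ' -f1)" "$(stat -c '%i %b' "$f")" "$f"
    done
}

# SHA-1 of the first 512 bytes (the MBR) of a device; any regular file works for testing.
mbr_fingerprint() {
    dd if="$1" bs=512 count=1 2>/dev/null | sha1sum | cut -d' ' -f1
}

# save_baseline <bootdir> <device> <baseline-file>
# Write the baseline to a file outside the boot partition (e.g. on the encrypted root).
save_baseline() {
    { boot_fingerprint "$1"; printf 'MBR %s\n' "$(mbr_fingerprint "$2")"; } > "$3"
}

# check_baseline <bootdir> <device> <baseline-file>
# Returns 0 when every file and the MBR match the baseline, 1 on any change; a modified
# file is caught even if it was rewritten in place with the same size, inode and blocks.
check_baseline() {
    current=$(boot_fingerprint "$1"; printf 'MBR %s\n' "$(mbr_fingerprint "$2")")
    if [ "$current" = "$(cat "$3")" ]; then
        echo "chkboot: $1 and MBR match the baseline"
        return 0
    fi
    echo "chkboot: WARNING: $1 or the MBR changed since the baseline was recorded:"
    printf '%s\n' "$current" | diff "$3" - || true
    return 1
}
```

In real use the device argument would be the disk holding the boot loader (for example /dev/sda) and the check would run from the systemd service shown in this section.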
After installation, add a service file (the package includes one based on the following) and enable it:
[Unit]
Description=Check that boot is what we want
Requires=basic.target
After=basic.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/chkboot.sh

[Install]
WantedBy=multi-user.target
There is a small caveat for systemd. At the time of writing, the original chkboot.sh script provided contains an empty space at the beginning of #!/bin/bash which has to be removed for the service to start successfully.
Since /usr/local/bin/chkboot_user.sh needs to be executed right after login, add it to your desktop's autostart (e.g. under KDE: System Settings -> Startup and Shutdown -> Autostart; GNOME 3: gnome-session-properties).
With Arch Linux, changes to /boot are quite frequent, for example whenever a new kernel rolls in. It may therefore be helpful to run the scripts with every full system update. One way to do so:
#!/bin/bash
#
# Note: replace <user> with your login name and run this script with sudo
# so that pacman and chkboot work automagically.
#
echo "Pacman update [1] Quickcheck before updating"
sudo -u <user> /usr/local/bin/chkboot_user.sh  # report the result of the last check to <user>
/usr/local/bin/chkboot.sh                      # check /boot and the MBR as root
sync                                           # flush the results to disk
sudo -u <user> /usr/local/bin/chkboot_user.sh  # confirm /boot is clean before updating
echo "Pacman update [2] Syncing repos for pacman"
pacman -Syu
/usr/local/bin/chkboot.sh                      # re-check /boot after the update
sync
sudo -u <user> /usr/local/bin/chkboot_user.sh  # show what changed (e.g. a new kernel)
echo "Pacman update [3] All done, let us roll on ..."

mkinitcpio-chkcryptoboot

Warning: This hook does not encrypt GRUB's core (MBR) code or EFI stub, nor does it protect against situations where an attacker is able to modify the behaviour of the bootloader to compromise the kernel and/or initramfs at run-time.
mkinitcpio-chkcryptoboot (available in the AUR) is a mkinitcpio hook that performs integrity checks during early userspace and advises the user not to enter his root partition password if the system appears to have been compromised. Security is achieved through an encrypted boot partition, which is unlocked using GRUB's cryptodisk.mod module, and a root filesystem partition, which is encrypted with a password different from the former. This way, the initramfs and kernel are secured against offline tampering, and the root partition can remain secure even if the /boot partition password is entered on a compromised machine (provided that the chkcryptoboot hook detects the compromise, and is not itself compromised at run-time).
This hook requires GRUB release >= 2.00 to function and, in order to be secure, a dedicated LUKS-encrypted /boot partition with its own password.

Installation

Install mkinitcpio-chkcryptoboot from the AUR and edit /etc/default/chkcryptoboot.conf. If you want to be able to detect that your boot partition was bypassed, set the CMDLINE_NAME and CMDLINE_VALUE variables to values known only to you; you can follow the advice of using two hashes that is suggested right after the installation. Also be sure to make the corresponding changes to the kernel command line in /etc/default/grub. Then edit the HOOKS= line in /etc/mkinitcpio.conf and insert the chkcryptoboot hook before encrypt. When finished, rebuild the initramfs.
