chkboot
Referring to an article from the ct-magazine (Issue 3/12, page 146, 01.16.2012, [3]) the following script checks files under
/boot
for changes of SHA-1 hash, inode, and occupied blocks on the hard drive. It also checks the Master Boot Record. The script cannot prevent certain type of attacks, but a lot are made harder. No configuration of the script itself is stored in unencrypted /boot
. With a locked/powered-off encrypted system, this makes it harder for some attackers because it is not apparent that an automatic checksum comparison of the partition is done upon boot. However, an attacker who anticipates these precautions can manipulate the firmware to run his own code on top of your kernel and intercept file system access, e.g. to boot
, and present the untampered files. Generally, no security measures below the level of the firmware are able to guarantee trust and tamper evidence.
The script with installation instructions is available (Author: Juergen Schmidt, ju at heisec.de; License: GPLv2). There is also package chkbootAUR to install.
After installation add a service file (the package includes one based on the following) and enable it:
[Unit]
Description=Check that boot is what we want
Requires=basic.target
After=basic.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/chkboot.sh
[Install]
WantedBy=multi-user.target
There is a small caveat for systemd. At the time of writing, the original
chkboot.sh
script provided contains an empty space at the beginning of #!/bin/bash
which has to be removed for the service to start successfully.
As
/usr/local/bin/chkboot_user.sh
needs to be executed right after login, you need to add it to the autostart (e.g. under KDE -> System Settings -> Startup and Shutdown -> Autostart; GNOME 3: gnome-session-properties).
With Arch Linux, changes to
/boot
are pretty frequent, for example by new kernels rolling-in. Therefore it may be helpful to use the scripts with every full system update. One way to do so:#!/bin/bash
#
# Note: Insert your and execute it with sudo for pacman & chkboot to work automagically
#
echo "Pacman update [1] Quickcheck before updating" &
sudo -u /usr/local/bin/chkboot_user.sh # insert your logged on
/usr/local/bin/chkboot.sh
sync # sync disks with any results
sudo -u /usr/local/bin/chkboot_user.sh # insert your logged on
echo "Pacman update [2] Syncing repos for pacman"
pacman -Syu
/usr/local/bin/chkboot.sh
sync
sudo -u /usr/local/bin/chkboot_user.sh # insert your logged on
echo "Pacman update [3] All done, let us roll on ..."
mkinitcpio-chkcryptoboot
mkinitcpio-chkcryptobootAUR is a mkinitcpio hook that performs integrity checks during early-userspace and advises the user not to enter his root partition password if the system appears to have been compromised. Security is achieved through an encrypted boot partition, which is unlocked using GRUB's
cryptodisk.mod
module, and a root filesystem partition, which is encrypted with a password different from the former. This way, the initramfs and kernel are secured against offline tampering, and the root partition can remain secure even if the /boot
partition password is entered on a compromised machine (provided that the chkcryptoboot hook detects the compromise, and is not itself compromised at run-time).
This hook requires grub release >=2.00 to function, and a dedicated, LUKS encrypted
/boot
partition with its own password in order to be secure.Installation
Install mkinitcpio-chkcryptobootAUR and edit
/etc/default/chkcryptoboot.conf
. If you want the ability of detecting if your boot partition was bypassed, edit the CMDLINE_NAME
and CMDLINE_VALUE
variables, with values known only to you. You can follow the advice of using two hashes as is suggested right after the installation. Also, be sure to make the appropriate changes to the kernel command line in /etc/default/grub
. Edit the HOOKS=
line in /etc/mkinitcpio.conf
, and insert the chkcryptoboot
hook before encrypt
. When finished, rebuild the initramfs.
No comments:
Post a Comment