(almost) full disk encryption, cgdroot and firmware

To: current-users%netbsd.org@localhost
Subject: (almost) full disk encryption, cgdroot and firmware
From: Alexander Nasonov <alnsn%yandex.ru@localhost>
Date: Mon, 20 Jun 2016 20:15:00 +0100

This is my story on (almost) full disk encryption.

I followed Pierre Proncher's instruction from Mar 2013. To my
surprise, it worked on the first boot. However, networking didn't
work because the kernel couldn't load iwm firmware.

After a couple of attempts to fix firmware loading, I gave up on
cgdroot ramdisk and switched to a fake root on wd0a. It's similar
to cgdroot but with modules and firmware files. I hard-linked few
binaries including init from /rescue.

My setup has not one but two cgd devices: cgd0 for a real root and
cgd1 for other partitions. cgd0's key is stored on unencrypted
wd0a, cgd1's key is stored on the real root cgd0a. I have to enter
two passwords instead of one but this setup gives me some protection
from an unsophisticated keylogger. Since wd0a is read-only, I can
add wd0a integrity check before running the second cgdconfig -C
command and abort before entering the second password if the check
fails. A real rootkit can easily fool the integrity checker, though.

Alex

Follow-Ups:
- Re: (almost) full disk encryption, cgdroot and firmware
  - From: Pierre Pronchery
- Re: (almost) full disk encryption, cgdroot and firmware
  - From: Brad Spencer
- Re: (almost) full disk encryption, cgdroot and firmware
  - From: Tobias Nygren

Prev by Date: Re: another crash
Next by Date: Re: (almost) full disk encryption, cgdroot and firmware
Previous by Thread: another crash
Next by Thread: Re: (almost) full disk encryption, cgdroot and firmware
Indexes:

Home | Main Index | Thread Index | Old Index