Decoupling Boot Partitions from Operating Systems

Discussions on more advanced topics such as monolithic vs micro-kernels, transactional memory models, and paging vs segmentation should go here. Use this forum to expand and improve the wiki!
Post Reply
human00731582
Member
Member
Posts: 38
Joined: Wed Jul 19, 2017 9:46 pm

Decoupling Boot Partitions from Operating Systems

Post by human00731582 »

Hello, fellow enthusiasts!

I have been working on a UEFI application in which a user can select a file/payload to boot.
The trick is that each of these payloads is encrypted with a password that the user must provide at boot time.

The purpose of this work is to FULLY encrypt a system and provide tamper resistance, from start to finish.

When the boot payload is loaded into RAM and the ramdisk is decrypted, control passes to its inner boot EXE (namely, EFI/BOOT/BOOTX64.EFI for x86_64, but this is customizable).

I've tested this on my Linux laptop: I bundled the boot partitions into an image file (partitioned with gdisk), swapped some label references around in GRUB, hooked up fstab, encrypted the image, stored the file on the root directory of my USB, and destroyed the boot partitions on my hard drive (after a backup, of course).

Now my laptop can boot from the dynamically decrypted-and-loaded image! Hooray, I reclaimed ~1GiB. :D
Of course the next step is to test with my LUKS partitions.

To update the kernel, GRUB parameters, initial ramdisk, etc. I just need to install everything to the ephemeral system (i.e., ramdisk) and repackage the data into an updated boot payload.

I wanted to start a discussion about this concept of having a decoupled/offloaded boot partition that is encrypted...
  • Is this already a thing somewhere else? It must exist already, so who has done this? Examples will be helpful to hone the system.
  • Would such a mechanism, if it uses hash-based/HMAC verification of the loader from inside the loaded operating system, provide resistance to Evil Maid attacks?
  • I've built this to be a universal mechanism: there are several ways for a host to 'know' how to find the ramdisk. And I would of course love having any volunteers who want to test with their OSs!
So...... What are the drawbacks of doing this and what is its feasibility?
Obviously this is a tedious process built for people who really value their privacy and boot integrity, and it's not for the average Linux user.

A few I can think of:
  • The boot password is required every single time.
  • A lost flash drive or boot medium means you're pretty screwed. Unless you rebuild the image and verify the proper HMAC your OS expects to see is present.
  • A slight delay in startup time (but pretty negligible).
  • Annoying updates for rolling distros.

Thanks, all!
-human
2024-05-07: Returning from a 7-year disappearing act; please be kind.
Octocontrabass
Member
Member
Posts: 5568
Joined: Mon Mar 25, 2013 7:01 pm

Re: Decoupling Boot Partitions from Operating Systems

Post by Octocontrabass »

human00731582 wrote: Wed Aug 07, 2024 1:49 pmThe purpose of this work is to FULLY encrypt a system and provide tamper resistance, from start to finish.
You don't need to encrypt the boot partition to provide tamper resistance, Secure Boot and Measured Boot do a good enough job already.
Post Reply