EFI GELI support ready for testers

Eric McCorkle eric at metricspace.net
Sat May 28 13:37:32 UTC 2016


Full-disk encryption is a powerful security feature, and one which is available in one form or another in every major competing OS.  It is a requirement for data protection in many organizations, and something that many individuals desire to help protect their data.

In EFI, there is an EFI System Partition (ESP) which is expected to be formatted with msdosfs.  This contains the boot1 program.  This must be unencrypted in order for EFI to be able to read it (unless you do something fancy with coreboot or whatever).  That is the only thing that needs to live on the ESP, and the only thing that needs to be stored as plaintext.  The rest of the system past that point can reside on encrypted partitions.  Without support for GELI in the boot1/loader code, you have to keep part of the system unencrypted.

Making it so that only boot1 has to be stored as plaintext dramatically reduces the attack surface.  It can also be combined with EFI secure boot to create a powerful tamper-resistance scheme, wherein a per-machine private key is stored on the encrypted disk and used to sign boot1.  This prevents an attacker from modifying boot1, as they would need the signing key to do that, but they can't get it without decrypting the disk.

I'll also mention that my changes actually delete quite a bit of code and remove the boot1-specific filesystem backends, so that boot1 and loader now use the same filesystem and backend code.

> On May 28, 2016, at 04:36, Konstantin Belousov <kostikbel at gmail.com> wrote:
> 
>> On Fri, May 27, 2016 at 07:39:57PM -0400, Eric McCorkle wrote:
>> I am pleased to announce that my work to add support for GELI in the EFI boot loader (as well as perform more general refactoring) is now ready for testing.  I am able to successfully detect multiple GELI partitions in boot1 and pass the keys into the kernel.
> 
> Can somebody explain in which way this is useful ?
> Same question for the GELI code for non-EFI loader.
> 
> BIOS cannot read raw data from the encrypted partition, so you need
> either old boot or the loader and some additional data on EFI boot
> partition anyway.
> 
> Features adds significant amount of code, which must be maintained in
> parallel with the kernel code.
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"

