Current-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
(almost) full disk encryption, cgdroot and firmware
This is my story on (almost) full disk encryption.
I followed Pierre Proncher's instruction from Mar 2013. To my
surprise, it worked on the first boot. However, networking didn't
work because the kernel couldn't load iwm firmware.
After a couple of attempts to fix firmware loading, I gave up on
cgdroot ramdisk and switched to a fake root on wd0a. It's similar
to cgdroot but with modules and firmware files. I hard-linked few
binaries including init from /rescue.
My setup has not one but two cgd devices: cgd0 for a real root and
cgd1 for other partitions. cgd0's key is stored on unencrypted
wd0a, cgd1's key is stored on the real root cgd0a. I have to enter
two passwords instead of one but this setup gives me some protection
from an unsophisticated keylogger. Since wd0a is read-only, I can
add wd0a integrity check before running the second cgdconfig -C
command and abort before entering the second password if the check
fails. A real rootkit can easily fool the integrity checker, though.
Alex
Home |
Main Index |
Thread Index |
Old Index