From: Eric McCorkle <eric@metricspace.net>
To: Allan Jude
Cc: freebsd-hackers@freebsd.org
Date: Sun, 20 Mar 2016 15:25:23 -0400
Subject: Re: boot1-compatible GELI and GPT code?
In-Reply-To: <56EEEF5B.4010605@freebsd.org>
References: <8F22A0E2-45A3-463B-8CAC-16BEC8DA8883@metricspace.net> <56EEEF5B.4010605@freebsd.org>

On Mar 20, 2016, at 14:43, Allan Jude wrote:

> I presented a paper on my work in this area (booting from a GELI
> encrypted partition; it does not GELI encrypt the GPT table) at
> AsiaBSDCon last weekend, and committed it this week.
>
> Here is the paper: http://allanjude.com/bsd/AsiaBSDCon2016_geliboot.pdf
>
> The commit was: r296963 https://svnweb.freebsd.org/changeset/base/296963

Thanks, I'll check it out.

> I am interested in applying this work to UEFI as well.

I've got a branch going on my github. I've pushed some initial code that adds "provider modules" to boot, which basically consume a device and produce more devices. I haven't actually written any provider modules yet though.

https://github.com/emc2/freebsd/tree/geli_efi

> Is there much advantage to encrypting the GPT table as well? Currently my
> setup leaves the partition table, and the code up to boot2, unencrypted.
> Only encrypting the actual OS partition (/boot/{zfs,}loader,
> /boot/kernel, etc). Swap is encrypted separately with a unique
> throw-away key per reboot.

Generally speaking, the less knowledge an attacker has, the better. If they know the filesystem types (obtainable from the GPT), then they know the locations of the superblocks and likely can guess at least some of the contents. They also may be able to glean information from which sectors changed if they can observe the disk multiple times over time. By contrast, if all they have is a big encrypted block, it's harder to infer anything about what's inside.
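An added example, not part of this thread and not FreeBSD's or either poster's code, to make the "knowledge obtainable from the GPT" point concrete. The Python below builds a GPT header and partition entry array for a constructed 20 GiB FreeBSD-style disk (sample data, not a real disk), validates both CRC32s the way a loader would, and then lists what an observer with no key learns from the cleartext table: partition types, byte ranges, and the absolute offsets of the metadata those types imply. The type GUIDs are the published UEFI and FreeBSD values; the UFS superblock offsets (SBLOCK_UFS1 = 8 KiB, SBLOCK_UFS2 = 64 KiB) and ZFS vdev label geometry (four 256 KiB labels, two at each end) are taken from the respective on-disk formats. The disk GUID, partition labels and LBA ranges are invented for the sample.

```python
"""What an unencrypted GPT tells an observer: parse the header and entry
array, check CRCs, and list partition types plus the on-disk structures
their positions imply.  Sample disk data is constructed below."""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
N_ENTRIES = 128

# Partition type GUIDs published by the UEFI spec and FreeBSD's gpart(8).
KNOWN_TYPES = {
    uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B"): "efi",
    uuid.UUID("83BD6B9D-7F41-11DC-BE0B-001560B84F0F"): "freebsd-boot",
    uuid.UUID("516E7CB6-6ECF-11D6-8FF8-00022D09712B"): "freebsd-ufs",
    uuid.UUID("516E7CBA-6ECF-11D6-8FF8-00022D09712B"): "freebsd-zfs",
    uuid.UUID("516E7CB5-6ECF-11D6-8FF8-00022D09712B"): "freebsd-swap",
}

# GPT header, little-endian: signature, revision, header size, header CRC32,
# reserved, my LBA, alternate LBA, first usable LBA, last usable LBA,
# disk GUID, entry array LBA, entry count, entry size, entry array CRC32.
HEADER_FMT = "<8sIIII4Q16sQIII"
# Entry: type GUID, unique GUID, first LBA, last LBA, attributes, UTF-16LE name.
ENTRY_FMT = "<16s16sQQQ72s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 92
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 128

UFS1_SBLOCK = 8 * 1024      # SBLOCK_UFS1 in <ufs/ffs/fs.h>
UFS2_SBLOCK = 64 * 1024     # SBLOCK_UFS2
ZFS_LABEL = 256 * 1024      # vdev label size; L0,L1 lead, L2,L3 trail


def build_sample_gpt(total_sectors, layout, disk_guid):
    """Primary header sector + entry array for a constructed disk.
    layout: list of (type name, first LBA, last LBA, label)."""
    by_name = {v: k for k, v in KNOWN_TYPES.items()}
    entries = b"".join(
        struct.pack(ENTRY_FMT, by_name[t].bytes_le,
                    uuid.uuid5(disk_guid, label).bytes_le, first, last, 0,
                    label.encode("utf-16-le").ljust(72, b"\0"))
        for t, first, last, label in layout)
    array = entries.ljust(N_ENTRIES * ENTRY_SIZE, b"\0")
    fields = [GPT_SIGNATURE, 0x00010000, HEADER_SIZE, 0, 0,
              1, total_sectors - 1, 34, total_sectors - 34,
              disk_guid.bytes_le, 2, N_ENTRIES, ENTRY_SIZE, zlib.crc32(array)]
    fields[3] = zlib.crc32(struct.pack(HEADER_FMT, *fields))  # CRC with field zeroed
    return struct.pack(HEADER_FMT, *fields).ljust(SECTOR, b"\0"), array


def parse_gpt(header_sector, array):
    """Verify header and array CRCs; return used entries with byte offsets."""
    f = struct.unpack_from(HEADER_FMT, header_sector)
    if f[0] != GPT_SIGNATURE:
        raise ValueError("not a GPT header")
    hdr_size, hdr_crc = f[2], f[3]
    zeroed = bytearray(header_sector[:hdr_size])
    zeroed[16:20] = b"\0" * 4                 # CRC is computed over a zeroed CRC field
    if zlib.crc32(bytes(zeroed)) != hdr_crc:
        raise ValueError("header CRC mismatch")
    n_entries, entry_size, array_crc = f[11], f[12], f[13]
    if zlib.crc32(array[:n_entries * entry_size]) != array_crc:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(n_entries):
        t, _u, first, last, _attrs, name = struct.unpack_from(ENTRY_FMT, array, i * entry_size)
        if t == b"\0" * 16:
            continue                          # unused slot
        type_guid = uuid.UUID(bytes_le=t)     # GPT stores GUIDs mixed-endian
        parts.append({"index": i + 1,
                      "type": KNOWN_TYPES.get(type_guid, str(type_guid)),
                      "label": name.decode("utf-16-le").rstrip("\0"),
                      "first_lba": first, "last_lba": last,
                      "offset": first * SECTOR,
                      "size": (last - first + 1) * SECTOR})
    return parts


def inferred_structures(part):
    """Absolute byte offsets an observer would read first, knowing only the
    partition type and range (no key needed)."""
    base, end = part["offset"], part["offset"] + part["size"]
    if part["type"] == "freebsd-ufs":
        return {"ufs1_superblock": base + UFS1_SBLOCK, "ufs2_superblock": base + UFS2_SBLOCK}
    if part["type"] == "freebsd-zfs":
        # Assumes the partition size is a multiple of 256 KiB, as ZFS aligns it.
        return {"zfs_label_L0": base, "zfs_label_L1": base + ZFS_LABEL,
                "zfs_label_L2": end - 2 * ZFS_LABEL, "zfs_label_L3": end - ZFS_LABEL}
    if part["type"] == "efi":
        return {"fat_boot_sector": base}
    return {}


def sample_disk():
    """Constructed 20 GiB disk: EFI, freebsd-boot, swap, UFS root."""
    total = 20 * 1024 * 1024 * 1024 // SECTOR          # 41943040 sectors
    disk_guid = uuid.UUID("0f0e0d0c-0b0a-4908-8706-050403020100")  # invented
    layout = [("efi", 40, 409639, "efiboot0"),
              ("freebsd-boot", 409640, 410663, "gptboot0"),
              ("freebsd-swap", 410664, 4604967, "swap0"),
              ("freebsd-ufs", 4604968, total - 34, "rootfs")]
    return build_sample_gpt(total, layout, disk_guid)


if __name__ == "__main__":
    for p in parse_gpt(*sample_disk()):
        print(p["index"], p["type"], p["label"], hex(p["offset"]), inferred_structures(p))
```

Even with every partition's contents under GELI, the table alone hands over the type of each partition, its exact byte range and therefore where to look for superblocks or vdev labels, and which sectors belong to root versus swap when diffing snapshots of the disk; a fully encrypted device gives none of that. The CRC checks are also the reason a tampered cleartext header is detected rather than trusted: flipping a byte in the disk GUID makes parse_gpt raise.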