by tenebrisalietum 2232 days ago
So what about this:

- Copy GRUB, bootlines for your system, your kernel and initrd to a WORM media like a bootable CD-ROM.

- Boot using CD-ROM.

- When boot completes, remove the CD-ROM.

Now you can't attack my boot kernel or boot process because I've just physically separated it from the system and taken it with me. Even if it was there, the media is read only so you can't modify it.

If I need to upgrade, I need to burn a new CD. CDs are cheap.

Using actual CDs would be impractical for many users, but a parallel could be implemented on a system with micro-SD card readers supporting removable media and a physical read/write or connection switch. Which, if we're talking about physical switches for camera and mic, why not boot files?


Hmmm.

This implies that you have set your boot order to CD-ROM first, so anyone can - say - boot their own system on your machine from CD and either access your data or make a dd-copy of your disk and look at it later.

You also need to password-protect your BIOS so that the first device in the boot order is the hard disk and settings cannot be changed (without the BIOS password).

Depending on the BIOS this change in booting order could be possible at boot time (providing the password) or a reboot would be needed.

> You also need to password-protect your BIOS so that the first device in the boot order is the hard disk and settings cannot be changed (without the BIOS password).

You also have to make sure your BIOS can't be reset by removing the battery, doesn't have some administrative bypass or even a reset jumper. I've even seen a BIOS that resets to default boot settings when you remove all disks - and then gleefully boots from any attached USB disk.

Yes, and additionally we will also need a mechanically safe case, as - even if the boot order is set to hard disk, it is not modifiable (without password) and the BIOS resists removing power and battery - no one would prevent you from detaching the hard disk and either replacing it with your own or, more simply, stealing the hard disk and having a look at its data without hurry.

Security is tough.

I’m guessing this setup makes sense with encrypted disk, that way, since decryption keys are on the CD, you can’t access the files without it.
Well, the way it works in Linux is a user-space program in the initrd (which is the initial rootfs) will ask for a password to unlock the LUKS-encrypted rootfs, and then the initrd will mount the real rootfs at that point.

Since I have a physical trusted copy of that initrd with the kernel and bootloader, that is safe.

DD-ing the whole drive is something I assumed Secure Boot doesn't protect as someone could remove the drive and do the same. Even if the drive, eMMC or flash is soldered to the board there's some way to get to it (desolder, JTAG pins, etc.)

My understanding is the MicroSD “hardware” switch triggers a software-based switch that is not enforced by the hardware; that is, it is not designed for security.

Even a “read only” CD-ROM, if not verified on boot for tampering, might contain an attack, including one that just disables the disk from booting, among other things.
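One way to do the verification the comment above asks for, as an added example that is not part of this thread: record SHA-256 digests of the bootloader config, kernel and initrd once from the trusted medium, then check the medium against that manifest before trusting it. The file names and the tiny boot tree are constructed for the demo; the manifest itself must be kept somewhere an attacker cannot rewrite (the same WORM medium, or written down), otherwise it proves nothing.

```python
import hashlib
import os
import tempfile

# Constructed layout of the boot medium: GRUB config, kernel, initrd (names assumed).
BOOT_FILES = ("boot/grub/grub.cfg", "boot/vmlinuz", "boot/initrd.img")


def sha256_of(path):
    """Stream the file through SHA-256 so large initrds do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Run once against the trusted medium; returns {relative_path: digest}."""
    return {rel: sha256_of(os.path.join(root, rel)) for rel in BOOT_FILES}


def verify_manifest(root, manifest):
    """Return [(file, problem), ...] for every file that is missing or altered; [] means clean."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append((rel, "missing"))
        elif sha256_of(path) != expected:
            problems.append((rel, "modified"))
    return problems


def demo():
    """Constructed sample: build a fake boot tree, verify it, then tamper with the initrd."""
    root = tempfile.mkdtemp()
    for rel in BOOT_FILES:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"constructed content for " + rel.encode())
    manifest = build_manifest(root)
    clean = verify_manifest(root, manifest)
    # Simulate tampering: append a single byte to the initrd.
    with open(os.path.join(root, "boot/initrd.img"), "ab") as f:
        f.write(b"\x00")
    tampered = verify_manifest(root, manifest)
    return clean, tampered
```

Digest comparison only detects changes; it cannot tell you who made them, so the trust in the result is exactly the trust in where the manifest was stored.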

This actually sounds like good actionable advice for a semi-technical person like a journalist.

Still leaves you vulnerable to bios compromise (e.g. get some malware running in SMM before your kernel), but that can be addressed by soldering the bios WP pin low and dropping some epoxy over the laptop case screws.

Edit: There are some SPI chips that have a write protect fuse that you can blow, leaving your bios in a known-good state. [1] pdf page 7.

[1] https://cloud.3mdeb.com/index.php/s/PBfAzZZQYcj3xbs