Hacker News new | ask | show | jobs
by jaclaz 2235 days ago
Hmmm.

This implies that you have set your boot order to CD-ROM first, so anyone can - say - boot their own system on your machine from CD and either access your data or make a dd-copy of your disk and look at it later.

You need also to password protect your BIOS so that first device in boot order is hard disk and settings cannot be changed (without BIOS password).

Depending on the BIOS this change in booting order could be possible at boot time (providing the password) or a reboot would be needed.
2 comments
Avamander 2235 days ago
> You need also to password protect your BIOS so that first device in boot order is hard disk and settings cannot be changed (without BIOS password).

You also have to make sure your BIOS can't be reset by removing the battery, doesn't have some administrative bypass or even a reset jumper. I've even seen a BIOS that reset to default boot settings when you remove all disks - and then gleefully boots from any attached USB disk.

link
jaclaz 2235 days ago
Yes, and additionally we will also need a machanically safe case, as - even if the boot order is set to hard disk, it is not modifiable (without password) and the BIOS resists removing power and battery, noone would prevent you to detach the hard disk and either replace it with your own or more simply steal the hard disk and have a look at its data without hurries.

Security is tough.

link
xondono 2234 days ago
I’m guessing this setup makes sense with encrypted disk, that way, since decryption keys are on the CD, you can’t access the files without it.
link
tenebrisalietum 2234 days ago
Well the way it works in Linux is a user-space program in the initrd (which is the initial rootfs) will ask for password to unlock LUKS-encrypted rootfs, and then the initrd will mount the real rootfs at that point.

Since I have a physical trusted copy of that initrd with the kernel and bootloader that is safe.

DD-ing the whole drive is something I assumed Secure Boot doesn't protect as someone could remove the drive and do the same. Even if the drive, eMMC or flash is soldered to the board there's some way to get to it (desolder, JTAG pins, etc.)

link