by dcomp 1629 days ago
You have a disk encrypted laptop. That key is protected by a password.

Secure boot means that when you log in you can trust that the disk decryption screen is not a disk encryption key exfiltration screen waiting for you to enter your password so that a disk backup taken earlier can be decrypted.

How?

The disk encryption is based on a key in the TPM which is only decrypted with your password. That TPM gets wiped when you disable secure boot. The result is that when you enter your password, either you get a correct decryption key or your disk encryption key has already been wiped. This assumes it's not possible to run untrusted code before the disk encryption login screen with secure boot enabled.

Kernel lockdown is part and parcel of making sure that untrusted code that could exfiltrate the disk decryption key does not run.


That doesn't actually protect against that attack, though. The evil maid just steals the guts of your computer and replaces them with ones that always say "sorry, wrong password", while exfiltrating the password you tried over Wi-Fi or Bluetooth. Then they use your password to decrypt your unmodified hard drive with your unmodified TPM on your unmodified motherboard.

Also, I don't think this is true:

> That TPM gets wiped when you disable secure boot.

Won't the TPM not be able to decrypt anything while Secure Boot is disabled, since the PCRs will be different, but then it will work again if you later re-enable it? I don't think it actually wipes itself. And even if it did, couldn't you just unplug the TPM, disable Secure Boot, steal the password, re-enable it, and then plug the TPM back in? Then even if it did want to wipe itself, it wouldn't know to.
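
The original post's description of a disk key that the TPM only releases under the expected boot state, and the point just above that the PCRs change rather than the TPM wiping itself, can both be shown with a small model. This is an added example, not code from anyone in this thread: a toy Python TPM that imitates PCR extend and sealing a key to a PCR selection plus an auth value (the real equivalents are TPM2_PCR_Extend, TPM2_PolicyPCR and the object's authValue). The ToyTPM class, the measured event strings, the PCR selection and the password are all constructed for the illustration and do not correspond to any real firmware's event log.

```python
import hashlib
import hmac
import os

PCR_SIZE = 32  # SHA-256 PCR bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """Model of TPM2_PCR_Extend: PCR = H(PCR || H(measurement)).

    A PCR can only be extended, never written, so the final value depends on
    every measurement and on their order.
    """
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(events):
    """Replay a boot's event log, a list of (pcr_index, measured_data), into fresh PCRs."""
    pcrs = {i: bytes(PCR_SIZE) for i in range(8)}  # PCRs start at zero on reset
    for idx, data in events:
        pcrs[idx] = pcr_extend(pcrs[idx], data)
    return pcrs


def pcr_policy(pcrs, selection):
    """Digest over the selected PCRs, in the spirit of TPM2_PolicyPCR."""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(pcrs[idx])
    return h.digest()


class ToyTPM:
    """A device-bound root secret plus sealing bound to (PCR policy, auth value).

    Constructed stand-in for a real TPM: the XOR stream and HMAC are only here to
    make the policy/auth binding observable, not as a cryptographic design.
    """

    def __init__(self):
        self._root = os.urandom(32)  # never leaves the "chip"

    def _kdf(self, policy: bytes, auth: bytes) -> bytes:
        return hashlib.sha256(self._root + policy + hashlib.sha256(auth).digest()).digest()

    def seal(self, secret: bytes, pcrs, selection, auth: bytes):
        assert len(secret) <= PCR_SIZE
        key = self._kdf(pcr_policy(pcrs, selection), auth)
        stream = hashlib.sha256(key + b"stream").digest()
        ct = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return {"ct": ct, "tag": tag, "selection": tuple(selection)}

    def unseal(self, blob, pcrs, auth: bytes):
        key = self._kdf(pcr_policy(pcrs, blob["selection"]), auth)
        expected = hmac.new(key, blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            return None  # policy or auth mismatch: the secret is unavailable, not erased
        stream = hashlib.sha256(key + b"stream").digest()
        return bytes(a ^ b for a, b in zip(blob["ct"], stream))


# Constructed boot events; PCR numbers follow the usual convention (0 firmware,
# 1 platform config, 4 boot loader, 7 Secure Boot state) but the data is made up.
FIRMWARE = (0, b"firmware-v1")
SB_ON = (7, b"SecureBoot=1")
SB_OFF = (7, b"SecureBoot=0")
CERT = (7, b"db:distro-signing-cert")
LOADER = (4, b"shim+grub+kernel-signed")
INTRUSION = (1, b"chassis-opened")


def run_scenarios():
    """Seal a disk key on a trusted boot, then try to unseal it under several later boots."""
    tpm = ToyTPM()
    dek = os.urandom(32)
    password = b"correct horse"  # constructed auth value
    trusted = measure_boot([FIRMWARE, SB_ON, CERT, LOADER])
    blob = tpm.seal(dek, trusted, selection=(0, 1, 4, 7), auth=password)

    return {
        "trusted_boot": tpm.unseal(blob, trusted, password) == dek,
        "wrong_password": tpm.unseal(blob, trusted, b"wrong") is None,
        # Secure Boot off changes PCR7, so the policy fails; nothing is wiped.
        "secure_boot_off": tpm.unseal(blob, measure_boot([FIRMWARE, SB_OFF, CERT, LOADER]), password) is None,
        # Re-enabling it reproduces the original PCR values and the key is back.
        "secure_boot_re_enabled": tpm.unseal(blob, measure_boot([FIRMWARE, SB_ON, CERT, LOADER]), password) == dek,
        "tampered_loader": tpm.unseal(blob, measure_boot([FIRMWARE, SB_ON, CERT, (4, b"modified-initrd")]), password) is None,
        # A chassis-intrusion event measured into PCR1 also blocks release.
        "chassis_intrusion": tpm.unseal(blob, measure_boot([FIRMWARE, INTRUSION, SB_ON, CERT, LOADER]), password) is None,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'as expected' if ok else 'UNEXPECTED'}")
```

The model makes the defensive property concrete: the sealed key is released only when the replayed measurements match the policy, and a changed PCR makes it unavailable rather than destroyed. It also shows the limit the reply above points at: the policy says nothing about where the password was typed, so a boot environment that matches the measurements can still be given a password obtained elsewhere, which is why the thread moves on to mutual authentication.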

There's one flaw in your scenario: if your computer suddenly stopped respecting valid credentials, it'd be extremely obvious that the motherboard had been replaced or tampered with.

Generally speaking most evil-maid attacks assume that the attacker wants to remain covert, otherwise the victim will start revoking stolen credentials, calling the authorities, etc. If you don't care about remaining covert then you don't need to do an evil-maid attack; just buy a wrench.

The evil maid could use the credentials within seconds of you typing them in, so you wouldn't have time to revoke anything. With rubber-hose attacks, you might give the attacker a duress code rather than the real password, which wouldn't happen with this one. And let's face it: it's probably nation-states that would do this kind of attack, so calling the authorities wouldn't be helpful anyway.
In a high-security situation it would not be a password but a smartcard, which authenticates the device before providing its key, with the device also authenticating the smartcard.

Edit: For the purposes of networked evil maid attacks, mutual authentication (of device and user) is currently the subject of research. It has not needed to be implemented yet, as the regular evil maid is still possible due to the fact that Secure Boot is currently the easier target to circumvent. Once Secure Boot becomes harder to circumvent and old "assumed" buggy kernels are revoked from running, networked evil maid countermeasures will need to be implemented as standard.

And you can still proxy that smart card over WiFi/LTE and boot the stolen internals at least once :)
Does anything actually support this, or is it purely hypothetical? And even if that did exist, wouldn't that mean that password stealing wouldn't be an issue even without Secure Boot?
There are machines that keep track of chassis intrusion and measure it into a PCR, making the hardware replacement part of the attack less feasible; I’ll grant that your “evil maid” could also pass off a completely separate device as being yours, though.

FYI: The tone of your original question suggests that you might have prepared responses to any answers you might receive about secure boot and kernel lockdown. If that’s the case, maybe a comment tree isn’t the correct forum for having a discussion about it because of the inherent information inequity.