Hi, I recently installed debian etch with the full-drive encryption option the installer offers. Now everything but the boot partition is encrypted. I was concerned about the fact that there is one simple way to circumvent the whole encryption system if someone has physical access to the pc: to simply replace the kernel or initrd at the boot partition to include some trojan horses, or something else...

I do not know of anything in a standard debian installation which monitors this, so I've written some little scripts for this purpose :-) It's more or less an idea / proof of concept for now, there are no checks in it. For example if /boot has to be mounted before updating etc... Nor is it immune against manipulation of itself, e.g. the modified initrd can simply update the bootmd5 database on its own ;-) ... It simply checks the md5sum of all files in /boot and whether there are new or vanished files. It has to be run after every kernel update, needless to say.

Now, I know I'm not a security expert. So please tell me if I'm completely wrong :-). For any answer to this list, please CC me, I'm not a list member (for now).

Sincerely Michael Heide
Attachment:
checkboot.tar.gz
Description: Binary data
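The check the post describes, written here as an added example; it is not the poster's attached checkboot.tar.gz, which is not reproduced on this page. It records the md5sum of every regular file under a directory into a database file, and later reports files whose hash CHANGED, files that are NEW, and files that are MISSING compared to that record. The function names (bootcheck_*), the script name and the default database path /var/lib/bootcheck/boot.md5 are this example's own assumptions; sha256sum is a drop-in substitute for md5sum if you prefer a stronger hash.

```shell
#!/bin/sh
# bootcheck.sh (assumed name): added example of a /boot integrity check,
# not the poster's script. Usage: bootcheck.sh snapshot|check [DIR] [DB]
# Assumed defaults: DIR=/boot, DB=/var/lib/bootcheck/boot.md5 (on the
# encrypted root, so the DB is not reachable from an unlocked /boot alone).

# Hash every regular file under $1, printing "hash  ./path" lines
# with paths relative to $1 (md5sum's own output format).
bootcheck_hash_tree() {
    dir=$1
    ( cd "$dir" && find . -type f | sort | while IFS= read -r f; do
        md5sum "$f"
    done )
}

# Record the current state of tree $1 into database file $2.
# Run this after every kernel or initramfs update.
bootcheck_snapshot() {
    bootcheck_hash_tree "$1" > "$2"
}

# Compare tree $1 against database $2. Prints one line per difference
# (CHANGED / MISSING / NEW <path>); returns 0 if clean, 1 otherwise.
bootcheck_check() {
    dir=$1; db=$2
    now=$(mktemp)
    bootcheck_hash_tree "$dir" > "$now"
    status=0
    # Every file recorded in the database: still there, and unchanged?
    while read -r hash path; do
        cur=$(awk -v p="$path" '$2 == p {print $1}' "$now")
        if [ -z "$cur" ]; then
            echo "MISSING $path"; status=1
        elif [ "$cur" != "$hash" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$db"
    # Every file present now: was it in the database at all?
    while read -r hash path; do
        if ! awk -v p="$path" '$2 == p {found=1} END {exit !found}' "$db"; then
            echo "NEW $path"; status=1
        fi
    done < "$now"
    rm -f "$now"
    return $status
}

# Command-line entry point; does nothing when sourced without arguments.
if [ $# -gt 0 ]; then
    cmd=$1; dir=${2:-/boot}; db=${3:-/var/lib/bootcheck/boot.md5}
    case "$cmd" in
        snapshot) bootcheck_snapshot "$dir" "$db" ;;
        check)    bootcheck_check "$dir" "$db" ;;
        *) echo "usage: $0 snapshot|check [DIR] [DB]" >&2; exit 2 ;;
    esac
fi
```

Keeping both the database and this script on the encrypted root, and running the check from there early in the boot of the real system, addresses the case the poster already points out: a replaced initrd running from the unencrypted /boot could otherwise rewrite the database itself. It still cannot detect the tampering before that initrd has run, which is the limit of any check that lives on the machine being checked.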