Re: full drive encryption - check /boot for manipulation

To: Michael Heide <michael.heide@student.uni-siegen.de>
Cc: debian-security@lists.debian.org
Subject: Re: full drive encryption - check /boot for manipulation
From: Florian Weimer <fw@deneb.enyo.de>
Date: Thu, 18 Oct 2007 23:09:21 +0200
Message-id: <[🔎] 87fy08870e.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 20071018215145.160d45e9.michael.heide@student.uni-siegen.de> (Michael Heide's message of "Thu, 18 Oct 2007 21:51:45 +0200")
References: <[🔎] 20071018215145.160d45e9.michael.heide@student.uni-siegen.de>

* Michael Heide:

> It simply checks the md5sum of all files in /boot and if there are new
> or vanished files.  It has to be run after every kernel update,
> needless to say.

This doesn't help much against manipulation of /boot.  You need some
kind of trusted boot environment, as provided by one of the original
TPM/TCPA proposals.

Reply to:

References:
- full drive encryption - check /boot for manipulation
  - From: Michael Heide <michael.heide@student.uni-siegen.de>

Prev by Date: full drive encryption - check /boot for manipulation
Next by Date: Re: full drive encryption - check /boot for manipulation
Previous by thread: full drive encryption - check /boot for manipulation
Next by thread: Re: full drive encryption - check /boot for manipulation
Index(es):
- Date
- Thread