GitXplorerGitXplorer
M

boot-rs

public
45 stars
1 forks
0 issues

Commits

List of commits on branch main.
Verified
7d408aa56e92b708a69a967ae4f9466ca3afbdad

Don't mount home on boot let fstab take care of it,

MMarcusGrass committed 5 months ago
Verified
f484337920afd5f3c6543cc6015b90c5b86d47cf

Update boot script

MMarcusGrass committed 7 months ago
Verified
816974b89a6a282a69502de910a407018682745d

Add boot script

MMarcusGrass committed 7 months ago
Verified
10170d734d7e46bfb02387b7ddfc6c730f4a34e6

Update deps

MMarcusGrass committed 7 months ago
Verified
949f831d0351938e72a7b1b65301fc337e36270a

Make initramfs binary and generation smoother

MMarcusGrass committed a year ago
Verified
4e1bfb2618b72500761eed5f1e51eaadeeb71a0b

Merge pull request #3 from MarcusGrass/bump-deps

MMarcusGrass committed a year ago

README

The README file for this repository.

Boot-rs

A collection of tools to create an ergonomic and secure encrypted boot-process.

Considerations

How do you make sure that when your kernel boots that it hasn't been compromised?

An answer to that question could be to have it encrypted, if the bootloader can encrypt and then launch into it, then it hasn't been compromised. As long as the kernel that boots is actually your kernel, and not a replacement.

That brings the question to whether the bootloader can be trusted, it can't.
You can use secure-boot to make sure that it's indeed your bootloaded that runs.
Another solution is to embed your disk-decryption keys in the initramfs of your encrypted kernel.
This way you know it's indeed your kernel that is running, since it knows how to decrypt your disks.
Something that's problematic about that is that a malicious bootloader could for example record your decryption key, use it to decrypt your kernel, get your disk decryption keys from the initramfs, launch a malicious kernel, and decrypt your disks with the stolen keys. So secure boot is likely the best way to go.

Functionality

This project's overall functionality.

Boot-pre-os

This project contains a bootloader which can decrypt the kernel after generating configuration using the cli boot-strap which is compiled into the bootloader.
The bootloader can then be signed, again using boot-strap, if that certificate is added, and secure boot enabled. The very early boot process should be safe.

Os-boot

The bootloader decrypts the kernel and launches the image.
The initramfs, which can be generated by boot-strap, then takes over and decrypts your disks using the keys saved in the initramfs.
The initramfs is loaded into ram by the kernel, and removed after the early-os-boot process, when control is handed over to /sbin/init. After load and before removal, the keys reside in RAM and are vulnerable to low-level attacks.

Setup

There are a few steps required to set up boot-rs.

Generate initramfs

The initramfs can be generated by boot-strap initramfs -i initramfs.cfg -d initramfs.
This will generate an initramfs directory with the appropriate files to unlock a cryptodisk.

Test by running cryptsetup luksOpen --key-file initramfs/crypt.key --test-passphrase <cryptodisk>.

To get initramfs-rs as the init executable, compile it by ./build_init -r then copy it to the initramfs directory as init. Ex: cp target/release/initramfs-rs /root/initramfs/init.

Build kernel

Build the kernel as usual, but with modules built-in, and with the above generated initramfs built in.

Encrypt kernel

The kernel can then be encrypted using ex: boot-strap boot -i /usr/src/linux/arch/x86/boot/bzImage -k /boot/EFI/gentoo/gentoo-6.1.19.enc -c boot.cfg -d "HD(1,GPT,f0054eea-adf8-4956-958f-12e353cac4c8,0x800,0x100000)" -p /EFI/gentoo/gentoo-6.1.19.enc.
This will move the encrypted kernel into /boot/EFI/gentoo/gentoo-6.1.19.enc.

Build bootloader

Encrypting the kernel generates a configuration file.
Build boot-rs with that file included:

./build-boot --profile lto

Sign the bootloader

Sign the bootloader using any preferred method, and/or copy it directly onto the boot disk ex: cp target/x86_64-unknown-uefi/lto/boot-rs.efi /boot/EFI/boot-rs.efi.

Add a boot entry if one does not already exist

efibootmgr -c -L "Boot-rs" -l "\EFI\boot-rs.efi" -d /dev/sda1