Re: [Libreboot] Password protected Grub entries

[The Gluglug]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 20/05/15 19:04, Beni wrote:
> 
>> 
>> Exactly. That is why I recommended against using --unrestricted.
>> They can replace your HDD, but the chances of them being able to
>> replicate a correct GPG signature is very hard.
> 
> Ah, ok. But there are still two things I don't don't yet fully
> understand.
> 
> 1. What I don't understand yet is how you'd get a hard drive to
> accept the exact same passphrase I use to unlock my hard drive. If
> you don't achieve this I'll notice that you replaced the drive the
> second I put in my passphrase and it fails to decrypt the drive.
> 
> 2. What could you achieve by replacing the hard drive? My data is
> on the original hard drive. If you replace the drive, you get
> basically a new device containing no valuable information.
> 
> Regards,
> 
> Beni


I'm talking about protecting the system from being modified in any
way, outside of the OS. For instance, by booting another HDD you might
be able to re-flash, with firmware that logs keys and stores them for
later retrieval. You would not leave your HDD in, you'd put the old
one back.

Having a password in GRUB (payload) protects against this, making
external flashing necessary.

Of course, there are also ways to write-protect the flash so that you
always have to flash externally, but there are other things that
someone can do.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVYa3SAAoJEP9Ft0z50c+UxkMIALgcn68oqyJ6/38MUYZMaD0L
aJABRx776wBpfO9lE8AWcXsVX4HvFCopC75G7W0Td7CmmG90KPXjXb/kjbo8zqZb
X8Cly3okkNBp+tKUxKavRfqu0d6e9EfxD5ZNT9Upb6QuT/teHDJq/MwBttiwRXdT
5/9QrPOyx7x4kCq0AV1aSeF1sEPmJMv7K1+uhzfBtP6kkccTw1j8wYmQSeqWmsJR
Mg5zgpripes4qsJrLqZb9HO2kurF0yamWIp21A8Lah9mPkUa+5/W3ufbtgckFXVU
X5NIbl5pk4np8IoMKcX1tC8zR1LJ6II/Ah5nyKKxFfupV4gsIZlx24TngKn1MSk=
=sO2N
-----END PGP SIGNATURE-----