/g/ - Technology

install openbsd

[Make a Post]
[X]





Read only bootloader, encryption Nanonymous No.7128 [D][U][F][S][L][A][C] >>7136 >>7218
File: 7347041c55dbbf16d80d6764b873cfa3d426fa1566ac370a596a38aee152f2fc.png (dl) (1.33 KiB)
what is the point of Full Disk Encryption if your bootloader is not encrypted and can be modified to send or save your password in plaintext?
how to achieve read-only bootloader?
also, your bios or uefi can just read the keys you type when entering a password

Nanonymous No.7129 [D][U][F] >>7133
File: 948a440cecd05f469fc34eb422ecb309dee6640e6c4b4ac3db1d719a646e2255.jpg (dl) (162.01 KiB)
the point is not to protect you against your own hardware. that is impossible. the point is to protect your data in the event that your disk is stolen from your computer, or if your whole computer is stolen. this is the most common situation in e.g. criminal theft, or fbi raids of your house.

Nanonymous No.7133 [D] >>7139
>>7129
>the point is not to protect you against your own hardware. that is impossible.
it has to be possible

>the point is to protect your data in the event that your disk is stolen from your computer, or if your whole computer is stolen.
what if they first modify your bootloader with UEFI, malware, HDD firmware, to make it store password in unencrypted way?

>this is the most common situation in e.g. criminal theft, or fbi raids of your house.
what if fbi enters your home quietly when you are at workplace, modify your bootloader, wait for it to read password and store in plaintext, then raid your house

Nanonymous No.7134 [D] >>7142 >>7157 >>7218
https://github.com/osresearch/heads
>your bios or uefi can just read the keys
That's not how the bios or uefi works.

Nanonymous No.7136 [D] >>7139 >>7142
>>7128
>your bios or uefi can just read the keys you type when entering a password

Use Libreboot or Coreboot.

Nanonymous No.7139 [D][U][F] >>7140 >>7142 >>7218
File: dce9788c7168be1fc6da30c61d42045e268e9fa5cee6ab09d2b72ef5572b83bb.jpg (dl) (54.56 KiB)
>>7133
physical insecurities cannot be overcome by software.
>>7136
>muh trannyboot that doesn't even support wifi
ok freetard

Nanonymous No.7140 [D] >>7141 >>7218
>>7139

>I don't like the dev so the software is shit


This chan is literally freetard ideals incarnate.

There's plenty of wifi cards that work with libreboot and coreboot, according to the amount of systems that are supported.

And if you are worried your bios might look into your shit, not replacing the bios would be retardation of the highest degree.


Nanonymous No.7141 [D][U][F]
File: 44507fdc9e087f52ca6534280bf51998ffae93e1a8a61fd0d2754ab32d8a7493.jpg (dl) (167.48 KiB)
>>7140
>reddit spacing

Nanonymous No.7142 [D] >>7163 >>7166
>>7134
>That's not how the bios or uefi works.
that's exactly how bios and uefi works. uefi is fully backdoored and runs keyloggers 24/7, has network access, it records when you type password and sends it to Israel

>>7136
>Use Libreboot or Coreboot.
how do you use it if it doesn't support any hardware and motherboards?
also, what if someone replaces your libreboot/coreboot to modified version, that contains backdoors and keyloggers?

>>7139
>physical insecurities cannot be overcome by software.
then lets overcome them in another way

>muh trannyboot that doesn't even support wifi
how can it not support wifi? wifi is a pci/usb device like any device. or do you mean that it doesn't replace wifi firmware with free one?

>There's plenty of wifi cards that work with libreboot and coreboot, according to the amount of systems that are supported.
if they support PCI and USB, shouldn't they support all devices?

>And if you are worried your bios might look into your shit, not replacing the bios would be retardation of the highest degree.
you can't replace bios with coreboot and libreboot, they don't support any hardware

Nanonymous No.7143 [D] >>7157 >>7173
Put your bootloader on a flash memory and shove it in your ass

Nanonymous No.7147 [D][U][F] >>7173
File: f89cdaadcacc2ad82b52ee50c20380ebda26fa19411f72d215105cae3f86d9a5.png (dl) (257.05 KiB)
If you're concerned about THAT, you are better off just stopping to use that consumer hardware, particularly PCs in your case.
Encrypting bootloader would require to store the key/passphrase and crypto libs somewhere before bootloader, i.e. in BIOS/UEFI. Well, USB stick could do as well, but that would have to be unencrypted then.
RO bootloader would require a different bootloader design, aimed at much less flexible systems. Though this flexibility could be handled somewhere else, obviously.
Contemporary bootloaders handle as much as filesystems to load the kernel or ntldr or bootmgr whatever, but now UEFI is a standard to do UEFI-based boot, for example, since it uses fat32 FS uniformly.

Nanonymous No.7150 [D] >>7173
>what is the point of Full Disk Encryption if your bootloader is not encrypted and can be modified to send or save your password in plaintext?
what is the point of encrypting the bootloader if someone can just dd a new visually identical one
>how to achieve read-only bootloader?
Write it into read-only media, CD-R is the cheapest option
>also, your bios or uefi can just read the keys you type when entering a password
>not using front panel switches to boot

Nanonymous No.7157 [D] >>7173 >>7179
>>7143
The only sane reply in this whole thread.

OP: this is called secure boot or trusted boot. The anon >>7134 already mentioned Heads project, which eliminates the need for many boot mechanisms (together with linuxboot). For secure boot, read this:
https://sable.critical.com/

Nanonymous No.7163 [D] >>7173
>>7142
>then lets overcome them in another way
That was his point. Physical insecurities need to be overcome with physical security.

Nanonymous No.7166 [D] >>7173
>>7142
>how do you use it if it doesn't support any hardware and motherboards?
Get hardware that does.
https://libreboot.org/docs/hardware/#list-of-supported-hardware
https://coreboot.org/status/board-status.html

>if they support PCI and USB, shouldn't they support all devices?
On certain Thinkpads and maybe others you have to replace the wifi card with an ATMOS or something.
1,1 and 2,1 Macbooks do not have this issue.
Not sure about the others.
USB is separate I think.

>you can't replace bios with coreboot and libreboot, they don't support any hardware
See above.

Nanonymous No.7173 [D] >>7179 >>7180 >>7186 >>7189
>>7143
>Put your bootloader on a flash memory and shove it in your ass
I would feel safer if that memory was read only. how to make it?

also, what if bios and uefi read keys entered and send them to Tel-Aviv?

>>7147
>If you're concerned about THAT, you are better off just stopping to use that consumer hardware, particularly PCs in your case.
yes, goyim, if you need security then don't use anything, we win with you!

>Encrypting bootloader would require to store the key/passphrase and crypto libs somewhere before bootloader, i.e. in BIOS/UEFI. Well, USB stick could do as well, but that would have to be unencrypted then.
bios/uefi cannot be trusted, they are backdoored from factory and someone can modify them even further

>>7150
>Write it into read-only media, CD-R is the cheapest option
any other options? I would prefer something you can carry with you

>not using front panel switches to boot
?

>>7157
this uses TPM, I don't trust it

>>7163
>That was his point. Physical insecurities need to be overcome with physical security.
then lets do this. post instructions

>>7166
>https://libreboot.org/docs/hardware/#list-of-supported-hardware
only intel laptops with Management Engine and other botnets. no desktops.
if you say it removes ME, there is no proof it removes it fully and enough, also there might be more backdoors than ME in these (((modern))) platforms

>https://coreboot.org/status/board-status.html
mostly shit with ME or PSP. and coreboot requires them to run
almost only (((modern))) hardware supported
PC with prioprietary BIOS but no ME/PSP is safer than PC with coreboot but ME/PSP. ME is a separate processor that has unlimited access to PC. coreboot in PC with ME is just snakeoil

also they don't seem to test Hibernation. does it work? PC without hibernation is useless

Nanonymous No.7177 [D]
SecureBoot is designed to protect DRM. not so much to actually protect the user. It is to verify that the machine was not modified from the factory to the point where DRM software is used, a supply chain verification.

For actual user protection, you'd need firmware checksums on boot that compared against a user entered one to a known good (audited) firmware.

TPM has unique seeds so there is no reason why the manufacturer couldn't keep those in some database to be referenced by certain glowing people to unencrypt everything.

Nanonymous No.7179 [D] >>7192
>>7157
On first glance, sable looks pretty neat. Thanks for the link.

I've coded something based on AntiEvilMaid a few years ago, and I'm pretty happy with it. However, one thing I've noticed is, that the PCRs are not remotely as stable as one would wish for. For example, if you fail to boot once, some PCRs will change due do some changes in the firmware, and the decryption of the secret will fail. If you do not measure those PCRs to achieve stability, at some point you'll not achieve more security, than you would by using the BIOS thingie with the MS-signature. SecureBoot, or what it's called. Which, BTW, is not too bad, because you can exchange the M$ key with your own, and sign your own kernel/bootloader/stuff.

>>7173
Sir, you appear to be as paranoid as you're inapt. You have a shitty situation regarding the trustworthiness of your machine, and you regard all the tools which might improve said shittyness, because they're not good enough for you. What do you expect to achieve on your own, without those imperfect tools? Nothing, I'd assume, but bitching around. Please stop using a computer.

Nanonymous No.7180 [D] >>7232
>>7173
>no desktops.
False, try using Ctrl-F, literally on the top of the Libreboot page where it is linked it says "Desktops.

>muh intel
>me-cleaner isn't good enough
Then get a Talos II or something.

Nanonymous No.7186 [D] >>7190 >>7232
>>7173
>any other options? I would prefer something you can carry with you
I see no problem on carrying a CD-R, are you trying to fit it on your pocket? I'm sure that your boot partition doesn't exceed the size of a CD, therefore you could chop off the external area of it that doesn't look like being written, should be more efficient with a DVD-R

Nanonymous No.7189 [D][U][F]
File: 563057e2b4bce36b43b281a6fc4d0482d6a2c747ca4630fb310134aa328496ee.png (dl) (27.02 KiB)
>>7173
>Write it into read-only media, CD-R is the cheapest option
"any other options? I would prefer something you can carry with you"

Look for a USB with a hardware lock. Something like this:
http://isostick.com/

Nanonymous No.7190 [D] >>7191
>>7186
There are also those mini-CDs or the weird ones that are about the size of a business card.

Nanonymous No.7191 [D] >>7195
>>7190
And CF cards can be write protected

Nanonymous No.7192 [D]
>>7179
>coded something based on AntiEvilMaid
Based. I know I've found the real /tech/ board now.

Nanonymous No.7194 [D]
You could use a mini-disc, GameCube style.

Nanonymous No.7195 [D] >>7202
>>7191
Those write protection features are usually enforced by the card reader, not by the card itself.

Nanonymous No.7197 [D] >>7232
<CD, mini CD, SD card, atc.
Use a USB stick for the boot partition. Much faster and sturdyier.

Nanonymous No.7202 [D]
>>7195
I thought CF write protection was closer to the hardware than USB's. Not the case?

Nanonymous No.7218 [D] >>7222 >>7232
>>7128
you don't know what you're talking about retard. the BIOS isn't the only thing that is capable of doing this. and why the fuck are you letting people modify your BIOS
>>7134
yes it is you dickfuck. it has full access to everything
>>7139
>calling people freetard because their BIOS doesnt "support WIFI"
what the actual fuck am i reading?
if you're saying it lacks some initialization shit, we can just reverse engineer and copy that part from the proprietary BIOS
and none of this has anything to do with "freetard" since we're talking about security here, unless you define "freetard" to include anyone who cares about basic security
>>7140
>This chan is literally freetard ideals incarnate.
No, "freetard" is a completly different than thing "wahhh the dev is gay".

Nanonymous No.7222 [D]
>>7218
>No, "freetard" is a completly different than thing "wahhh the dev is gay".

I think you misunderstood what I meant there.
Freetard = good.

Nanonymous No.7232 [D] >>7233
>>7180
>False, try using Ctrl-F, literally on the top of the Libreboot page where it is linked it says "Desktops.
Gigabyte GA-G41M-ES2L. modern intel botnet with ME
Intel D510MO. modern intel botnet. doesn't support graphical output
ASUS KCMA-D8. full size ATX elephant. doesn't support graphical output.
Intel D945GCLF. modern but without ME. libreboot page says it cannot use Full Disk Encryption, so it's useless
Apple iMac 5,2. "Information to be written soon"
ASUS KFSN4-DRE. expensive server board. E-ATX. doesn't boot from USB devices.
ASUS KGPE-D16. expensive server board. E-ATX. doesn't support graphical output
so not a single one is usable

>Then get a Talos II or something.
fuck 30-core overpriced Talos II. instead just buy old shit without Management Engine

>>7186
>I see no problem on carrying a CD-R, are you trying to fit it on your pocket?
yes. or into my underwear

>>7197
>Use a USB stick for the boot partition. Much faster and sturdyier.
but won't BIOS or operating system overwrite it and modify my bootloader? USB stick will not be read only

>>7218
>the BIOS isn't the only thing that is capable of doing this.
what else is?

Nanonymous No.7233 [D] >>7276
>>7232
PCI option ROM for example. and people say hard drive firmware
nigger you could literally solder on some shit somewhere or replace one of the 5000 devices in the PC.
or replace RAM with a computer that outputs a malicious program somewhere that wll be executed
basic phyics motherfucker do you know it

Nanonymous No.7234 [D] >>7243 >>7275
I'm using luks for Linux encryption. What's the best full disk encryption for Windows?
Also I'm using veracrypt for non-bootable encryption, is there a better option?

Nanonymous No.7237 [D] >>7243 >>7276
>instead just buy old shit without Management Engine

So you deride the Libreboot stuff for being not modern enough, but your solution is to buy not modern hardware.

Okay.

Nanonymous No.7243 [D] >>7244 >>7276
>>7234
>What's the best full disk encryption for Windows?
Not using windows at all. Windows can write malware on your linux boot partition if it wants to.

>>7237
> So you deride the Libreboot stuff for being not modern enough, but your solution is to buy not modern hardware.
Stupid people are being stupid. If was smart, he'd code his own stuff, and would be able to find workarounds for many of the challenges he's proposing. But he isn't, so he complains just like a bitch.

Nanonymous No.7244 [D][U][F] >>7246
File: 88c2839ee1db2925c0a54a42deef24e8417f3bf50cc33f2ef26d7d8334c149f8.png (dl) (413.91 KiB)
>>7243
>LE EBIN SMERT pepulz spend 10000 hours designing hardware and coding drivers just so that he can access some random shitposting website with 0.0000001% more anonymity
cringe and bluepilled

Nanonymous No.7246 [D][U][F] >>7248 >>7290
File: 3759895e8d9940fb2ee80c9da2804dc231f7c4bcd9459f09208bb959b1c666ef.jpg (dl) (894.03 KiB)
>>7244
>LE EBIN BIG BOY USE BIG BOY OS spend $4000 to run anything at all with decent perf spend 1000 hours at PoS job spen 1000 hours rebooting for forced updates and recovering lost work

Nanonymous No.7248 [D][U][F]
File: 70a16dc3700c89930c1dcfb48a15fd532bd7b3064febb9cc232fce81d2153b06.jpg (dl) (147.22 KiB)
>>7246
Ok, so
>Le autist
spends 10,000 hours designing hardware and coding drivers
probably spent a few thousands $$$ for hardware and circuitry
total time spent: 10,000 hours + some money
>Le normie
spends 1,000 hours at job to earn $4,000 (earning $4/hour)
spends 1,000 hours rebooting
total time spent: 2,000 hours
Seems like we have a winner. Freetards BTFO

Nanonymous No.7275 [D]
>>7234
>I'm using luks for Linux encryption. What's the best full disk encryption for Windows?
you can use:
TrueCrypt
DiskCryptor
VeraCrypt
read about them and choose. VeraCrypt for FDE is bad because it takes too long time to hash the password

Nanonymous No.7276 [D] >>7288
>>7233
>PCI option ROM for example. and people say hard drive firmware
>nigger you could literally solder on some shit somewhere or replace one of the 5000 devices in the PC.
>or replace RAM with a computer that outputs a malicious program somewhere that wll be executed
out of those, BIOS seems to be easiest and doesn't replace any physical item

>>7237
>So you deride the Libreboot stuff for being not modern enough, but your solution is to buy not modern hardware.
nobody said anything about Libreboot being not modern enough. I want trannyboot to support non-botnet hardware (so no Management Engine or PSP) and support basic things like USB, PCI, graphical output, SATA, mouse, keyboard, FDE

>>7243
>If was smart, he'd code his own stuff, and would be able to find workarounds for many of the challenges he's proposing.
code what? BIOS? I don't have time for that I have more important stuff to do.
someone already works on coreboot and libreboot, but that work is useless for now

Nanonymous No.7288 [D] >>7307
>>7276
Old hardware isn't gonna support booting from USB, or SATA.

Nanonymous No.7290 [D]
>>7246
>using a macbook
If that guy was a real Razer fan, WHERE THE FUCK IS HIS RAZER BLADE, AND RAZER CHRISTINE!?!?!?!??!?!?! lmao

Nanonymous No.7307 [D]
>>7288
>Old hardware isn't gonna support booting from USB, or SATA.
"old" can mean a lot of things
SATA support was even on some/most DDR1 motherboards
and if there is only PATA you can use adapter