what is the point of Full Disk Encryption if your bootloader is not encrypted and can be modified to send or save your password in plaintext?
how to achieve read-only bootloader?
also, your bios or uefi can just read the keys you type when entering a password
the point is not to protect you against your own hardware. that is impossible. the point is to protect your data in the event that your disk is stolen from your computer, or if your whole computer is stolen. this is the most common situation in e.g. criminal theft, or fbi raids of your house.
>>7129 >the point is not to protect you against your own hardware. that is impossible.
it has to be possible
>the point is to protect your data in the event that your disk is stolen from your computer, or if your whole computer is stolen.
what if they first modify your bootloader with UEFI, malware, HDD firmware, to make it store password in unencrypted way?
>this is the most common situation in e.g. criminal theft, or fbi raids of your house.
what if fbi enters your home quietly when you are at workplace, modify your bootloader, wait for it to read password and store in plaintext, then raid your house
>>7134 >That's not how the bios or uefi works.
that's exactly how bios and uefi works. uefi is fully backdoored and runs keyloggers 24/7, has network access, it records when you type password and sends it to Israel
>>7136 >Use Libreboot or Coreboot.
how do you use it if it doesn't support any hardware and motherboards?
also, what if someone replaces your libreboot/coreboot to modified version, that contains backdoors and keyloggers?
>>7139 >physical insecurities cannot be overcome by software.
then lets overcome them in another way
>muh trannyboot that doesn't even support wifi
how can it not support wifi? wifi is a pci/usb device like any device. or do you mean that it doesn't replace wifi firmware with free one?
>There's plenty of wifi cards that work with libreboot and coreboot, according to the amount of systems that are supported.
if they support PCI and USB, shouldn't they support all devices?
>And if you are worried your bios might look into your shit, not replacing the bios would be retardation of the highest degree.
you can't replace bios with coreboot and libreboot, they don't support any hardware
If you're concerned about THAT, you are better off just stopping to use that consumer hardware, particularly PCs in your case.
Encrypting bootloader would require to store the key/passphrase and crypto libs somewhere before bootloader, i.e. in BIOS/UEFI. Well, USB stick could do as well, but that would have to be unencrypted then.
RO bootloader would require a different bootloader design, aimed at much less flexible systems. Though this flexibility could be handled somewhere else, obviously.
Contemporary bootloaders handle as much as filesystems to load the kernel or ntldr or bootmgr whatever, but now UEFI is a standard to do UEFI-based boot, for example, since it uses fat32 FS uniformly.
>what is the point of Full Disk Encryption if your bootloader is not encrypted and can be modified to send or save your password in plaintext?
what is the point of encrypting the bootloader if someone can just dd a new visually identical one
>how to achieve read-only bootloader?
Write it into read-only media, CD-R is the cheapest option
>also, your bios or uefi can just read the keys you type when entering a password
>not using front panel switches to boot
OP: this is called secure boot or trusted boot. The anon >>7134 already mentioned Heads project, which eliminates the need for many boot mechanisms (together with linuxboot). For secure boot, read this:
https://sable.critical.com/
>if they support PCI and USB, shouldn't they support all devices?
On certain Thinkpads and maybe others you have to replace the wifi card with an ATMOS or something.
1,1 and 2,1 Macbooks do not have this issue.
Not sure about the others.
USB is separate I think.
>you can't replace bios with coreboot and libreboot, they don't support any hardware
See above.
>>7143 >Put your bootloader on a flash memory and shove it in your ass
I would feel safer if that memory was read only. how to make it?
also, what if bios and uefi read keys entered and send them to Tel-Aviv?
>>7147 >If you're concerned about THAT, you are better off just stopping to use that consumer hardware, particularly PCs in your case.
yes, goyim, if you need security then don't use anything, we win with you!
>Encrypting bootloader would require to store the key/passphrase and crypto libs somewhere before bootloader, i.e. in BIOS/UEFI. Well, USB stick could do as well, but that would have to be unencrypted then.
bios/uefi cannot be trusted, they are backdoored from factory and someone can modify them even further
>>7150 >Write it into read-only media, CD-R is the cheapest option
any other options? I would prefer something you can carry with you
>>7163 >That was his point. Physical insecurities need to be overcome with physical security.
then lets do this. post instructions
>>7166 >https://libreboot.org/docs/hardware/#list-of-supported-hardware only intel laptops with Management Engine and other botnets. no desktops.
if you say it removes ME, there is no proof it removes it fully and enough, also there might be more backdoors than ME in these (((modern))) platforms
>https://coreboot.org/status/board-status.html mostly shit with ME or PSP. and coreboot requires them to run
almost only (((modern))) hardware supported
PC with prioprietary BIOS but no ME/PSP is safer than PC with coreboot but ME/PSP. ME is a separate processor that has unlimited access to PC. coreboot in PC with ME is just snakeoil
also they don't seem to test Hibernation. does it work? PC without hibernation is useless
SecureBoot is designed to protect DRM. not so much to actually protect the user. It is to verify that the machine was not modified from the factory to the point where DRM software is used, a supply chain verification.
For actual user protection, you'd need firmware checksums on boot that compared against a user entered one to a known good (audited) firmware.
TPM has unique seeds so there is no reason why the manufacturer couldn't keep those in some database to be referenced by certain glowing people to unencrypt everything.
>>7157 On first glance, sable looks pretty neat. Thanks for the link.
I've coded something based on AntiEvilMaid a few years ago, and I'm pretty happy with it. However, one thing I've noticed is, that the PCRs are not remotely as stable as one would wish for. For example, if you fail to boot once, some PCRs will change due do some changes in the firmware, and the decryption of the secret will fail. If you do not measure those PCRs to achieve stability, at some point you'll not achieve more security, than you would by using the BIOS thingie with the MS-signature. SecureBoot, or what it's called. Which, BTW, is not too bad, because you can exchange the M$ key with your own, and sign your own kernel/bootloader/stuff.
>>7173 Sir, you appear to be as paranoid as you're inapt. You have a shitty situation regarding the trustworthiness of your machine, and you regard all the tools which might improve said shittyness, because they're not good enough for you. What do you expect to achieve on your own, without those imperfect tools? Nothing, I'd assume, but bitching around. Please stop using a computer.
>>7173 >any other options? I would prefer something you can carry with you
I see no problem on carrying a CD-R, are you trying to fit it on your pocket? I'm sure that your boot partition doesn't exceed the size of a CD, therefore you could chop off the external area of it that doesn't look like being written, should be more efficient with a DVD-R
>>7128 you don't know what you're talking about retard. the BIOS isn't the only thing that is capable of doing this. and why the fuck are you letting people modify your BIOS
>>7134 yes it is you dickfuck. it has full access to everything
>>7139 >calling people freetard because their BIOS doesnt "support WIFI"
what the actual fuck am i reading?
if you're saying it lacks some initialization shit, we can just reverse engineer and copy that part from the proprietary BIOS
and none of this has anything to do with "freetard" since we're talking about security here, unless you define "freetard" to include anyone who cares about basic security
>>7140 >This chan is literally freetard ideals incarnate.
No, "freetard" is a completly different than thing "wahhh the dev is gay".
>>7180 >False, try using Ctrl-F, literally on the top of the Libreboot page where it is linked it says "Desktops.
Gigabyte GA-G41M-ES2L. modern intel botnet with ME
Intel D510MO. modern intel botnet. doesn't support graphical output
ASUS KCMA-D8. full size ATX elephant. doesn't support graphical output.
Intel D945GCLF. modern but without ME. libreboot page says it cannot use Full Disk Encryption, so it's useless
Apple iMac 5,2. "Information to be written soon"
ASUS KFSN4-DRE. expensive server board. E-ATX. doesn't boot from USB devices.
ASUS KGPE-D16. expensive server board. E-ATX. doesn't support graphical output
so not a single one is usable
>Then get a Talos II or something.
fuck 30-core overpriced Talos II. instead just buy old shit without Management Engine
>>7186 >I see no problem on carrying a CD-R, are you trying to fit it on your pocket?
yes. or into my underwear
>>7197 >Use a USB stick for the boot partition. Much faster and sturdyier.
but won't BIOS or operating system overwrite it and modify my bootloader? USB stick will not be read only
>>7218 >the BIOS isn't the only thing that is capable of doing this.
what else is?
>>7232 PCI option ROM for example. and people say hard drive firmware
nigger you could literally solder on some shit somewhere or replace one of the 5000 devices in the PC.
or replace RAM with a computer that outputs a malicious program somewhere that wll be executed
basic phyics motherfucker do you know it
I'm using luks for Linux encryption. What's the best full disk encryption for Windows?
Also I'm using veracrypt for non-bootable encryption, is there a better option?
>>7234 >What's the best full disk encryption for Windows?
Not using windows at all. Windows can write malware on your linux boot partition if it wants to.
>>7237 > So you deride the Libreboot stuff for being not modern enough, but your solution is to buy not modern hardware.
Stupid people are being stupid. If was smart, he'd code his own stuff, and would be able to find workarounds for many of the challenges he's proposing. But he isn't, so he complains just like a bitch.
>>7243 >LE EBIN SMERT pepulz spend 10000 hours designing hardware and coding drivers just so that he can access some random shitposting website with 0.0000001% more anonymity
cringe and bluepilled
>>7244 >LE EBIN BIG BOY USE BIG BOY OS spend $4000 to run anything at all with decent perf spend 1000 hours at PoS job spen 1000 hours rebooting for forced updates and recovering lost work
>>7246 Ok, so
>Le autist
spends 10,000 hours designing hardware and coding drivers
probably spent a few thousands $$$ for hardware and circuitry
total time spent: 10,000 hours + some money
>Le normie
spends 1,000 hours at job to earn $4,000 (earning $4/hour)
spends 1,000 hours rebooting
total time spent: 2,000 hours
Seems like we have a winner. Freetards BTFO
>>7234 >I'm using luks for Linux encryption. What's the best full disk encryption for Windows?
you can use:
TrueCrypt
DiskCryptor
VeraCrypt
read about them and choose. VeraCrypt for FDE is bad because it takes too long time to hash the password
>>7233 >PCI option ROM for example. and people say hard drive firmware
>nigger you could literally solder on some shit somewhere or replace one of the 5000 devices in the PC.
>or replace RAM with a computer that outputs a malicious program somewhere that wll be executed
out of those, BIOS seems to be easiest and doesn't replace any physical item
>>7237 >So you deride the Libreboot stuff for being not modern enough, but your solution is to buy not modern hardware.
nobody said anything about Libreboot being not modern enough. I want trannyboot to support non-botnet hardware (so no Management Engine or PSP) and support basic things like USB, PCI, graphical output, SATA, mouse, keyboard, FDE
>>7243 >If was smart, he'd code his own stuff, and would be able to find workarounds for many of the challenges he's proposing.
code what? BIOS? I don't have time for that I have more important stuff to do.
someone already works on coreboot and libreboot, but that work is useless for now
>>7288 >Old hardware isn't gonna support booting from USB, or SATA.
"old" can mean a lot of things
SATA support was even on some/most DDR1 motherboards
and if there is only PATA you can use adapter
how to achieve read-only bootloader?
also, your bios or uefi can just read the keys you type when entering a password