Understanding FDE: Is the encrypted Linux protected against a compromised boot volume?

Question

I use this initramfs-based FDE on my headless server. My motivation is to secure my system against physical tampering.

I am aware that securing an untrusted hardware is not possible. This question is more about understanding how things work.

The (unencrypted) boot volume appears to be a big hole in my defense. Is there any protection against a boot-partition modification? E.g. a signature?

Bonus Question:

There needs to be an ongoing process to decrypt the system volume in the background, which in turn is based on a "booting"-kernel provided by initramfs. What happens to this booting-kernel, once the (encrypted) system kernel is loaded? How is the decrypting process managed (RAM-access, etc.)? How is the process isolated from the system kernel?

Answer 1

Full-disk encryption protects against theft. That is, it protects against a scenario where an attacker gains access to the device, and the owner loses access to the device at that point.

Full-disk encryption alone does not protect against an active attack where the attacker gains access to the device, but the owner is not aware and continues using the device. It's not just a limitation of Linux's implementation, it's inherent in only doing encryption.

Protecting against an active attack requires some form of secure boot in addition to disk encryption. Secure boot requires the cooperation of the hardware:

• The device contains a tamper-resistant¹ component which contains a secret key R.
• The data on the device is encrypted with a key K derived from R.
• The tamper-resistant component can check the integrity of critical parts of the device, and is only willing to release R if the device hasn't been tampered with. The critical parts include the code that will receive K.

On a PC, this is typically done with a TPM. The TPM contains R and is only willing to release it after checking that the contents of RAM matches expectations.

Both Linux and Windows can use a TPM for secure boot.

¹ _{Tamper-resistant means that if an attacker manages to mess with it, we consider that attacker to be too powerful to defend against.}

Answer 2

The main question is: What's your threat model?

A hard disk getting lost? An attacker stealing the server (or its disks) from the CPD? A hosting company employee going rogue?

What cost are you willing to pay for an enhanced security?

You would get the most assurance by combining a TPM with a user-provided passphrase.

Yes, even a headless server could be provided a boot passphrase: it can get a keyboard or a KVM connected for the boot process. Or alternatively, a usb stick which is inserted for the booting process and then removed.

The main drawback is that such server cannot reboot automatically (in case of maintenance or a power-cut).

Is there any protection against a boot-partition modification? E.g. a signature?

This could be done with Secure Boot and proper chaining. You would probably need to configure it with your own keys.

Note that having a verified boot partition would not prevent an attacker from extracting the disk and their contents.

You could remotely provide the key to the "verified boot partition", but someone who cloned your disk could impersonate the server (basically, create a MITM which syphons the decryption key). You would need to ensure that you are really talking to your server-with-verified-code and not an evil clone. This is surely possible using Intel SGX or similar technologies, but probably not trivial.

Regarding your Bonus question, you boot the final kernel. The initramfs mainly provides some extra modules and scripts. While a two-kernels procedure would be possible, I'm pretty sure you don't have a separate "system kernel", only the one stored at /boot which is the one you are booting into (plus perhaps some older, unused ones).

Little known fact: although it's not of much use in your case, it is possible to have an encrypted /boot, with grub decrypting /boot (and since /boot is encrypted, it can contain the keys to decrypt the rest of the disk, anyway).

Answer 3

Protecting the boot process has been addressed by the UEFI Secure Boot (see a tutorial on how to install Ubuntu using it).

UEFI SecureBoot can be used to verify that the kernel or any other program that is executed during the boot process has not been tampered with. Although, as you already know, an attacker having physical access to your computer means that there's practically no defense against a system compromise.

The rest of your (bonus) questions should probably be asked to unix & linux. However, a quick answer is that you only load one kernel, it is not swapped with another one once the system is loaded. What happens is that the initramfs is used to decrypt the partition that has the operating system filesystem and then discarded, but the kernel stays the same.