Hi!
Earlier I blogged about being too (little) paranoid.
One of the comments was my unencrypted /boot on my harddrive. So I did something to it. Daniel Baumann told me some stuff at debconf about how to make bootable cd’s with grub – so I had to try to move my /boot to a cdrom instead.
It works.
A quick and dirty howto:
mkdir -p builddir/foo
cp -r /boot builddir/foo
cd builddir
genisoimage -no-emul-boot -boot-load-size 4 -boot-info-table -r -b boot/grub/stage2_eltorito -o boot.iso foo
and now you are not yet up and running. It looks like it, but you have to adapt boot/grub/menu.lst to make it boot from cd.
First issue: boot fails with a “Error 29: Disk Write Error” – I wondered a bit and asked for help around and wondered a bit more why grub wanted to write to my harddrives in order to boot … finally solved it with help from the Super Grub Disk Page – it was the savedefault point of all my kernels. Removing that made it boot. So time to remove /boot and trust my cd.
Which was a wrong decision.
All my kernels had root=(hd0,0) so it kind of didn’t work. Changing this to root=(cd) did it – and removing (hd0,0) from my splashimage was also a bit nessesary.
So after this, rebuild the cd again with the genisoimage command mentioned above and now I am up and running completely.
And I of course have secretly marked the cd so evil people can’t replace it without me noticing it.
So what’s next step in my tinfoil covered world ? SELinux? something else? I guess you know how to make comments. Feel free.
/Sune
SELinux.
Russell Coker gave a good talk at LCA this year about things that could be improved in Debian, to improve the security of the distribution as a whole.
I wonder if you are interested to try some of these out and comment on how useful you found them?
Russell mentions this here http://etbe.coker.com.au/2007/01/15/lca-talk/,
the details are here:
http://www.coker.com.au/selinux/talks/lca2007/security-improvemnts.pdf
Thanks for this great info. I was able to get my boot partition to cdrom by following your instructions. Next, I would like to have the LUKS Passphrase read from the cdrom so I don’t have to enter it during startup. Do you know how to accomplish this?
Jim:
I have absolutely no clue. As I leave my cd in my computer always (And check on boot wether it is the right one), it doesn’t actually do anything good to my setup to have that.
This doesn’t sound feasible but I am kinda noobish so I thought I’d ask some people who have a DEEP grasp on things… Any ideas on ways of keeping the HD from even looking like it has a partition on it? For plausible deniabilitys sake.