
I am having a problem understanding some security techniques and was hoping someone could clarify some things. For instance, in terms of an evil maid attack, what are some solutions to preventing this? Is booting from removable media a solution to this? What does that entail? Let's say the OS I am using is a Linux live boot system. Does that mean that it is protected from this kind of attack, or does booting from removable media mean that I am copying the boot sector of my PC onto it, and each time I boot I plug it in and boot that, then go on to boot whatever OS I am trying to use? Would this differ depending on whether I am using a live OS vs. an installed OS on my PC?

An evil maid attack affects the BIOS/UEFI of the PC, correct? If I am confused, I am wondering what the best way is to protect against malware/spyware in the boot sector of a PC. Does TPM or secure boot help protect against this? I am assuming secure boot does. Also, this is specifically regarding Linux, as I do not know if TPM is only for Windows or if it can be implemented with Linux.

Other than booting from removable media and what that is/entails, anything to do with hardening your device against physical-access attacks using only Linux OSes would be greatly helpful.

If evil maid is booting from removable media, the most secure way to prevent that is by turning off all USB ports in the BIOS and turning on secure boot or TPM, correct? So TPM and secure boot will also prevent someone from installing malware in the BIOS to infect every new system you install. Secure boot and TPM are two different things, correct? Do both of them virtually do the same thing? From what you said it looks as if TPM also encrypts the hard drive as well? If so, would that be better than LUKS?

My threat model would basically just be wanting to stop anyone from booting from removable media to try and alter the system, or installing malware in the UEFI that would install itself after the system is decrypted and booted. So if my system is completely encrypted, then that will basically stop anyone from altering the system using removable media, correct? Then the only other thing I need to worry about is someone installing malware in the BIOS. So is there a way to put all boot files on a USB drive and have the PC boot from those every time, so I know they are safe, being that they would be with me all the time? What would be the easiest way, as in most likely to work for most Linux systems? Like TPM, secure boot, USB boot files, etc.?

schroeder
Rideboards
  • The gold standard is still to assume that if an attacker has had physical access to your machine, that it is compromised. Disk encryption can prevent contents from being read, but attacks involving modifying the install are still possible (visit and install modified OS, leave, let owner decrypt disk, come back and get password to decrypt, extract). If you want more specific info you'd have to state your expected threats, but for most consumers just encrypting the drive will be sufficient protection from opportunists. – Clockwork-Muse Nov 04 '21 at 06:59
  • If you have completely altered your understanding of the topic, then it might be better to ask a new question. And you have rolled so many questions into one, and some of them trivial to google answers for, that this is impossible to answer without writing a book. – schroeder Nov 04 '21 at 17:26
  • Yes, thank you. – Rideboards Nov 07 '21 at 01:24

1 Answer

You have it a bit backwards.

The evil maid attack is when the evil maid brings in bootable removable media and boots your system on it and then accesses your filesystem bypassing all privilege checks.

Secure boot makes sure that booted binaries are signed by an external authority. While it does prevent custom things like unexpectedly installed malware from being booted, it doesn't solve evil maid attacks on its own.

TPM allows (among other things) each stage of the boot process to be cryptographically hashed. This covers hashing BIOS, BIOS settings, boot loader, boot loader settings, second stage boot loader and config, etc... up the chain.

TPM can also store an encrypted password that can only be decrypted with some subset of the hashes above, so the entire boot chain must have the same hash as previously for the TPM password to decrypt. If that works, then you can use the TPM password to decrypt the hard drive.

Presumably if your entire boot chain is signed for secure boot, and then the hashes match to unlock the password, then it is safe to decrypt the hard drive as you are booting with a known good environment that enforces security as desired.

This last step is what protects from the evil maid.

Linux can support TPM.

user10489
  • A TPM isn't going to help against an evil maid if only the boot sector/drive is signed - they can just boot via a live disk and read the rest of the drives. – Clockwork-Muse Nov 04 '21 at 06:51
  • Right. You want everything you can capture signed and then the OS drive encrypted. Sufficiently new versions of grub automatically hash and measure everything including the kernel and initrd images and kernel command line. When you bind and seal the password, you can specify which components you want to use the hashes from. – user10489 Nov 04 '21 at 11:11
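The mechanism user10489 describes (each boot stage hashed into a PCR, a secret sealed to a chosen set of PCRs, and the secret released only when the chain hashes exactly as it did before), together with Clockwork-Muse's caveat that an unmeasured component gives the evil maid a free swap, can be seen end to end in the following simulation. This is an added example, not code from the original post or from any TPM vendor: the "TPM" is a small Python class, its wrapping cipher is a toy built from HMAC and SHA-256 rather than the chip's real storage key and AES, and the boot events are constructed strings. The PCR numbers follow the TCG PC Client and GRUB conventions (0 firmware code, 1 firmware settings, 4 boot loader, 7 Secure Boot state, 8 GRUB command line, 9 files GRUB loads such as kernel and initrd); the exact events a given firmware measures differ, so treat the chain below as illustrative.

```python
"""Toy model of TPM measured boot and PCR-bound sealing (added example).

Not the original poster's or any vendor's code. The wrap cipher is a
toy (HMAC/SHA-256 keystream); a real TPM wraps with its own storage key.
PCR assignments follow TCG PC Client / GRUB conventions: 0 firmware,
1 firmware settings, 4 boot loader, 7 Secure Boot state, 8 GRUB command
line, 9 kernel/initrd loaded by GRUB. Boot events below are constructed.
"""
import hashlib
import hmac
import secrets

PCR_INIT = b"\x00" * 32  # SHA-256 PCRs start at all-zero on power-up


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream standing in for the TPM's symmetric wrap."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += sha256(key + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


class ToyTPM:
    def __init__(self) -> None:
        self._srk = secrets.token_bytes(32)  # storage root key, never leaves the chip
        self.reboot()

    def reboot(self) -> None:
        """Power cycle: PCRs reset to zero, the storage root key persists."""
        self.pcrs = {i: PCR_INIT for i in range(24)}

    def extend(self, index: int, event: bytes) -> bytes:
        """TPM2_PCR_Extend: PCR_new = H(PCR_old || H(event)). One-way, order-sensitive."""
        self.pcrs[index] = sha256(self.pcrs[index] + sha256(event))
        return self.pcrs[index]

    def policy_pcr(self, selection) -> bytes:
        """Simplified TPM2_PolicyPCR: a single digest over the selected PCRs."""
        return sha256(b"".join(self.pcrs[i] for i in sorted(selection)))

    def seal(self, secret: bytes, selection) -> dict:
        """Bind `secret` to the *current* values of the selected PCRs."""
        policy = self.policy_pcr(selection)
        key = hmac.new(self._srk, policy, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return {"selection": tuple(sorted(selection)), "policy": policy, "ct": ct, "tag": tag}

    def unseal(self, blob: dict) -> bytes:
        """Release the secret only if the selected PCRs match their seal-time values."""
        policy = self.policy_pcr(blob["selection"])
        if not hmac.compare_digest(policy, blob["policy"]):
            raise PermissionError("PCR policy check failed: boot chain changed")
        key = hmac.new(self._srk, policy, hashlib.sha256).digest()  # wrong PCRs -> wrong key anyway
        if not hmac.compare_digest(hmac.new(key, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
            raise PermissionError("integrity check failed")
        return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, len(blob["ct"]))))


# Constructed boot chain: (PCR index, measured event) in boot order.
GOOD_CHAIN = [
    (0, b"firmware image build 2021.10"),
    (1, b"setup: usb-boot=disabled admin-password=set"),
    (7, b"SecureBoot=1 PK/KEK/db as shipped"),
    (4, b"/EFI/debian/grubx64.efi"),
    (8, b"linux /vmlinuz-5.10 root=/dev/mapper/root ro"),
    (9, b"/vmlinuz-5.10"),
    (9, b"/initrd.img-5.10"),
]


def boot(tpm: ToyTPM, chain) -> None:
    tpm.reboot()
    for pcr, event in chain:
        tpm.extend(pcr, event)


def replace_event(chain, old: bytes, new: bytes):
    return [(p, new if e == old else e) for p, e in chain]


def try_unseal(tpm: ToyTPM, blob: dict):
    try:
        return tpm.unseal(blob)
    except PermissionError:
        return None


def evil_maid_demo() -> dict:
    """Provision on a clean boot, then reboot into three scenarios."""
    tpm = ToyTPM()
    boot(tpm, GOOD_CHAIN)
    passphrase = b"luks-passphrase-example"
    sealed_all = tpm.seal(passphrase, [0, 1, 4, 7, 8, 9])   # covers kernel/initrd too
    sealed_loader_only = tpm.seal(passphrase, [0, 4, 7])    # stops at the boot loader

    scenarios = {
        "clean": GOOD_CHAIN,
        "initrd_swapped": replace_event(GOOD_CHAIN, b"/initrd.img-5.10", b"/initrd.img-5.10 (+keylogger)"),
        "loader_swapped": replace_event(GOOD_CHAIN, b"/EFI/debian/grubx64.efi", b"/EFI/debian/grubx64.efi (evil)"),
    }
    results = {}
    for name, chain in scenarios.items():
        boot(tpm, chain)
        results[name] = {
            "all_pcrs": try_unseal(tpm, sealed_all) == passphrase,
            "loader_only": try_unseal(tpm, sealed_loader_only) == passphrase,
        }
    return results


if __name__ == "__main__":
    for scenario, outcome in evil_maid_demo().items():
        print(f"{scenario:15s} unseal with all PCRs: {outcome['all_pcrs']}  loader-only: {outcome['loader_only']}")
```

The second scenario is the point of the comment thread: a secret sealed only to PCRs 0, 4 and 7 still unseals after the initrd has been replaced, because nothing in the policy ever measured it, so the evil maid's initrd gets the disk key handed to it. Sealing to the PCRs that also hold the kernel, initrd and command line (8 and 9 under GRUB) makes the same swap fail closed. On a real Linux system the equivalent of `seal(...)` is enrolling the LUKS key against a PCR set, e.g. `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+4+7+9 /dev/<luks-device>` (its default is PCR 7 alone), and a kernel or firmware update changes the measured values, so the enrollment has to be redone or a recovery passphrase kept.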