1

I'm going to move my /boot/ folder to a USB as a security measure to protect against Full Disk Encryption exploits. My question is, is it possible to only allow boot from USB from a single USB device and not any USB that is plugged in?

Thanks all

James

user843521
  • What are the FDE exploits you want to prevent? – R15 Nov 28 '14 at 09:04
  • Have you considered burning it to a CD instead and booting off of that? – Jenny D Nov 28 '14 at 09:26
  • @R15 This link https://twopointfouristan.wordpress.com/2011/04/17/pwning-past-whole-disk-encryption/ explains the process much better than I could – user843521 Nov 28 '14 at 10:28
  • @JennyD Unfortunately on a Netbook that does not have a built in CD/DVD drive – user843521 Nov 28 '14 at 10:29
  • Second question: What is the purpose of disabling booting off of other USB devices? Since your disk is encrypted, those devices shouldn't be able to read it anyway, right? They could *destroy* the data, but not actually get at it - and if you have backups, the destruction isn't a big deal. – Jenny D Nov 28 '14 at 10:34
  • A TPM will check the hashes of the boot sector of the USB drive, in there install a bootloader that further extends the chain of trust by checking the hashes of the initrd/initramfs and only then releases the encryption key. Any tampering with the USB drive will change the hashes and prevent the TPM from giving the key, so your data will be safe. –  Nov 28 '14 at 16:14

2 Answers

3

I doubt this is possible to set up in the BIOS. However, even if it was, you have a bigger issue: The only way to identify a USB device is by its vendor and device ID. However, all devices by a specific vendor share the same device ID. So even if you could whitelist your own USB, any USB of that same make would also be accepted. Also, I'm pretty sure it's easy to spoof these IDs so even if you didn't have the USB device of the same make, you could spoof it.

mart1n
0

You could make use of the secure boot feature present in many computers, if the netbook does support it and the manufacturer hasn't locked it to Microsoft Boot Keys.

What you could do then is clear the Secure Boot key database, then make your own signing key and install it in the BIOS as PK (Platform Key) and KEK (Key Exchange Key).

After this, you sign the /boot/ software on the USB with these keys.

This will not lock out any other USBs from booting your computer, so if someone manages to copy your USB key, they can use their own copy. But they can't modify the boot software to, for example, leak the FDE key, log the password or insert exploits in your encrypted OS.

sebastian nielsen
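The key generation, enrolment and signing steps from this answer, as an added shell example (not code from the answer or from any of the tools' projects). It uses openssl, efitools and sbsigntools, and also enrols a certificate into db, because db is the database the firmware checks bootloader signatures against; PK and KEK only authorise changes to the key databases. Directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer above: take ownership of Secure Boot
# with your own keys and sign the bootloader kept on the USB stick.
# Assumes: firmware already in Setup Mode (key database cleared), Linux with
# efivarfs mounted, openssl, efitools (cert-to-efi-sig-list, sign-efi-sig-list,
# efi-updatevar) and sbsigntools (sbsign, sbverify). Paths and names are made up.
set -eu

# Self-signed RSA-2048 certificate for one Secure Boot variable (PK, KEK or db).
gen_cert() {   # $1 = output directory, $2 = variable name
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Netbook Secure Boot $2/" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Wrap a certificate as an EFI signature list and sign the update with the key
# one level up the chain: PK signs itself, PK signs KEK, KEK signs db.
make_auth() {  # $1 = directory, $2 = variable name
  local signer=PK
  if [ "$2" = db ]; then signer=KEK; fi
  local guid
  guid=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid)
  cert-to-efi-sig-list -g "$guid" "$1/$2.crt" "$1/$2.esl"
  sign-efi-sig-list -k "$1/$signer.key" -c "$1/$signer.crt" \
    "$2" "$1/$2.esl" "$1/$2.auth"
}

# Enrol db and KEK first; writing PK last switches the firmware out of
# Setup Mode, after which only updates signed by these keys are accepted.
enroll_keys() { # $1 = directory holding the .auth files
  for var in db KEK PK; do
    efi-updatevar -f "$1/$var.auth" "$var"
  done
}

# Sign the bootloader image with the db key (db is what the firmware checks
# executables against; PK and KEK only authorise changes to the databases).
sign_boot() {   # $1 = directory, $2 = unsigned EFI binary, $3 = signed output
  sbsign --key "$1/db.key" --cert "$1/db.crt" --output "$3" "$2"
  sbverify --cert "$1/db.crt" "$3"
}

# Full procedure; run explicitly with "--run" so sourcing the file is harmless.
if [ "${1:-}" = --run ]; then
  keys=/root/sb-keys; mkdir -p "$keys"; chmod 700 "$keys"
  for var in PK KEK db; do gen_cert "$keys" "$var"; make_auth "$keys" "$var"; done
  enroll_keys "$keys"
  sign_boot "$keys" /boot/EFI/BOOT/grubx64.efi /boot/EFI/BOOT/BOOTX64.EFI
fi
```

Keep the private keys off the USB stick itself: once PK is enrolled, whoever holds db.key can sign a bootloader the firmware will accept.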