Bytevolcano,
Maybe I have a more effective solution at hand, what do you think about
this:
The following is for AMD64, though I'd guess that a similar approach
would be possible on other platforms also.
The boot sequence with MBR is:
MBR: Load PBR (unencrypted)
PBR: Load /boot (encrypted)
/boot: Load /etc/boot.conf and follow it, default boot setting is
/bsd of the same disk partition as /boot is stored on.
/bsd: Mount the same disk partition as /bsd is stored on as
read-only root, and run /sbin/init.
/sbin/init: Run /etc/rc.
/etc/rc: Run swapctl to set up all swap disks according to the
fstab, fsck to check all filesystems according to the fstab, then mount -a to
mount all filesystems according to the fstab.
I think this means that if OpenBSD's "mount" is friendly to remounting
root (which was previously mounted read-only anyhow) to another disk
partition, then the system actually provides us with a very friendly
facility for booting off USB while supporting the use of any disk as
root disk, *even* disks that are *NOT* supported as readable by the host
system's BIOS (and hence couldn't be booted off directly), which is a
useful feature in and of itself.
Therefore I guess a nice way of making a boot USB stick would be either
of:
1)
Add a keydisk partition to it, and a crypto softraid partition with a
root partition, that you unpack base60.tgz to, and then copy over your
host system's /etc/fstab to that partition also, and then run
installboot on it.
I guess that should be everything necessary for OpenBSD to use the HDD
(which is listed in /etc/fstab) as root disk.
Perhaps an even more convenient option would be to alter "rc" to start
with a remount of the / partition to the "a" partition of the first HDD
in the system that has one, as resolved by grepping dmesg or disklabel.
Maybe you'd need to check that the core dump disk configuration is
right.
2)
An alternative approach would be to try to make /boot boot off the
"hd1a" disk via an instruction in /etc/boot.conf, as hd1 should be the
first detected HDD in the system.
In this case the USB's filesystem would only contain /boot and
/etc/boot.conf, no base system or any other file.
It would be smoother to change fstab/disklabel and kernel in this case.
Both of these look like they would work and be quite clean to me.
Thoughts?
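As an added example (not from the original post), the following shell script turns the two options above into a reviewable command plan. It prints the commands unless APPLY=1 is set, so the sequence can be checked before it is run as root on an OpenBSD host. Every device name in it is an assumption for illustration: sd1 for the stick, sd2 for the softraid volume that bioctl creates, partitions d and e on the stick as keydisk and crypto chunk, /tmp/base60.tgz as the fetched base set, and hd1a as the HDD as boot(8) numbers it.

```shell
#!/bin/sh
# Added example, not from the thread: a dry-run command plan for the two
# USB-boot layouts proposed above. Commands are printed unless APPLY=1,
# so the plan can be reviewed before running it as root on an OpenBSD
# host. Every device name is an assumption; confirm with dmesg/disklabel.
# Precondition for option 1: the stick already has a disklabel with two
# RAID-type partitions (the keydisk and the crypto chunk).

USB=${USB:-sd1}                 # assumed: the USB stick
VOL=${VOL:-sd2}                 # assumed: the softraid volume bioctl reports
KEYDISK=${KEYDISK:-${USB}d}     # assumed: RAID partition holding the key
CRYPTO=${CRYPTO:-${USB}e}       # assumed: RAID partition for the crypto volume
BASESET=${BASESET:-/tmp/base60.tgz}   # assumed: fetched base set
MNT=${MNT:-/mnt}

# Print the command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Option 1: an encrypted root on the stick, keyed from the stick's own
# keydisk partition, with the host's fstab copied in so that the remaining
# mounts (and, if rc cooperates, root itself) come from the HDD.
option1_plan() {
    run bioctl -c C -l "/dev/$CRYPTO" -k "/dev/$KEYDISK" softraid0
    run fdisk -iy "$VOL"
    run disklabel -E "$VOL"          # interactive: add an 'a' partition
    run newfs "/dev/r${VOL}a"
    run mount "/dev/${VOL}a" "$MNT"
    run tar -C "$MNT" -xzpf "$BASESET"
    # Copy the host fstab unchanged. It must name the HDD by DUID rather
    # than sdN: the sdN numbers shift once the stick is the boot disk.
    run cp /etc/fstab "$MNT/etc/fstab"
    run installboot -r "$MNT" "$VOL"
    run umount "$MNT"
}

# Option 2: the stick carries only /boot and /etc/boot.conf, and boot(8)
# is told to load /bsd from the HDD. BIOS numbering is assumed: the stick
# is hd0 because it was booted from, the first HDD is hd1. Check this at
# the boot> prompt with "machine diskinfo" before relying on it.
boot_conf_for() {
    # $1: BIOS disk and partition as boot(8) names it, e.g. hd1a
    printf 'boot %s:/bsd\n' "$1"
}

option2_plan() {
    run newfs "/dev/r${USB}a"
    run mount "/dev/${USB}a" "$MNT"
    run mkdir -p "$MNT/etc"
    if [ "${APPLY:-0}" = 1 ]; then
        boot_conf_for hd1a > "$MNT/etc/boot.conf"
    else
        printf 'echo "%s" > %s/etc/boot.conf\n' "$(boot_conf_for hd1a)" "$MNT"
    fi
    # installboot puts biosboot in the PBR and the second-stage boot
    # loader at $MNT/boot; nothing else needs to be on the stick.
    run installboot -r "$MNT" "$USB"
    run umount "$MNT"
}

case "${1:-}" in
    1) option1_plan ;;
    2) option2_plan ;;
esac
```

Run it as `sh plan.sh 1` or `sh plan.sh 2` to see the plan; `APPLY=1 sh plan.sh 1` executes it. Whether option 1 actually ends up with the HDD as root is the open question raised above about rc remounting /, so the fstab copy should be checked by hand before trusting the result.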
Followup:
On 2017-02-06 11:33, [email protected] wrote:
> Hello.
> I don't think it will be easy.
> First, install OpenBSD on the stick (you probably don't need most of
> the sets, just baseXX), leaving enough room for the Softraid keys.
> Then set up Softraid as per normal, installing the key disk on the USB,
> then install OpenBSD on the Softraid partition with the USB still
> inside.
> Once finished, do the first reboot from the HDD to get everything set
> up initially. Then the next time you reboot, boot from the USB and you
> can select which drive you want to boot from.
(Above.)
> Alternatively, you could use an external boot loader, and perhaps even
> take a SHA1 hash of the first 64KB-1MB of the HDD (which is very
> unlikely to change in the course of normal operation). I'm not sure if
> there are boot loaders that verify the payload before starting up
> though.
Any ideas of software?
> You should consider other threats too, such as modification of the
> kernel or other OS components without your knowledge, Intel ME, AMD
> PSP, etc.
Yes.
> A boot sector virus often needs root access and clever social
> engineering tactics, and the right OS support. Many of those scam
> emails with ransomware work on Windows/Linux as they provide the right
> scripting environments for the installers. These too often either
> require admin privileges to set up, or install due to an exploitable
> vulnerability.
Sure.
> The HDD will still have the MBR + boot sector code on it, but you are
> now at liberty to bypass this.
It's unused yes.
On 2017-02-06 11:40, [email protected] wrote:
> There is still an elephant in the room.
> What if someone has physical access to your machine's USB ports, and
> decides to boot something nasty from it, which in turn modifies the
> firmware in your system (very likely to be possible due to stupid
> "consumer-grade" junk like UEFI or OS-flashable BIOS without hardware
> write protection).
> This infected firmware can then scan through any keys that you input,
> including the USB key disk, and the security of this 'softraid
> "firewall"' is now compromised.
Right, booting off USB provides no protection against physical attacks,
nor against broken firmware.
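The "hash the first 64KB-1MB of the HDD" idea from the quoted reply, as an added example that is not part of the thread: a script that records a digest of the HDD's boot area (MBR, PBR and the gap before the first partition) while booted from the stick, and checks it on later boots. SHA-256 is used rather than SHA1; the 1 MiB window and the raw device name /dev/rsd0c mentioned in the usage note are assumptions, and the self-check below runs on a constructed image file so it works on any system.

```shell
#!/bin/sh
# Added example, not from the thread: record a digest of the first
# HEAD_BYTES of a disk and verify it later. Meant to be run from the
# USB-booted system against the HDD's raw device (assumed /dev/rsd0c);
# demonstrated here on a constructed image so it runs anywhere.
set -u

HEAD_BYTES=${HEAD_BYTES:-1048576}   # 1 MiB, the top of the range suggested

# SHA-256 of stdin: OpenBSD ships sha256(1), Linux sha256sum(1).
digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        openssl dgst -sha256 | sed 's/.*= //'
    fi
}

# $1: device or image path. Reads only the first HEAD_BYTES.
head_digest() {
    dd if="$1" bs=1024 count=$((HEAD_BYTES / 1024)) 2>/dev/null | digest
}

# $1: device, $2: baseline file (keep it on the stick, not on the HDD).
record_baseline() {
    head_digest "$1" > "$2"
}

# $1: device, $2: baseline file. Exit status 0 when the head is unchanged.
verify_head() {
    [ "$(head_digest "$1")" = "$(cat "$2")" ]
}

# Self-check on a constructed 2 MiB image: a change inside the watched
# window is caught, a change past it (filesystem area) is not.
demo() {
    img=$(mktemp) || return 1
    base=$(mktemp) || return 1
    dd if=/dev/zero of="$img" bs=1024 count=2048 2>/dev/null
    printf 'fake MBR' | dd of="$img" conv=notrunc 2>/dev/null
    record_baseline "$img" "$base"
    verify_head "$img" "$base" || { echo "unexpected mismatch"; return 1; }
    printf 'X' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
    if verify_head "$img" "$base"; then echo "tamper missed"; return 1; fi
    record_baseline "$img" "$base"
    printf 'Y' | dd of="$img" bs=1 seek=$((HEAD_BYTES + 4096)) conv=notrunc 2>/dev/null
    verify_head "$img" "$base" || { echo "false alarm"; return 1; }
    rm -f "$img" "$base"
    echo ok
}
```

In use: `record_baseline /dev/rsd0c /boot-area.sha256` once, then `verify_head /dev/rsd0c /boot-area.sha256 || echo "boot area changed"` from the stick on each boot. The baseline must live on the stick or the keydisk, since a copy on the HDD could be rewritten along with the boot blocks; and, as the thread itself says, this only covers the on-disk boot code, not compromised firmware.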