A collection of tools to create an ergonomic and secure encrypted boot-process.
How do you make sure that when your kernel boots that it hasn't been compromised?
An answer to that question could be to have it encrypted, if the bootloader can encrypt and then launch into it, then it hasn't been compromised. As long as the kernel that boots is actually your kernel, and not a replacement.
That brings the question to whether the bootloader can be trusted, it can't.
You can use secure-boot to make sure that it's indeed your bootloaded that runs.
Another solution is to embed your disk-decryption keys in the initramfs of your
encrypted kernel.
This way you know it's indeed your kernel that is running, since it knows how
to decrypt your disks.
Something that's problematic about that is that a malicious bootloader could
for example record your decryption key, use it to decrypt your kernel,
get your disk decryption keys from the initramfs, launch a malicious kernel,
and decrypt your disks with the stolen keys. So secure boot is likely
the best way to go.
This project's overall functionality.
This project contains a bootloader which can decrypt the kernel after
generating configuration using the cli boot-strap which is compiled into the bootloader.
The bootloader can then be signed, again using boot-strap, if that certificate is added, and
secure boot enabled. The very early boot process should be safe.
The bootloader decrypts the kernel and launches the image.
The initramfs, which can be generated by boot-strap, then takes over
and decrypts your disks using the keys saved in the initramfs.
The initramfs is loaded into ram by the kernel, and removed after the early-os-boot process,
when control is handed over to /sbin/init. After load and before removal, the keys reside in RAM and
are vulnerable to low-level attacks.
There are a few steps required to set up boot-rs.
The initramfs can be generated by boot-strap initramfs -i initramfs.cfg -d initramfs.
This will generate an initramfs directory with the appropriate files to unlock a cryptodisk.
Test by running cryptsetup luksOpen --key-file initramfs/crypt.key --test-passphrase <cryptodisk>.
To get initramfs-rs as the init executable, compile it by ./build_init -r then copy it to the initramfs directory as init.
Ex: cp target/release/initramfs-rs /root/initramfs/init.
Build the kernel as usual, but with modules built-in, and with the above generated initramfs built in.
The kernel can then be encrypted using ex:
boot-strap boot -i /usr/src/linux/arch/x86/boot/bzImage -k /boot/EFI/gentoo/gentoo-6.1.19.enc -c boot.cfg -d "HD(1,GPT,f0054eea-adf8-4956-958f-12e353cac4c8,0x800,0x100000)" -p /EFI/gentoo/gentoo-6.1.19.enc.
This will move the encrypted kernel into /boot/EFI/gentoo/gentoo-6.1.19.enc.
Encrypting the kernel generates a configuration file.
Build boot-rs with that file included:
./build-boot --profile lto
Sign the bootloader using any preferred method, and/or copy it directly onto the boot disk ex:
cp target/x86_64-unknown-uefi/lto/boot-rs.efi /boot/EFI/boot-rs.efi.
efibootmgr -c -L "Boot-rs" -l "\EFI\boot-rs.efi" -d /dev/sda1