
Secure USB boot with Debian - meebey
https://www.meebey.net/posts/secure_usb_boot_with_debian/
======
jaclaz
Hmmm, with all due respect, it sounds to me like a solution to a non-problem,
actually making it worse. I mean - speaking of laptops - if you put a password
protection on BIOS after having "forced" the boot from the internal
disk/device you are IMHO a tadbit safer than "forcing" USB boot. Of course
some laptop BIOS passwords can be worked around and of course some Operating
Systems can also be "tricked" during booting, but with some care these can be
patched or avoided, but allowing (actually "forcing") USB booting represents -
as I see it - a much "wider" attack surface. On the other hand, you lose your
keys and you cannot use the laptop while waiting on the porch for the
locksmith to arrive...

------
fulafel
Hopefully Debian or Ubuntu start supporting encrypted /boot soon, the pieces
have been there for a while (such as crypto support in grub).

Arch guys have documented the setup on their wiki:
[https://wiki.archlinux.org/index.php/Dm-
crypt/Encrypting_an_...](https://wiki.archlinux.org/index.php/Dm-
crypt/Encrypting_an_entire_system#Encrypted_boot_partition_.28GRUB.29)

~~~
dpiz
Nice. Wasn't aware that was possible. Would you opt for encrypting boot
partitions over isolating them on a USB?

~~~
fulafel
Depends on the implementation of encrypted /boot. If the bootloader itself is
loaded from the host disk[1], your adversary could always just overwrite /boot
and GRUB with something that is actually unencrypted and just pretends to ask
for the password. I guess ideally the system should authenticate itself to the
user somehow. Maybe by presenting its own user-facing password from a list of
one time passwords.

(Of course all this is moot if the bad guy reflashes your bios to execute
everything in a hostile VM or does other shenanigans that physical access
enables... but this requires slightly more sophistication/effort).

[1] I can't tell from the article which device this guy installs GRUB on. Of
course allowing direct boot from USB will have the downside of making it
easier for your adversary to run his own tools.

