Secure boot (against evil maids) on Lenovo i945 laptops.
2014-10-02 04:08:01 GMT
Hi,

Use case:
---------
Usually when people do full disk encryption, it's not really full disk; instead they still have a /boot in clear. So an evil maid attack can still be done, in two passes:
1) Clone the hdd, infect the initramfs or the kernel.
2) Wait for the user to enter their password, recover the password, luksOpen the hdd image.

I wanted a real full-disk encryption, so I've put grub in flash and I have the following:
The HDD has a LUKS rootfs (containing /boot) on an lvm partition, so no partition is in clear.
So when the computer boots it executes coreboot, then grub as a payload. Grub then opens the LUKS partition and loads the kernel and initramfs from there.

To prevent hardware level tampering (like reflashing), I used nail polish with a lot of glitter, which acts like a seal. Then a high resolution picture of it is taken, to be able to tell the difference.

The problem:
------------
But then comes the docking port issue: Some LPC pins are exported there, such as CLKRUN and LDRQ#.
LDRQ# is "Encoded DMA/Bus Master Request": "Only needed by
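For readers who want to reproduce the boot chain the post describes (coreboot, GRUB2 as payload, kernel and initramfs read from inside the LUKS container), here is a grub.cfg of the kind that gets baked into the flash image. It is an added example, not the poster's configuration: the disk layout (one MBR partition holding a LUKS1 container, an LVM volume group "vg" inside it, a logical volume "root" carrying both / and /boot), the device names and the password hash placeholder are all assumptions.

```grub
# Added example, not the original poster's grub.cfg.
# Assumed layout (not stated on the page):
#   (hd0,msdos1)  -> LUKS1 container
#     -> LVM volume group "vg" -> logical volume "root", holding / and /boot
# With this layout nothing on the disk is in clear; the only unencrypted code
# in the chain is coreboot + GRUB in the flash chip, which the seal covers.

insmod part_msdos
insmod cryptodisk
insmod luks
insmod lvm
insmod ext2

# Keep a person at the keyboard out of the GRUB shell and the menu editor, so
# the flashed kernel command line cannot be changed without the GRUB password.
# The hash is a placeholder: replace it with real grub-mkpasswd-pbkdf2 output.
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.REPLACE_ME

# Ask for the LUKS passphrase and map the container. "-a" opens every LUKS
# volume GRUB can see; "cryptomount -u <uuid>" would pin it to one known disk.
cryptomount -a

# After the container is open GRUB scans the LVM inside it and exposes the LV
# as (lvm/<vg>-<lv>). Everything below is read from the encrypted volume.
set root=(lvm/vg-root)

menuentry "Linux (kernel and initramfs from the encrypted root)" {
    linux  /boot/vmlinuz root=/dev/mapper/vg-root ro
    initrd /boot/initramfs.img
}
```

Two caveats a practitioner should keep in mind. GRUB does not hand the unlocked key to the kernel, so the initramfs has to open the container a second time; the usual answer is a keyfile embedded in the initramfs, which is acceptable only because the initramfs itself lives inside the LUKS volume and never exists in clear on disk. And GRUB's cryptodisk of the 2014 era understood LUKS1 only; LUKS2 support arrived later (GRUB 2.06) and is limited to PBKDF2 key derivation, so an Argon2 LUKS2 header cannot be opened from GRUB.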