grub-devel

Re: Protection of boot sector and embedded area


From: Michal Suchanek
Subject: Re: Protection of boot sector and embedded area
Date: Sun, 27 Sep 2009 13:37:45 +0200

2009/9/27 James Courtier-Dutton <address@hidden>:
> 2009/9/26 Vladimir 'phcoder' Serbinenko <address@hidden>:
>> James Courtier-Dutton wrote:
>>> 2009/9/26 Vladimir 'phcoder' Serbinenko <address@hidden>:
>>>
>>>> It's generally a bad idea to chase grub out of MBR+embed area. It often
>>>> results in unreliable configurations. Could you detail your use case so
>>>> we can seek a better solution?
>>>>
>>>
>>> The other thing sitting in the embedded area is a whole disc encryption 
>>> product.
>>> It takes up about 60 sectors of the 64 sectors of the embedded area.
>>>
>> I guess you speak about truecrypt. In this case the solution I would
>> recommend is to make grub load truecrypt's embedding area from a file on
>> the disk (it probably can be extracted from truecrypt w/o installing the
>> booter). It's not a difficult task, just nobody has done it yet (volunteers
>> are welcome).
>> Beware that truecrypt is distributed under a license which poses legal
>> danger to the end user.
>> https://fedoraproject.org/wiki/ForbiddenItems#TrueCrypt
>> Of course it's your choice to use it or not, but I would suggest avoiding
>> such software, especially for the data you need to protect.
>
> It is not truecrypt.
> I would argue that a "full disk encryption" product should be in the
> boot sector/embedded area and everything else, even grub, should load
> after it.
>

Obviously your encryption solution does not encrypt the Linux volume
which you boot using the USB stick, so it has no reason to be loaded
when loading Linux; it can only cause harm by trying to decrypt what
is not encrypted.

Also, as Grub can access the disk drives by various means (BIOS, PCI
device driver, ...), the encryption software would have to hijack all
these access paths transparently, which I can't imagine happening.

Thanks

Michal
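The thread above is a dispute over who gets the MBR and the embedding area (the sectors between the MBR and the first partition, where GRUB places its core.img). Before deciding whether two loaders can share that space, one would want to see what actually occupies it. The script below is an added example, not code from this thread or from GRUB: a POSIX shell script that reads the first partition's start LBA from an MBR partition table, derives the embedding area size from it, and counts how many of those sectors are non-zero. It builds its own constructed sample image (a classic layout with the first partition at LBA 63, so 62 embedding sectors, five of them filled with a stand-in payload); that layout and payload are assumptions for illustration, not data from the thread, and a 512-byte sector size is assumed throughout.

```shell
#!/bin/sh
# Added example (not code from the grub-devel thread or from GRUB itself):
# inspect an MBR-partitioned raw disk image and report how much of the
# embedding area (sectors between the MBR and the first partition) is in use.
# Assumes a 512-byte sector size and a DOS/MBR partition table.

SECTOR=512

# Assemble a little-endian uint32 from 4 bytes at byte offset $2 of image $1.
# Going via single bytes keeps the result independent of host endianness.
read_le32() {
    set -- $(od -An -v -tu1 -j "$2" -N 4 "$1")
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# True if the MBR carries the 0x55AA boot signature at bytes 510-511.
mbr_signature_ok() {
    sig=$(od -An -v -tx1 -j 510 -N 2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Start LBA of the lowest-placed partition among the four primary entries
# (each entry is 16 bytes from offset 446; the start LBA sits at entry+8).
# Prints 0 when the table is empty.
first_partition_lba() {
    best=0
    for n in 0 1 2 3; do
        lba=$(read_le32 "$1" $((446 + n * 16 + 8)))
        if [ "$lba" -gt 0 ] && { [ "$best" -eq 0 ] || [ "$lba" -lt "$best" ]; }; then
            best=$lba
        fi
    done
    echo "$best"
}

# True if sector $2 of image $1 contains any non-zero byte.
# od -v is required: without it od collapses repeated zero lines into "*".
sector_is_nonzero() {
    rest=$(dd if="$1" bs="$SECTOR" skip="$2" count=1 2>/dev/null \
           | od -An -v -tx1 | tr -d ' 0\n')
    [ -n "$rest" ]
}

# Prints "<used> <total>": non-zero sectors in the embedding area and its size.
embedding_area_used() {
    start=$(first_partition_lba "$1")
    used=0
    i=1
    while [ "$i" -lt "$start" ]; do
        if sector_is_nonzero "$1" "$i"; then used=$((used + 1)); fi
        i=$((i + 1))
    done
    echo "$used $((start - 1))"
}

# Constructed sample: a 64-sector image with the classic layout where the
# first partition starts at LBA 63 (62 embedding sectors), and a stand-in
# payload occupying sectors 1-5. Sample data, not taken from any real disk.
make_sample_image() {
    dd if=/dev/zero of="$1" bs="$SECTOR" count=64 2>/dev/null
    # partition entry 1: bootable (0x80), CHS fields zero, type 0x83 (Linux),
    # start LBA 63, length 1 sector
    printf '\200\000\000\000\203\000\000\000\077\000\000\000\001\000\000\000' \
        | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    for s in 1 2 3 4 5; do
        printf 'CONSTRUCTED payload in sector %d' "$s" \
            | dd of="$1" bs="$SECTOR" seek="$s" conv=notrunc 2>/dev/null
    done
}

# Human-readable report for one image; fails on a missing boot signature.
report() {
    mbr_signature_ok "$1" || { echo "$1: no 0x55AA MBR signature"; return 1; }
    set -- "$1" $(embedding_area_used "$1")
    echo "$1: first partition at LBA $(first_partition_lba "$1"), embedding area $3 sectors, $2 in use"
}

# Stand-alone demo: pass an image path, or run without arguments to use the sample.
if [ -n "${1:-}" ]; then
    report "$1"
else
    tmp=$(mktemp) && make_sample_image "$tmp" && report "$tmp"
    rm -f "$tmp"
fi
```

Run it against a real device or image (`sh embed.sh /dev/sda` as root, or a `dd` copy of the first few MiB) to see how many embedding sectors are already taken; a product that fills 60 of them, as described in the thread, leaves too little room for GRUB's core.img, which is the practical reason the two loaders collide.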



