VeraCrypt Hidden OS on EFI/GPT System (v1.0)


By Felis in addition to DJ Bonez manual, special thanks to kavsrf on sourceforge.net

1. Create 4 sequential partitions
   a. Outer_Start (outer volume to be mounted as ordinary volume, FS: any)
   b. H_ESP (EFI system partition for hidden OS, FS: FAT32)
   c. H_OS (partition for hidden OS, FS: NTFS)
   d. Out_End (outer volume to be mounted as hidden volume, FS: any)
2. Convert ESP type to recovery volume in decoy OS
3. Convert H_ESP type to make it ESP
4. Install hidden OS and VeraCrypt in H_OS
5. Start system encryption
   At this step you will create the rescue USB; don't forget to copy shellx64.efi to the USB (see Q&A section for details). The system will reboot to test preboot authentication before encrypting. At this moment proceed to the next step.
6. Boot from rescue USB with EFI shell
7. Modify encryption range to include outer volumes
       EFI\VeraCrypt\DcsCfg.dcs -oshideprep -rnd 2
   A list of partitions will be displayed (order is the same as in Windows Disk Management)
   a. Start outer: number of Outer_Start
   b. End outer: number of Outer_End
   c. Wipe data? Yes for wiping outer volumes with random data
   d. Init outer headers? Yes
   e. Password? Fake_Password1 for mounting outer (outer start) as ordinary encrypted volume
   f. Select algorithm for encryption and hash of outer volumes (e.g. AES, XTS, SHA-512)
   g. Save outer? Yes
   h. Password? Fake_Password2 for mounting outer (outer end) as hidden volume
   i. Save outer? Yes
   j. Update main encryption header? Yes (use password for H_OS here)
   k. Encrypted GPT file name: gpt_enc
   l. Create one hidden volume? Yes
   m. Hidden GPT file name: gpt_hos
8. List disks and select number of authorization USB/partition
       EFI\VeraCrypt\DcsCfg.dcs -dl
9. Wipe security regions container of <N> possible security regions on authorization USB/partition <usbN>
       EFI\VeraCrypt\DcsCfg.dcs -srw <N> -ds <usbN> -rnd 2
10. Mark USB <usbN> as security regions container for <N> possible security regions
       EFI\VeraCrypt\DcsCfg.dcs -srm <N> -ds <usbN>
11. Encrypt GPT with hidden OS password before adding to security region (use -rnd to generate salt)
       EFI\VeraCrypt\DcsCfg.dcs -pf gpt_enc -aa -pe -ps -rnd 2
12. Add GPT to security region <N> on authorization USB <usbN>
       EFI\VeraCrypt\DcsCfg.dcs -pf gpt_enc -sra <N> -ds <usbN>
13. Boot H_OS and finish system encryption
    After system encryption Windows will fail to boot again and will offer repair options if you try to reboot. That's OK! Just proceed to the next step.
14. Boot from rescue USB with EFI shell
15. Update GPT table to hide H_OS and H_ESP on disk <driveN>. It may be a good idea to make a GPT backup before this step.
       EFI\VeraCrypt\DcsCfg.dcs -pf gpt_hos -ds <driveN> -pa
16. If VeraCrypt boot loader is missing from boot menu, boot from rescue USB and “Restore VeraCrypt loader to boot menu”
17. If failing to boot into decoy OS, boot from decoy OS rescue USB and “Restore OS header keys” to disk
18. Convert ESP of decoy OS from recovery type to EFI
19. To be able to boot into decoy OS when authorization USB is installed, boot from rescue USB with EFI shell. If you don't need this option skip steps 20-24; then you will only be able to boot to hidden OS when authorization USB is installed. Before the next steps make sure you can boot into decoy OS. If not - try “Restore OS header keys” to disk
20. Save GPT from system disk <N> to file “gpt_decoy”
       EFI\VeraCrypt\DcsCfg.dcs -pf gpt_decoy -ds <N> -ps
21. Remove GPT info from gpt_decoy
       EFI\VeraCrypt\DcsCfg.dcs -pf gpt_decoy -pz -ps
22. Encrypt gpt_decoy with decoy OS password (use -rnd to generate salt)
       EFI\VeraCrypt\DcsCfg.dcs -pf gpt_decoy -aa -pe -ps -rnd 2
23. Add gpt_decoy to security region <N> on authorization USB/partition <M> (use a different SR number than the one used for the hidden OS)
       EFI\VeraCrypt\DcsCfg.dcs -pf gpt_decoy -sra <N> -ds <M>
24. Edit DcsProp config keys in VeraCrypt loader on ESP
       SecRegionSearch=1 to search for authorization USB/partition marked with keys
       DcsBootForce=1 to boot even if authorization USB/partition was not found
25. Restart and test encryption in different ways
    a. No authorization USB + password of decoy OS → boot decoy OS
    b. No authorization USB + password of hidden OS → authorization error
    c. Authorization USB + password of decoy OS → boot decoy OS
    d. Authorization USB + password of hidden OS → boot hidden OS
26. From decoy OS launch VeraCrypt and mount outer volume using Fake_Password1 (from step 7.e) to letter <L>
27. Quick format mounted volume with exFAT (Don’t format outer partition on disk! Also be sure to use quick format so as not to damage the hidden data. Formatting with NTFS will damage hidden data). From elevated command prompt execute
       Format <L>: /FS:exFAT /Q
28. Place some decoy files on <L>. (Don’t place more files than outer_start size, to avoid overwriting H_ESP and H_OS data!)
29. Dismount outer volume.
30. Mount outer volume using Fake_Password2 (from step 7.h) to letter <L>
31. Format using any FS, place decoy files and dismount.

Q&A section

Unsorted answers for some questions that may occur while installing and playing around with VeraCrypt. Just to save you some time and curiosity.

Q: How to convert ESP type to protect it?
A: You can use diskpart to change partition type. Launch diskpart on decoy OS or on WinPE and select the required disk and partition:
       diskpart
       list disk
       select disk <N>
       list partition
       select partition <M>
   To change partition type to “recovery” use:
       set id="DE94BBA4-06D1-4D40-A16A-BFD50179D6AC"
   To change partition type to “ESP” use:
       set id="C12A7328-F81F-11D2-BA4B-00A0C93EC93B"
   To know more about partition type GUIDs read: https://en.wikipedia.org/wiki/GUID_Partition_Table

Q: How to edit config keys in VeraCrypt loader?
A: There are two possible ways.
   Via VeraCrypt application itself. Go to Settings->System encryption->Edit boot loader configuration.
   Via mounting ESP partition and editing DcsProp. In command prompt execute:
       diskpart
       list disk
       select disk <N>
       list partition
       select partition <M>
       assign letter=<L>
       exit
   This will mount ESP with letter <L>. But usually explorer.exe will not have permission to edit this partition, so you will have to restart it with administrative privileges. From elevated (run as admin) command prompt run:
       taskkill /im explorer.exe /f
       explorer.exe
   Now just open explorer, go to <L>:/EFI/VeraCrypt and open DcsProp

Q: How to get list of logical disks in command prompt?
A: wmic logicaldisk get name

Q: Why should I create more than one security region on authorization USB / partition?
A: Number of SR initialized hides real number of OS installed. Also you can save header of decoy OS to SR, or create several hidden OS’s

Q: Is there more information about DcsProp and its flags?
A: Yes. There is a DcsProp.example file which describes all possible flags. You can download it from here: link

Q: What is EFI shell and how to boot to it?
A: You can get it from here: link for x64. Download the file, rename it to shellx64.efi and place it in the rescue USB root. Don't forget that the rescue USB must be formatted with FAT32.

Q: What else can I do in EFI shell?
A: Read this: link

Q: I want to know more about EFI
A: Here is a good long read about EFI: link

Q: What can I do with DcsCfg.dcs?
A: Here goes a manual on DcsCfg and its switches: link

Q: What is fs<N> in EFI shell?
A: FAT32 formatted block devices, or/and CD-ROM, Floppy disk etc.

Q: What is a Security Region (SR), is there any documentation on it?
A: Security Regions were defined by VeraCrypt creators to support HOS and improve the concept of the volume encrypted header with keys. SR can contain configuration data (e.g. GPT). The structure of SR is:
       sector 1 - header with keys (pwd encrypted)
       sector 2 - table of extra data (header key encrypted)
       sectors with GPT (header key encrypted)
       sectors with execute parameters (header key encrypted)

Q: Is it necessary to store SR at the beginning of the disk / USB stick?
A: SR can be saved to any block device (disk or partition).

Q: Is there any tool for Windows to read/write directly to the disk bypassing filesystem? (e.g. to sector 62)
A: You can use dd tool for Windows: link
   Please read manuals carefully. It’s fairly easy to destroy your data with dd.

Q: Does “Remove VeraCrypt loader from boot menu” option from rescue USB remove VC bootloader files from ESP?
A: No. It only removes loader from menu.

Q: Does “-ps” flag from DcsCfg save entire GPT table from selected disk?
A: No. It saves partitions only. You can not use it to backup entire GPT. (e.g. you will not be able to restore GPT on disk from file created by -ps after cleaning the disk)

Q: Any examples on how to use dd?
A: Download dd.exe and place it into C:\. From elevated command prompt execute
       dd --list
   This will return a list of Win32 volumes and available block devices (Fig. 1). It is important to run dd from an elevated command prompt, otherwise you won't see block devices. “Partition0” is always the entire disk.
   To dump sector 61 to file s61.img on C:\temp execute
       dd if=\\?\Device\Harddisk0\Partition0 of=C:\temp\s61.img skip=61 count=1 bs=512
   To write from file s62.img to disk use
       dd if=C:\temp\s62.img of=\\?\Device\Harddisk0\Partition0 seek=62 count=1 bs=512

Figure 1.
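Added example (not part of the original manual and not VeraCrypt code): step 15 recommends a GPT backup and the Q&A notes that -ps cannot provide one, so this Python example parses the primary GPT of a raw disk image, verifies both CRC32 fields, names the partition type GUIDs used with diskpart above, and returns the bytes to keep as a backup. The sample disk, its partition sizes and all function names are constructed for illustration; 512-byte sectors are assumed.

```python
import struct
import uuid
import zlib

SECTOR = 512                                  # assumption: 512-byte logical sectors
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")     # 92-byte GPT header
ENT = struct.Struct("<16s16sQQQ72s")          # 128-byte partition entry

ESP = "C12A7328-F81F-11D2-BA4B-00A0C93EC93B"       # from the diskpart Q&A
RECOVERY = "DE94BBA4-06D1-4D40-A16A-BFD50179D6AC"  # from the diskpart Q&A
BASIC = "EBD0A0A2-B9E5-4433-87C0-68B6B72699C7"     # Microsoft basic data
TYPE_NAMES = {ESP: "EFI System Partition", RECOVERY: "Windows recovery",
              BASIC: "Microsoft basic data"}


def parse_gpt(image):
    """Parse the primary GPT of a raw disk image and verify both CRC32 fields."""
    (sig, _rev, hdr_size, hdr_crc, _rsv, _cur, backup_lba, _first, _last,
     _disk_guid, ent_lba, n_ent, ent_size, arr_crc) = HDR.unpack_from(image, SECTOR)
    if sig != b"EFI PART" or not HDR.size <= hdr_size <= SECTOR:
        raise ValueError("no valid GPT header at LBA 1")
    hdr = image[SECTOR:SECTOR + hdr_size]
    zeroed = hdr[:16] + bytes(4) + hdr[20:]   # CRC is taken with its own field zeroed
    start = ent_lba * SECTOR
    array = image[start:start + n_ent * ent_size]
    if ent_size < ENT.size or len(array) != n_ent * ent_size:
        raise ValueError("truncated or malformed partition entry array")
    parts = []
    for i in range(n_ent):
        type_raw, _uid, first, last, _attr, name = ENT.unpack_from(array, i * ent_size)
        if type_raw == bytes(16):             # all-zero type GUID marks an unused slot
            continue
        guid = str(uuid.UUID(bytes_le=type_raw)).upper()  # GUIDs are mixed-endian on disk
        parts.append({"index": i + 1, "type": guid,
                      "type_name": TYPE_NAMES.get(guid, "unknown"),
                      "first_lba": first, "last_lba": last,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return {"header_crc_ok": zlib.crc32(zeroed) == hdr_crc,
            "array_crc_ok": zlib.crc32(array) == arr_crc,
            "backup_lba": backup_lba, "gpt_end": start + len(array),
            "partitions": parts}


def backup_primary_gpt(image):
    """Return LBA 0 through the end of the entry array; refuse a damaged table."""
    info = parse_gpt(image)
    if not (info["header_crc_ok"] and info["array_crc_ok"]):
        raise ValueError("GPT CRC mismatch; refusing to back up a damaged table")
    return image[:info["gpt_end"]]


def build_sample_image(total_sectors=4096):
    """Constructed test disk; names follow step 1, sizes are arbitrary."""
    layout = [(RECOVERY, "Decoy_ESP", 64, 263),    # decoy ESP after step 2
              (BASIC, "Outer_Start", 264, 1023),
              (ESP, "H_ESP", 1024, 1279),          # H_ESP after step 3
              (BASIC, "H_OS", 1280, 3071),
              (BASIC, "Out_End", 3072, 4061)]
    entries = b"".join(
        ENT.pack(uuid.UUID(t).bytes_le, uuid.UUID(int=i + 1).bytes_le,
                 first, last, 0, name.encode("utf-16-le"))
        for i, (t, name, first, last) in enumerate(layout))
    array = entries.ljust(128 * ENT.size, b"\0")   # standard 128-slot array
    hdr = HDR.pack(b"EFI PART", 0x00010000, HDR.size, 0, 0, 1, total_sectors - 1,
                   34, total_sectors - 34, uuid.UUID(int=0xD15C).bytes_le,
                   2, 128, ENT.size, zlib.crc32(array))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    img = bytearray(total_sectors * SECTOR)        # LBA 0 (protective MBR) left zeroed
    img[SECTOR:SECTOR + len(hdr)] = hdr
    img[2 * SECTOR:2 * SECTOR + len(array)] = array
    return bytes(img)


if __name__ == "__main__":
    disk = build_sample_image()
    for p in parse_gpt(disk)["partitions"]:
        print(p["index"], p["name"], p["type_name"], p["first_lba"], p["last_lba"])
    print("backup size in bytes:", len(backup_primary_gpt(disk)))
```

On a real system the input would be a raw image of the first sectors of the disk, for example one dumped with dd as in the Q&A above; the backup GPT at the last LBA of the disk is not covered here.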