HackerTrans
TopNewTrendsCommentsPastAskShowJobs

blastrock

no profile record

comments

blastrock
·작년·discuss
Thanks for the link!

Funny to see that someone already thought of this attack in 2022
blastrock
·작년·discuss
Very clever!

I am the author of one of the older guides https://blastrock.github.io/fde-tpm-sb.html .

I was wondering about the solution you propose which seems a bit complicated to me. Here's my idea, please tell me if I'm completely wrong here.

What if I put a file on the root filesystem with some random content (say 32 bytes), let's name it /prehash. I hash this file (sha256, blake2, whatever). Then, in the signed initrd, just after mounting the filesystem, I assert that hash(/prehash) == expected_hash or crash the system otherwise. Do you think it would be enough to fix the issue?