Comment 16 for bug 1773457

Phillip Susi (psusi) wrote : Re: [Bug 1773457] Re: Full-system encryption needs to be supported out-of-the-box including /boot and should not delete other installed systems

On 6/22/2018 9:35 AM, Paddy Landau wrote:
> Sorry, no, that's not why I raised this bug report, Phillip. There
> definitely *is* a point in preventing someone from sneaking into your
> office (say, over the weekend), and loading malware in order to either
> modify or steal your data. This type of espionage does actually happen.
>
> Full disk encryption prevents this, because I really don't think that
> you can load a virtual machine into the (at most) 400Kb of free space in

No; it doesn't. At best it makes it slightly more difficult. Also the
ESP typically has a hundred MB of free space, not 400k.

> the ESP and somehow transfer control to the ESP after you've done that.
> The alternative, leaving a USB stick in the machine and hoping that you
> won't notice a strange stick in your machine, is far too obvious to be
> effective.

A USB stick plugged into the back of the computer isn't likely to be
noticed. You can also open up the case and put something inside. Or
for that matter, the stick only needs to be there to boot the computer
once, then it can be removed and the computer even made to go to sleep
and present fake boot screens if desired so that it looks like it is
booting normally when the user returns and turns it on. Or you can very
likely find a chunk of disk somewhere that you can compress to make room
to squeeze the malware onto the hard disk. Or a more sophisticated
attacker may plug in a PCIe card with malware on it, or compromise the
Intel management engine and have full remote control of your computer
over the network that is completely undetectable.

> Please, if you wish to continue this conversation further, please start
> something on the Ubuntu Forums and post the link here. I'll be happy to
> discuss it at length there, because this is taking it way off track on
> this bug report. The bug report is about converting the current halfway
> encryption method to a full encryption method, for all the right
> reasons. Just because someone "might" be able to load a virtual machine
> into the 400Kb of free ESP is hardly a reason to stick with the halfway
> method where someone definitely can load malware into the system.

If you think it's a good idea, then you should post about it to the
ubuntu-devel mailing list to discuss it.