Thinking about it, I couldn’t really come up with an actual threat that would be the result of writing to /boot without the owner being aware of it (as in tamper detection).
I had some ideas, which seem to be quite a bit far-fetched:
- Some malware/attacker could write information gained while the system is running to /boot to make it available unencrypted on the device. Still, the attacker would have to solve the problem of getting to the unencrypted data, but this would open the possibility of just copying it from that disk when the attacker gains physical access.
- Often there are mechanisms in operating systems that are unknown to users. I’m not aware of anything that could actually be triggered by adding files to /boot, but as I wrote: what do I know, and what mechanisms will be added in future if they do not exist today?
For me, by the definition of ‘tamper detection’, I’d expect to be warned if files were added, or even if data on the partition that does not belong to any file had been altered.
I’ll try the following: I’ll fill up the free space on /boot with one file containing random data and test
- whether a full /boot has negative effects on the boot process
- how long it takes to check this extra data while booting
Maybe it’s a simple way to improve the tamper detection and extend it to nearly all unencrypted space on the device.
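The experiment proposed in the post, written out as an added shell example (it is not code from the post or from any distribution's boot-integrity tooling): a filler file of random data occupies the free space of the partition, and a SHA-256 manifest of every file on it, stored outside the partition, is compared on each check. Any new file, any modified file and any byte changed inside the filler changes the manifest. The directory (`/boot` by default), the filler name `.tamper-filler` and the subcommand names are assumptions of this example; the size argument exists only so the functions can be exercised on a scratch directory without filling a real filesystem.

```shell
#!/bin/sh
# Added example: fill the free space of a partition with random data and keep a
# SHA-256 manifest so that added files, changed files, or a changed filler are
# detected on the next check. Assumes POSIX sh, df, find, cmp, diff and either
# sha256sum (coreutils) or shasum.
set -u

FILLER_NAME=".tamper-filler"   # assumed name for the filler file

# Hash one file with whichever SHA-256 tool is available.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# fill_free_space DIR [BYTES]
# Writes BYTES of random data into DIR/.tamper-filler. With no BYTES argument
# the whole free space reported by df for DIR is used (the post's proposal).
fill_free_space() {
    dir=$1
    size=${2:-}
    if [ -z "$size" ]; then
        # POSIX df: with -P -k, column 4 of the second line is available 1K blocks
        size=$(( $(df -P -k "$dir" | awk 'NR==2 {print $4}') * 1024 ))
    fi
    head -c "$size" /dev/urandom > "$dir/$FILLER_NAME"
}

# make_manifest DIR OUT
# Writes "hash  ./path" for every regular file under DIR, in a stable order, so
# that file additions, removals and content changes all alter OUT.
make_manifest() {
    dir=$1
    out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash_file "$f"
    done ) > "$out"
}

# verify_manifest DIR MANIFEST
# Recomputes the manifest and compares it with the stored one.
# Returns 0 when identical, 1 (and prints the differences) when not.
verify_manifest() {
    dir=$1
    manifest=$2
    current=$(mktemp)
    make_manifest "$dir" "$current"
    if cmp -s "$manifest" "$current"; then
        rm -f "$current"
        return 0
    fi
    echo "TAMPER: contents of $dir differ from $manifest" >&2
    diff "$manifest" "$current" >&2 || true
    rm -f "$current"
    return 1
}

# Command-line use (assumed interface): init fills /boot and records the
# manifest; check verifies it. The manifest lives on the encrypted root.
case "${1:-}" in
    init)
        fill_free_space "${2:-/boot}"
        make_manifest "${2:-/boot}" "${3:-/root/boot.manifest}"
        ;;
    check)
        verify_manifest "${2:-/boot}" "${3:-/root/boot.manifest}"
        ;;
esac
```

Run `init` after every kernel or initramfs update: while the filler occupies all free space, nothing else (including the update itself) can be written to /boot, so the filler has to be removed before the update and recreated, with a fresh manifest, afterwards. Wrapping `check` in `time` gives the second figure the post wants to measure, the cost of hashing the extra data at boot.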