Hi, currently PureBoot does not detect new files added to the /boot partition. This could be problematic if malware modifies MBR/GPT data and adds a new malicious GRUB-related file to /boot.
AFAIK there are two modes possible with PureBoot which uses GRUB:
- BIOS-mode GRUB on MBR
- BIOS-mode GRUB on GPT
- (unsupported EFI-mode GRUB on MBR and EFI-mode GRUB on GPT)
Also, the boot loader can be installed on the MBR or on the /boot partition (two options in the GUI installer; the third option is “do not install”). However, it could be installed on other disks or partitions as well.
Here is a schema of the supported modes:
GRUB-related files are documented here: https://www.gnu.org/software/grub/manual/grub/html_node/Images.html#Images
1. Does PureBoot detect changes to all GRUB-related files listed above?
2. Does PureBoot detect changes to MBR sector in both modes?
3. Does PureBoot detect changes to boot sector of a partition in both modes?
4. Does PureBoot detect changes to GPT sector in mode BIOS-mode GRUB on GPT?
5. Does PureBoot detect changes to other data in both modes?
I found this interesting project which generates checksums and backs up /boot, MBR and BIOS: https://schlomp.space/tastytea/hashboot
hashboot hashes all files in /boot and the MBR to check them during early boot. It is intended for when you have encrypted the root partition but not the boot partition. The checksums and a backup of the contents of /boot are stored in /var/lib/hashboot by default. If a checksum doesn’t match, you have the option to restore the file from backup.
6. Is it feasible to implement tamper detection of every piece of data (file or raw) in the boot process in PureBoot?
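A minimal version of that kind of check, added here as an example and not PureBoot's or hashboot's own code: it hashes every file under a boot directory plus the raw MBR and the sectors after it (GPT tables and the area where BIOS-mode GRUB usually embeds core.img), so a newly added file, a removed file, a modified file or a patched sector all show up on verification. It assumes GNU coreutils (sha256sum, dd, find, diff) and uses a constructed boot directory and a disk image file in place of a real disk.

```shell
#!/bin/sh
# Added example, not PureBoot's or hashboot's code: builds a SHA-256 manifest
# of every file under a boot directory plus the raw MBR and the post-MBR gap
# (GPT tables and/or GRUB's core.img embedding area) of a disk or image, and
# verifies it later. Assumed tools: sha256sum, dd, find, diff (GNU coreutils).

# Hash every regular file under $1, sorted so the manifest is reproducible.
hash_boot_files() {
  ( cd "$1" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done )
}

# Hash $3 sectors of $1 starting at sector $2, labelled $4 in the manifest.
hash_sectors() {
  h=$(dd if="$1" bs=512 skip="$2" count="$3" 2>/dev/null | sha256sum | cut -d' ' -f1)
  printf '%s  %s\n' "$h" "$4"
}

# Full manifest for boot dir $1 and disk/image $2. Sector 0 is the MBR (a
# protective MBR on GPT disks); sectors 1..2047 hold the primary GPT header and
# entries on GPT disks and, on BIOS-mode installs, usually the area where GRUB
# embeds core.img (the post-MBR gap or a small BIOS boot partition).
make_manifest() {
  hash_boot_files "$1"
  hash_sectors "$2" 0 1    "@disk:mbr"
  hash_sectors "$2" 1 2047 "@disk:post-mbr-gap"
}

# Verify boot dir $2 and disk $3 against saved manifest $1. Because the manifest
# lists every file, an added file shows up as a '+' line, a removed one as '-',
# and a modified file or sector as a changed hash. Returns 0 only when identical.
verify_manifest() {
  make_manifest "$2" "$3" | diff -u "$1" - && return 0
  return 1
}

# Constructed demo: a fake boot dir and an all-zero 1 MiB disk image, a clean
# check, then a new file dropped into the boot dir and one MBR byte patched.
demo() {
  t=$(mktemp -d) && mkdir -p "$t/boot/grub" || return 1
  printf 'set timeout=5\n' > "$t/boot/grub/grub.cfg"
  dd if=/dev/zero of="$t/disk.img" bs=512 count=2048 2>/dev/null
  make_manifest "$t/boot" "$t/disk.img" > "$t/manifest"
  verify_manifest "$t/manifest" "$t/boot" "$t/disk.img" >/dev/null || return 1
  printf 'tampered' > "$t/boot/grub/extra.mod"
  printf 'T' | dd of="$t/disk.img" bs=1 count=1 conv=notrunc 2>/dev/null
  verify_manifest "$t/manifest" "$t/boot" "$t/disk.img" >/dev/null && return 1
  rm -rf "$t"
}
```

The manifest itself has to live somewhere the attacker cannot reach (hashboot keeps it under /var/lib/hashboot on the encrypted root; PureBoot's equivalent would be signed and checked from firmware), otherwise it can be regenerated along with the tampered files.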