Protect/detect tampering of MBR/GPT data with PureBoot/Heads

Hi, currently PureBoot does not detect new files added to the /boot partition. This could be problematic if malware modifies MBR/GPT data and adds a new malicious GRUB-related file to /boot.

AFAIK there are two modes possible with PureBoot, which uses GRUB:

  • BIOS-mode GRUB on MBR
  • BIOS-mode GRUB on GPT
  • (unsupported EFI-mode GRUB on MBR and EFI-mode GRUB on GPT)

Also, the boot loader can be installed on the MBR or on the /boot partition (two options in the GUI installer; the third option is “do not install”). However, it could be installed on other disks or partitions as well.

Here is a schema of the supported modes:

GRUB-related files are documented here:

  • boot.img
  • diskboot.img
  • cdboot.img
  • pxeboot.img
  • lnxboot.img
  • kernel.img
  • core.img
  • *.mod

1. Does PureBoot detect changes to all GRUB-related files listed above?
2. Does PureBoot detect changes to MBR sector in both modes?
3. Does PureBoot detect changes to boot sector of a partition in both modes?
4. Does PureBoot detect changes to GPT sector in mode BIOS-mode GRUB on GPT?
5. Does PureBoot detect changes to other data in both modes?

I found this interesting project which generates checksums and backs up /boot, the MBR and the BIOS:

hashboot hashes all files in /boot and the MBR to check them during early boot. It is intended for when you have encrypted the root partition but not the boot partition. The checksums and a backup of the contents of /boot are stored in /var/lib/hashboot by default. If a checksum doesn’t match, you have the option to restore the file from backup.

6. Is it feasible to implement tamper detection of every piece of data (file or raw) in the boot process in PureBoot?
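The kind of check hashboot is described as doing, written out as an added example (not hashboot's, Heads' or PureBoot's own code): snapshot a manifest of every file under /boot plus the raw MBR sector (LBA 0) and the primary GPT header sector (LBA 1), then compare a later state against it. The /boot tree, the disk image and the tampering are all constructed inside a temporary directory so the script runs offline; on a real system the same functions would be pointed at the mounted /boot and the block device.

```python
import hashlib
import tempfile
from pathlib import Path

SECTOR = 512  # MBR lives in LBA 0, the primary GPT header in LBA 1


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(boot_dir: Path) -> dict:
    """Map every regular file under boot_dir (POSIX-style relative path) to its SHA-256."""
    out = {}
    for p in sorted(boot_dir.rglob("*")):
        if p.is_file():
            out[p.relative_to(boot_dir).as_posix()] = sha256_hex(p.read_bytes())
    return out


def hash_disk_sectors(disk: Path) -> dict:
    """Hash the raw MBR (LBA 0) and the primary GPT header sector (LBA 1)."""
    with disk.open("rb") as f:
        mbr = f.read(SECTOR)
        gpt_header = f.read(SECTOR)
    return {"mbr": sha256_hex(mbr), "gpt_header": sha256_hex(gpt_header)}


def build_manifest(boot_dir: Path, disk: Path) -> dict:
    """Snapshot that must be kept where an attacker cannot silently rewrite it (e.g. signed)."""
    return {"files": hash_tree(boot_dir), "sectors": hash_disk_sectors(disk)}


def verify(manifest: dict, boot_dir: Path, disk: Path) -> list:
    """Return a sorted list of findings; an empty list means nothing changed."""
    current = build_manifest(boot_dir, disk)
    old, new = manifest["files"], current["files"]
    findings = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            findings.append(f"added: {name}")
        elif name not in new:
            findings.append(f"removed: {name}")
        elif old[name] != new[name]:
            findings.append(f"modified: {name}")
    for sector in ("mbr", "gpt_header"):
        if manifest["sectors"][sector] != current["sectors"][sector]:
            findings.append(f"modified: {sector}")
    return findings


def demo() -> list:
    """Constructed scenario: snapshot a tiny /boot and disk image, then tamper with both."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp, "boot")
        (boot / "grub").mkdir(parents=True)
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        (boot / "grub" / "grub.cfg").write_text("linux /vmlinuz\n")

        disk = Path(tmp, "disk.img")
        image = bytearray(4 * SECTOR)            # constructed 4-sector disk image
        image[510:512] = b"\x55\xaa"             # MBR boot signature
        image[SECTOR:SECTOR + 8] = b"EFI PART"   # GPT header signature in LBA 1
        disk.write_bytes(bytes(image))

        manifest = build_manifest(boot, disk)
        assert verify(manifest, boot, disk) == []  # clean state: no findings

        # Tampering: overwrite the first bytes of the MBR and drop an extra,
        # unreferenced module into /boot, which a grub.cfg-only check would not see.
        with disk.open("r+b") as f:
            f.write(b"\x90\x90\x90")
        (boot / "grub" / "i386-pc").mkdir()
        (boot / "grub" / "i386-pc" / "extra.mod").write_bytes(b"constructed module")
        return verify(manifest, boot, disk)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The manifest is only as trustworthy as the place it is stored: a checksum file sitting on the same unencrypted /boot can be rewritten along with the files it covers, which is why Heads ties its hashes to a signature made with the user's GPG key on the Librem Key rather than to a plain file.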

Is this not what the librem key is for?

Librem Key is one element used in PureBoot (a secure boot process, or a set of tools to increase protection).

PureBoot is Purism’s cutting edge, complete secured boot process and combines a number of technologies including:

  • Neutralized and Disabled Intel Management Engine, where only the code absolutely essential for the system to boot is left in the ME.
  • Coreboot, the free software BIOS replacement.
  • A Trusted Platform Module (TPM) chip.
  • Heads, our tamper-evident boot software that loads from within coreboot and uses the TPM and the user’s own GPG keys to detect tampering within the BIOS, kernel, and GRUB config.
  • Librem Key, our USB security token that integrates with Heads to alert the user to tampering with an easy “green light good, red light bad” process.
  • Integration between the Librem Key and LUKS disk encryption so you can unlock your disk with your Librem Key.

I did not find information that PureBoot tamper-detects MBR/GPT-related data. That is why I created this thread to discuss this.

not possible without detection. Pureboot doesn’t use the MBR/PBR to determine the location of grub cfg files - it reads grub.cfg directly from /boot. MBR vs GPT doesn’t matter, nor do any partition flags.

Change the partition containing /boot? Those files won’t be signed / boot will fail validation.
Change grub.cfg? Will fail signature check at boot
Add other files? Irrelevant, won’t be used unless directly referenced by grub.cfg, which is hashed/signed with the LK
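The reasoning in this reply, that a file in /boot only matters if grub.cfg actually loads it, can be made concrete by listing which files a grub.cfg names. The following is an added example (not Heads' or PureBoot's validation code): it pulls the paths out of `linux`/`linux16` and `initrd`/`initrd16` lines, strips a GRUB device prefix such as `(hd0,gpt2)`, and splits the files under /boot into referenced, missing and unreferenced. It assumes the common layout where grub.cfg paths are relative to the /boot filesystem root, and it deliberately does not follow `configfile`/`source` includes or expand `$variables`; the config and files are constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Commands whose arguments name files on the boot filesystem. The 16-bit
# variants are the ones used with BIOS-mode GRUB.
KERNEL_CMDS = ("linux", "linux16")
INITRD_CMDS = ("initrd", "initrd16")


def _path_of(arg: str) -> str:
    """Drop a GRUB device prefix like "(hd0,gpt2)" and the leading slash."""
    return re.sub(r"^\([^)]*\)", "", arg).lstrip("/")


def referenced_files(grub_cfg_text: str) -> set:
    """Collect the /boot-relative paths that grub.cfg hands to the loader."""
    refs = set()
    for raw in grub_cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        cmd = parts[0]
        if cmd in KERNEL_CMDS and len(parts) > 1:
            refs.add(_path_of(parts[1]))              # first arg is the kernel; rest is cmdline
        elif cmd in INITRD_CMDS:
            refs.update(_path_of(a) for a in parts[1:])  # initrd accepts several images
    return refs


def classify_boot_files(boot_dir: Path, grub_cfg: Path) -> dict:
    """Split files under boot_dir into what the config loads and what it never touches."""
    refs = referenced_files(grub_cfg.read_text())
    refs.add(grub_cfg.relative_to(boot_dir).as_posix())  # the config itself is on the boot path
    present = {p.relative_to(boot_dir).as_posix() for p in boot_dir.rglob("*") if p.is_file()}
    return {
        "referenced": sorted(refs & present),
        "missing": sorted(refs - present),       # config names a file that is not there
        "unreferenced": sorted(present - refs),  # present in /boot but never loaded
    }


def demo() -> dict:
    """Constructed /boot with one stray module and a config naming a missing initrd."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp, "boot")
        (boot / "grub").mkdir(parents=True)
        for name in ("vmlinuz-6.1", "initrd.img-6.1", "extra.mod"):
            (boot / name).write_bytes(b"constructed " + name.encode())
        cfg = boot / "grub" / "grub.cfg"
        cfg.write_text(
            "# constructed grub.cfg\n"
            "menuentry 'PureOS' {\n"
            "    linux16 (hd0,gpt2)/vmlinuz-6.1 root=/dev/mapper/root ro quiet\n"
            "    initrd16 /initrd.img-6.1 /microcode.cpio\n"
            "}\n"
        )
        return classify_boot_files(boot, cfg)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

In this model the stray `extra.mod` lands in the unreferenced bucket, which is the reply's point: it is never loaded unless a signed grub.cfg names it, so a check that covers grub.cfg and the files it references covers the boot path. The `missing` bucket is the other side of the same check, a signed config pointing at a file that has been removed.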

sure, but it’s a waste of time and doesn’t improve security, which is why we don’t do it
