My understanding is, the "vulnerability" in evil maid attacks is physical security. So, a discussion of threat model is probably warranted?
How I do it now is put unencrypted /boot and detached luks header on a usb that always stays in my pocket or wallet and gets removed from the computer after boot. I don't do this anymore but storing the hash of files on that drive offline/secure is also a good idea.
But then what if someone tampers with the interface between USB and kernel? I have secureboot for that but still there is a lot that can go wrong. Ultimately, 24/7 video surveillance,chasis intrusion detection and other physical security measures are the best mitigations imo.
A question I have for OP is how secureboot affects this attack, assuming private key for the certs/keys and pin code are secured offline.
1 comment
[ 2.7 ms ] story [ 10.9 ms ] threadMy understanding is, the "vulnerability" in evil maid attacks is physical security. So, a discussion of threat model is probably warranted?
How I do it now is put unencrypted /boot and detached luks header on a usb that always stays in my pocket or wallet and gets removed from the computer after boot. I don't do this anymore but storing the hash of files on that drive offline/secure is also a good idea.
But then what if someone tampers with the interface between USB and kernel? I have secureboot for that but still there is a lot that can go wrong. Ultimately, 24/7 video surveillance,chasis intrusion detection and other physical security measures are the best mitigations imo.
A question I have for OP is how secureboot affects this attack, assuming private key for the certs/keys and pin code are secured offline.