zithro
March 16
Thanks @slcoleman and @enmus for pointing me out as a rude guy! Just kidding, no offense ^^
For the border crossing, enmus just quoted how it’s done by a security professional (one of the creators of Qubes), and many examples have been given: you don’t need to hide or deny what you don’t have in the first place.
I’m still interested in OPAL drives because they have plenty of applications, but I’m wondering whether that would also work for a non-boot drive (i.e. a secondary one)?
Out of the box any Samsung SSD will work as an Opal-compliant non-boot drive. You just add an OS if you want one, but you first need to learn how to manage keys and create ranges on the device. Basically you create a range, encrypt it, and then format your partition into that space. Growing partitions may not be possible; I have not played with that.
I’ve (quickly) read a bunch of pages from the 2nd PDF and it is not clear about that: it talks about boot sequences, but also says that it can be manipulated with ATA commands, so I dunno.
The tool to use is sedutil or msed; I don’t remember which tool came first. One of them will likely come with your OS distribution and just needs to be installed.
One interesting thing though, if I understood correctly, is that in order to boot the shadow MBR, “PC firmware and configuration → MUST not have changed” (p. 12-6).
If you create a small partition at the beginning of the drive you may have to count cylinders so that you start the next partition on the MBR partition table in the right spot. What we did was create a partition on the regular MBR, unlock the shadow MBR and then repeat the same partitioning on the shadow MBR. After that you format that space and install the first OS (if wanted), or data, and then with the shadow MBR still unlocked create and format the second partition. Once you cycle power that second partition will no longer be visible until you unlock the shadow MBR again. Someone quickly examining the drive will see the data in the first partition but won’t even see the second partition. They will see it only if they get their hands on the machine with the MBR unlocked and still powered up in the machine.
Am I right in thinking that using a drive like that would prevent BIOS/UEFI tampering (provided it’s clean prior to the disk setup)?
If the drive range is set to cover the boot partition and then set to read-only, you won’t be able to write any boot files. You need to remove the RO attribute from that range to update it. You should be able to boot from it read-only unless something needs to write there for some reason. Some kind of early-phase logging? I have not played with UEFI yet so I can’t say.
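The two steps the reply above describes by hand (partition first, then create one Opal locking range per partition, then lock it or set the boot range read-only) are where mistakes happen: a range whose start or length is not aligned to the drive's reported alignment granularity is rejected, and ranges must not overlap. The script below is an added example written for this thread; it is not code from the thread, from sedutil or from Samsung. It reads sector 0 from a device or image, parses the classic MBR partition table, checks each partition against the Opal Geometry Reporting alignment rule, and prints the `sedutil-cli` lines (`--setupLockingRange`, `--enableLockingRange`, `--setLockingRange <RW|RO|LK>`, as documented in sedutil's own help) that mirror the table as locking ranges. Assumed, not taken from the post: an alignment granularity of 8 sectors with LowestAlignedLBA 0 (check yours with `sedutil-cli --query <device>`), that `--initialSetup` has already set the Admin1 password, and the placeholder device `/dev/sdb` and password `Admin1Pass`. Writing the same table into the shadow MBR image is a separate step (`--loadPBAimage`) that this script does not do.

```python
"""Mirror an MBR partition table onto TCG Opal locking ranges with sedutil-cli.

Added example for the thread above (not code from the thread or from sedutil).
Assumptions not in the original post: AlignmentGranularity = 8 sectors and
LowestAlignedLBA = 0 (what `sedutil-cli --query` reports on many 4 KiB-sector
SSDs), and the Admin1 password was already set with --initialSetup.
"""
import struct
import sys

SECTOR = 512              # logical block size assumed for LBA arithmetic
TABLE_OFFSET = 446        # first of the four 16-byte MBR partition entries
ENTRY_FMT = "<B3xB3xII"   # status, CHS (skipped), type, CHS (skipped), LBA start, length


def parse_mbr_partitions(sector0):
    """Return the non-empty partition entries of a classic MBR as dicts."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature; not an MBR")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, ptype, start, length = struct.unpack(ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0 or length == 0:          # empty slot
            continue
        parts.append({"index": i + 1, "type": ptype, "start": start,
                      "sectors": length, "bootable": status == 0x80})
    return parts


def alignment_problems(part, granularity=8, lowest_aligned=0):
    """Opal Geometry Reporting: with AlignmentRequired set, a range must start on a
    multiple of AlignmentGranularity counted from LowestAlignedLBA, and its length
    must be a multiple of the granularity. Returns a list of problem strings."""
    problems = []
    if (part["start"] - lowest_aligned) % granularity:
        problems.append("partition %d: start LBA %d not aligned to %d sectors"
                        % (part["index"], part["start"], granularity))
    if part["sectors"] % granularity:
        problems.append("partition %d: length %d not a multiple of %d sectors"
                        % (part["index"], part["sectors"], granularity))
    return problems


def sedutil_plan(parts, device, password, modes=None, granularity=8, lowest_aligned=0):
    """Emit sedutil-cli lines that create, enable and set one locking range per
    partition. Range number == partition slot (1..4); range 0 is the Global Range
    and is left alone. `modes` maps slot -> "RW" | "RO" | "LK"; default LK (locked),
    which is also the state an enabled range returns to after a power cycle.
    Refuses overlapping or misaligned ranges: a drive that reports
    'Range Crossing = N' rejects overlaps, and misaligned ranges fail to set up."""
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            raise ValueError("partitions %d and %d overlap" % (a["index"], b["index"]))
    problems = [m for p in parts for m in alignment_problems(p, granularity, lowest_aligned)]
    if problems:
        raise ValueError("; ".join(problems))
    cmds = []
    for p in parts:
        n = p["index"]
        mode = (modes or {}).get(n, "LK")
        # The password is passed on argv and is visible in `ps` while each command runs.
        cmds.append("sedutil-cli --setupLockingRange %d %d %d %s %s"
                    % (n, p["start"], p["sectors"], password, device))
        cmds.append("sedutil-cli --enableLockingRange %d %s %s" % (n, password, device))
        cmds.append("sedutil-cli --setLockingRange %d %s %s %s" % (n, mode, password, device))
    return cmds


def build_mbr(entries):
    """Construct a 512-byte MBR from (type, start, sectors, bootable) tuples.
    Constructed sample input only; a real run reads sector 0 from the device."""
    sector = bytearray(SECTOR)
    for i, (ptype, start, length, bootable) in enumerate(entries):
        off = TABLE_OFFSET + 16 * i
        sector[off:off + 16] = struct.pack(ENTRY_FMT, 0x80 if bootable else 0, ptype, start, length)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # Usage: python3 opal_ranges.py [device] [Admin1 password] [image-or-device-to-read]
    # Without a third argument a constructed layout is used: a 512 MiB partition at
    # LBA 2048 kept read-only (boot files), then a 2 GiB partition that is locked and
    # therefore not readable after power-up until the range is unlocked again.
    args = sys.argv[1:]
    device = args[0] if args else "/dev/sdb"          # placeholder device
    password = args[1] if len(args) > 1 else "Admin1Pass"  # placeholder password
    if len(args) > 2:
        with open(args[2], "rb") as f:
            sector0 = f.read(SECTOR)
    else:
        sector0 = build_mbr([(0x83, 2048, 1048576, True), (0x83, 1050624, 4194304, False)])
    for line in sedutil_plan(parse_mbr_partitions(sector0), device, password, modes={1: "RO"}):
        print(line)
```

Run it against `/dev/sdb` itself as the third argument to plan from the live partition table, review the printed commands, then run them as root. To update boot files in the read-only range later, re-run just `sedutil-cli --setLockingRange 1 RW <password> <device>`, write, and set it back to `RO`.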