MichaelRaskin has quit [Ping timeout: 258 seconds]
mighty_vee has quit [Remote host closed the connection]
Synthetica has joined #nixos-security
<pie__> random question: does using software FDE mean that if you have a malicious hdd enclosure it can't see data going over the wire?
<ekleog> assuming the malicious hdd isn't doing pci shenanigans, yes
<ekleog> (without this assumption, I don't know and it'll likely depend on whether you have an IOMMU and your specific computer architecture)
<pie__> * I asked in another channel as well,
<pie__> "yes, but a malicious HDD enclosure could mount all sorts of active attacks that FDE isn't really designed to defend against. e.g. it's only with luks2 that you can have authenticated encryption now"
<pie__> I totally failed to think of active attacks
<pie__> ok and also the whole problem with plugging malicious devices into your machine at all
<pie__> sniffing ram over buggy sata implementations or whatever
<pie__> if you're booting off it, attacking the boot loader
<ekleog> you can't be booting off it if it's FDE
<ekleog> unless your UEFI supports decrypting the bootloader, but that's something I've yet to see
<pie__> grub + luks?
<pie__> or rather, there's an implicit unencrypted bootloader part there
<ekleog> exactly, and it's the unencrypted part that will get attacked
<ekleog> (unless you're doing non-AE encryption, but non-AE encryption is bad in almost all cases -- and that almost is here only because I know of exactly 1 case that would not need it)