gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
pie__ has quit [Quit: Leaving]
mighty_vee has joined #nixos-security
pie__ has joined #nixos-security
pie__ has quit [Client Quit]
pie__ has joined #nixos-security
MichaelRaskin has quit [Ping timeout: 258 seconds]
mighty_vee has quit [Remote host closed the connection]
Synthetica has joined #nixos-security
<pie__> random question: does using software FDE mean that if you have a malicious hdd enclosure it can't see data going over the wire?
<ekleog> assuming the malicious hdd isn't doing pci shenanigans, yes
<ekleog> (without this assumption, I don't know and it'll likely depend on whether you have an IOMMU and your specific computer architecture)
<pie__> * i asked in another channel as well,
<pie__> "yes, but a malicious HDD enclosure could mount all sorts of active attacks that FDE isn't really designed to defend against. e.g. it's only with luks2 that you can have authenticated encryption now"
<pie__> i totally failed to think of active attacks
<pie__> ok and also the whole problem with plugging malicious devices into your machine at all
<pie__> sniffing ram over buggy sata implementations or whatever
<pie__> if you're booting off it, attacking the boot loader
<ekleog> you can't be booting off it if it's FDE
<ekleog> unless your UEFI supports decrypting the bootloader, but that's something I've yet to see
<pie__> grub + luks?
<pie__> or rather, there's an implicit unencrypted bootloader part there
<ekleog> exactly, and it's the unencrypted part that will get attacked
<ekleog> (unless you're doing non-AE encryption, but non-AE encryption is bad in almost all cases -- and that almost is here only because I know of exactly 1 case that would not need it)
pie__ has quit [Quit: Leaving]
pie__ has joined #nixos-security
pie__ has quit [Quit: Leaving]
hmpffff has joined #nixos-security
WilliButz has quit [Quit: WeeChat 2.2]
hmpffff has quit [Quit: Bye…]
WilliButz has joined #nixos-security