BareMetal Security

Hi,

So far I really like Fedora CoreOS and I am using it on a few BareMetal installations with Clevis.
To my knowledge you can decrypt the disk as soon as you manage to boot an OS on the hardware (because you have access to the TPM and can read the LUKS header).
I have done a few things to keep anyone from reading the disk or booting something else:

  • root LUKS (clevis tpm2) as described in the docs here
  • removed Ignition leftovers after the setup (/boot/ignition), as they contain sensitive data and the boot partition is not encrypted
  • added a GRUB2 password to the static grub.cfg (I don’t want anyone booting into single user mode)
  • enabled Secure Boot (seems to be working out of the box with shim)
  • restricted BIOS access, boot options, etc. (not related to FCOS)

Is there anything else I can do? Do you have any tips?

Thanks & Regards,
Phil

3 Likes
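
The checklist in the post above, written as a read-only audit script. This is an added example, not part of the original post or the Fedora CoreOS docs; the function names, the default grub.cfg path and `LUKS_DEV` are assumptions. The PCR check is included because a clevis tpm2 pin without `pcr_ids` is not tied to what was booted.

```shell
#!/bin/sh
# Added example: read-only audit of the hardening checklist in the post.
# Function names and the defaults in audit_host are assumptions.

# /boot is unencrypted, so any Ignition leftover there is readable offline.
ignition_clean() {            # $1 = boot directory
    [ ! -e "$1/ignition" ]
}

# Prints: hashed | plaintext | none
# A plaintext "password" line in a file on /boot protects nothing.
grub_password_state() {       # $1 = grub config file
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$1" 2>/dev/null; then
        echo plaintext
    elif grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" 2>/dev/null &&
         grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$1" 2>/dev/null; then
        echo hashed
    else
        echo none
    fi
}

# Prints: none | tpm2 | tpm2+pcr, reporting the weakest TPM2 slot found.
clevis_tpm2_state() {         # $1 = output of `clevis luks list -d DEV`
    state=none
    while IFS= read -r line; do
        case "$line" in
            *tpm2*pcr_ids*) if [ "$state" = none ]; then state=tpm2+pcr; fi ;;
            *tpm2*)         state=tpm2 ;;
        esac
    done <<EOF
$1
EOF
    echo "$state"
}

secure_boot_enabled() {       # $1 = output of `mokutil --sb-state`
    case "$1" in *"SecureBoot enabled"*) return 0 ;; *) return 1 ;; esac
}

# Run as root on the host; LUKS_DEV and GRUB_CFG are site-specific.
audit_host() {
    ignition_clean /boot || echo "FAIL: /boot/ignition still present"
    echo "grub password: $(grub_password_state "${GRUB_CFG:-/boot/grub2/grub.cfg}")"
    echo "clevis: $(clevis_tpm2_state "$(clevis luks list -d "$LUKS_DEV")")"
    secure_boot_enabled "$(mokutil --sb-state)" || echo "FAIL: Secure Boot not enabled"
}
```

Call `audit_host` with `LUKS_DEV` set to the root LUKS partition; the script changes nothing on the system.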

It’s a wide topic and I’m planning to get back to you on this but have not been able to find the time yet. This is very dependent on your threat model and what you want to be able to protect your system from, but your setup looks like a very good start.

1 Like

Just to get an idea, run Lynis and see what hardening sounds reasonable for your use case.

To make LUKS even better, I played with some udev rules detecting when AC is unplugged (laptop as a server) and then immediately shutting down the laptop. Nothing tested yet though.

I also thought about using an eSATA port only and blocking all USB ports (threat model). eSATA cables seem pretty rare.