Every command requires to be performed while logged as root unless explicitely indicated.
Note: Every command requires to be performed while logged as root unless explicitely indicated.
## Some context
When booting a system, different programs are run. As a very rough and simplified overview, for a system supporting UEFI we can say that:
* First UEFI is in control.
* Then it calls an efi application, generally a bootloader (e.g. GRUB) and in our case a customed initramfs.
* The initramfs (or bootloader) then runs the OS (in our case, the Linux Kernel).
UEFI provides a feature called Secure Boot (SB) which signs the efi application with keys stored by UEFI, so that an attacker cannot modify the boot sequence and tamper with what is run on the machine early during the boot process. Such an attack would make the threat undetectable with the classic forensic tools, i.e. from the already booted OS.
Nexedi developped for Rapid.Space a system going further, which scans the filesystem to be mounted by initramfs **during** the initramfs stage, i.e. before the Linux Kernel has taken over, and send the scan to Wendolin for further analysis. To do so, we create a customed initramfs embedding the scanner and sender and we sign it with our own keys. Then, if our keys are enrolled by UEFI, it can verify the integrity of our customed initramfs, loaded by UEFI as an efi application. With this process, we get a complete scan of the to-be-loaded file system each time a server boots. We can detect abnormal file signatures and permissions while being sure than an attacker could not modify the tools we used to create and send the scan.
Note: The scanning tool is called Metadata Collect Agent (MCA), see the project at
