Detect Bootloader Tampering

Topics: Feature Requests
Dec 7, 2014 at 12:49 AM
Hello everyone,

Would it be possible to validate the bootloader has not been tampered with after system boot-up for encryption of the system partition/drive?

I am specifically referencing the Evil Maid attack vulnerability.

One thought could be to compare the contents of ISO image on the C drive to the bootloader to make sure there are no differences once the PC boots in an attempt to detect changes to the bootloader.

If a difference is detected, you can issue a warning box that the system has been compromised with instructions to restore the bootloader from the Rescue Disk created during system encryption.

I am open to other ideas.

Thank you!
Dec 7, 2014 at 10:44 AM
Keep checking this thread for previous feature requests and Mounir's response to them.

You will be pleased to learn VeraCrypt will be implementing a removable boot loader :) Yay !
Dec 7, 2014 at 2:13 PM
I hope Mounir can create the bootloader outside the HDD using thumb drives and/or the bootable DVD like the Rescue Disk.

I noticed Mounir's response said the "possibility to store it on a flash drive" with emphasis added by me. It is not certain that Mounir will implement the bootloader outside the HDD.

Either way, I would like to a means to validate the bootloader on HDD or the removable bootloader against the ISO to ensure the bootloader has not been tampered with by malware or root kits. :)
Dec 7, 2014 at 3:34 PM
I believe you are misunderstanding the word "possibility" in the context it was written in.

I suspect it means "add the possibility" not "possibly add" :)

VeraCrypt already does some file checking as far as I understand.
Dec 7, 2014 at 4:18 PM
I see your point. I believe you are correct in that you will have the option to store/boot the bootloader from a USB drive or the HDD.

I wonder if the file checking you reference is enough to detect the Evil Maid attack.

To be clear about my request, it is to detect and remediate a compromised bootloader no matter its location. :)
Dec 12, 2014 at 10:15 PM
This is an very interesting feature!
It should not be too complex to implement a verification using the ISO or directly a CD/DVD as you proposed although it is the responsibility of the user to check that he is using the right recovery ISO.

Can you please create an entry for this in the issue tracker? I'll modify its type to "Feature". I decided to start using the issue tracker in order to manage all the accepted features.

Dec 12, 2014 at 10:47 PM
Hello Mounir,

Per your request, I have created the issue.

Thank you for considering this feature and your hard work!

Best Regards,
Dec 13, 2014 at 5:32 AM
May 23, 2015 at 6:11 AM
I wish there was a Yubikey with a few bits of lockable ROM... or write-once-read-many rather. You would create your FDE volumes, create the bootloader ISO, flash it to the Yubikey and keep booting off that stick that never leaves your pocket to be tampered with. For security, each time a new ISO is flashed to the keys memory the device blows an efuse. The state / amount of blown fuses is compared and the system could actually raise an alarm if the evil maid snuck in to tamper with the Key...

I wonder if was technically feasible and if they could be bothered to throw some research into this, I am sure there would be a good market for that product...
May 24, 2015 at 9:49 AM
@randomname0815: you seem to be a big fun of Yubikey!

Indeed, using a readonly bootable USB device is a good protection or as you described a mechanism on the USB device to check the state of the embedded data.

Today, you can achieve a similar functionality using the Rescue Disk: you can boot each time on the rescue disk, restore the bootloader and then boot your system. You can also create a bootable USB key using the Rescue Disk but you'll loose the Read-Only feature (here is a thread about this: For maximum security, you can overwrite the VeraCrypt bootloader and the volume header on the disk with random data each time you start your system (bootloader is located on the first 62 sectors and the header is on the 63th secotor that follows it) so that it will be impossible to boot your system without the rescue disk.

As for the boot tampering detection, the current idea is to store the hash of original bootloader on a separate file inside the encrypted system partition, and to offer the possibility to the user to check if the bootloader was tampered with by using this file (can be activated to be done automatically on logon).
Any comments on this approach?