
@lf-
Created March 30, 2016 02:01
Boot process:
1. EFI firmware runs an unencrypted, unverified EFI application from disk
2. EFI application prompts for the initrd password, decrypts the initrd and runs it
3. initrd prompts for the root password, decrypts root and boots it
Attack:
Stage 1:
1. EFI runs attacker-controlled EFI application (the attacker has had physical access and replaced it on disk)
2. EFI application shows the same password prompt as the original, gets the initrd password
3. EFI application decrypts initrd, doesn't run it, exfiltrates it along with the password
Stage 2 prep:
1. Attacker inserts a backdoor into the now-decrypted initrd, disables any tamper checks it contains
2. Attacker re-encrypts it with the stolen password, writes it back in place of your initrd and puts the original EFI application back
Stage 2:
1. EFI runs normal EFI application
2. EFI application asks for password
3. EFI application decrypts *attacker-controlled* initrd
4. EFI application runs *attacker-controlled* initrd
5. Attacker-controlled initrd prompts for password
6. Attacker-controlled initrd decrypts and boots root, being sure to insert a backdoor there too
7. You're pwned
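The two stages above, as an added toy simulation (not code from the gist). The cipher is a stand-in built from hashlib and hmac so the example runs offline: a PBKDF2-derived key drives an HMAC keystream for confidentiality and a second derived key produces an HMAC tag for integrity. Real systems use other primitives, and the passwords, initrd bytes and root filesystem bytes are constructed samples. What the simulation shows is why the MAC does not save you: every key is derivable from the password the victim typed into the attacker's stage 1, so the attacker can re-seal a backdoored initrd that the genuine EFI application accepts, while a blind one-byte flip without the password is still rejected.

```python
import hashlib
import hmac
import os

def derive_keys(password: str, salt: bytes):
    """Password -> (encryption key, MAC key). PBKDF2 is a stand-in KDF."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=64)
    return k[:32], k[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stream cipher)."""
    blocks, i = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]

def seal(password: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under password-derived keys: salt | nonce | ct | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = derive_keys(password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(ek, nonce, len(plaintext))))
    tag = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unseal(password: str, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a bad tag."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    ek, mk = derive_keys(password, salt)
    expected = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("initrd integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(ek, nonce, len(ct))))

# Constructed sample secrets and images (not real data).
INITRD_PASSWORD = "initrd-pw"
ROOT_PASSWORD = "root-pw"
GOOD_INITRD = b"#!/bin/sh\ncryptsetup open /dev/sda3 root\nexec switch_root\n"
ROOT_FS = b"root filesystem contents"

class Disk:
    """Everything an attacker with physical access can read and rewrite."""
    def __init__(self):
        self.efi_app = legit_efi_app          # stage 1: unencrypted, unverified
        self.sealed_initrd = seal(INITRD_PASSWORD, GOOD_INITRD)
        self.sealed_root = seal(ROOT_PASSWORD, ROOT_FS)

def run_initrd(image: bytes, disk, prompt):
    """Stage 2: the initrd asks for the root password and unlocks root."""
    root = unseal(prompt("root password: "), disk.sealed_root)
    return {"root": root, "backdoored": b"BACKDOOR" in image}

def legit_efi_app(disk, prompt):
    """Stage 1 as shipped: ask for the initrd password, unseal, run."""
    image = unseal(prompt("initrd password: "), disk.sealed_initrd)
    return run_initrd(image, disk, prompt)

def make_evil_efi_app(loot: dict):
    """Attacker's stage 1: identical prompt, but it keeps password and plaintext."""
    def evil_efi_app(disk, prompt):
        pw = prompt("initrd password: ")
        loot["password"] = pw
        loot["initrd"] = unseal(pw, disk.sealed_initrd)
        raise RuntimeError("spurious boot failure")   # victim shrugs and retries later
    return evil_efi_app

def boot(disk, prompt):
    return disk.efi_app(disk, prompt)

def user_prompt(msg: str) -> str:
    """The victim types the right password into whatever shows the prompt."""
    return INITRD_PASSWORD if "initrd" in msg else ROOT_PASSWORD

def simulate_attack():
    disk, loot = Disk(), {}
    # Stage 1: attacker swaps the EFI application; victim boots, password is captured.
    disk.efi_app = make_evil_efi_app(loot)
    try:
        boot(disk, user_prompt)
    except RuntimeError:
        pass
    # Stage 2 prep: backdoor the plaintext initrd, re-seal it with the stolen
    # password so the MAC verifies, and put the original stage 1 back.
    disk.sealed_initrd = seal(loot["password"], loot["initrd"] + b"# BACKDOOR\n")
    disk.efi_app = legit_efi_app
    # Stage 2: a normal-looking boot accepts the attacker's initrd and unlocks root.
    return boot(disk, user_prompt)

def tamper_without_password() -> bool:
    """Contrast: a blind byte flip without the password is caught by the MAC."""
    disk = Disk()
    blob = bytearray(disk.sealed_initrd)
    blob[40] ^= 1                                       # inside the ciphertext
    disk.sealed_initrd = bytes(blob)
    try:
        boot(disk, user_prompt)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(simulate_attack())
```

The takeaway the simulation makes concrete: once the password leaves the victim's head through a stage the attacker controls, every key below it is the attacker's too, so integrity protection keyed from that password cannot distinguish the attacker's initrd from yours.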