Fedora reexamines "trusted boot" [LWN.net]

By Jake Edge
June 29, 2011

When we looked in on Fedora's decision on enabling "trusted boot" a little over a year ago, the consensus seemed to be that adding a feature that depended on a closed-source binary firmware blob ran counter to the distribution's goals. Since then, that blob is in the process of being added into the BIOS of various systems—though it remains closed—and the "tboot" (trusted boot hypervisor) package has been added to Fedora. Those changes might make it more attractive for Fedora to provide a way for users to enable it at install time. But there is still resistance to adding the feature, and it didn't make the cut for Fedora 16. It seems likely to come up again for Fedora 17 or beyond, so it may well make its way into the distribution sooner or later.

Trusted boot is a way to use the Trusted Platform Module (TPM) hardware that comes in many systems to only boot signed binaries. The fear is that it will enable hardware vendors to lock down their systems—by requiring binaries signed by their keys in order to boot—but it could also be used to protect against various kinds of malware. As with any hardware-based integrity scheme, it all depends on who holds the keys.

Matthew Garrett opened the discussion on fedora-devel, pointing to a proposed feature on the Fedora wiki. That wiki page is fairly thin on details, which is one of the things that sunk the proposal this time, but it essentially proposes changing the anaconda installer to allow users to choose trusted boot and to provide a way to change the GRUB configuration to support it.

One of the first questions was about the benefit of the feature to Fedora. Camilo Mesias asked about the use cases for trusted boot. Daniel Walsh listed a number of possibilities:

The idea is to allow certain tools/machines to make judgments on how "trusted" a machine is. For example you could set up a VPN server that says I will only allow a machine that passes the "Trusted" test to join my network. Another potential example would be to not allow a guest machine to run on your host if its OS is not "Trusted" Or to have a guest OS check to see if the Host Server is Trusted or stop running.

Several of those use cases rely on the "remote attestation" feature of trusted boot, which means that a suitably configured system that has the "proper" keys stored in the TPM can provide a signed cryptographic hash corresponding to the kernel in use. There was some confusion in the thread about what remote attestation means, but, beyond that, there are concerns that it could be used to thwart users installing their own kernel, even on free software OSes. As Gregory Maxwell put it:

If trusted boot in fedora is widely deployed, then $random_things may demand I use a particular fedora kernel in order to access them. Both [handicapping] my personal freedom to tinker with my own computer by imposing new costs on it, and hampering the Fedora project by creating additional friction against upgrades. ("Sorry, I can't upgrade to the new kernel to test that, because then I won't be able to watch netflicks!")

A bigger problem might be that services start requiring some proprietary OS, rather than a particular Fedora kernel. That would, of course, suit the proprietary OS vendors just fine. But that could happen regardless of what Fedora does. If requiring a Fedora kernel is important, services can require that only approved kernels be used and require that users enable and configure trusted boot in order to access them. The more likely outcome under that scenario would leave Fedora (and other Linux distributions) out in the cold, of course.

While the closed-source nature of the SINIT blob (aka SINIT AC), which is the code that does the low-level integrity checking, worries some, Intel is evidently adamant that the code remains closed. From a practical standpoint, having the code wouldn't do much for users, as Miloslav Trmač points out:

The purpose of the blob is to "measure" the system state; only the blob (and hardware reset) is allowed to restart the "measuring" process in the TPM. For this to work securely, the blob must be signed by someone that the TPM itself trusts - otherwise an attacker could replace the blob by something that lies about the system state.

So, from a standpoint of hacking, it doesn't matter - users won't have the practical freedom to modify the blob anyway because they can't sign it.

From a standpoint of learning/sharing/review - I agree having the source code would be very useful.

As was noted in the thread, we are already largely at the mercy of the hardware and BIOS vendors with respect to the code that runs on our systems. ~~The relatively recent System Management Mode (SMM) additions to the BIOS are just one example.~~ As Adam Williamson put it:

Well, the fact that BIOSes aren't open source means that anyway. As far as we the users are concerned, the BIOS is black box code which runs with the ultimate in administrative privileges. It could be doing _anything_ back there. SMM is a fairly standardized example of this, sure, but there's no way we can really be sure our BIOS isn't doing a zillion other 'bad things'.

But, the presence of Intel signing keys stored in the TPM, which is required to verify the SINIT blob, may lead to some worrisome restrictions. Björn Persson points out that there are alternative, free software BIOS implementations (e.g. Coreboot), but that it may be impossible to replace SINIT:

I have never dared to try Coreboot myself, for fear of destroying my motherboard, but in principle it's possible to replace the BIOS in most current computers with a free implementation. It's looking like the TPM makes it impossible to replace Sinit with a free clone.

Aside from the technical issues, and concerns, the actual feature request on the wiki didn't provide a whole lot of information about how the feature would be used, and how it would be integrated into the Fedora install and boot processes. What facilities would be present for remote attestation, how they could be disabled by users, and what happens when a user tries to boot an "untrusted" kernel are all left up in the air in the feature proposal. It also didn't provide much in the way of justification for why trusted boot would be useful to Fedora users. It is clear to some that it could be useful, if users could create and install their own keys, but the wiki page didn't really make that clear. That led to several requests for more information to be added to the feature request.

The Fedora Engineering Steering Committee (FESCo) took up the request at its June 27 meeting. The discussion in the IRC log of the meeting paralleled that of the mailing list to some extent. The FESCo members seemed a bit puzzled by what exactly was being proposed—and why it would be useful. As Kevin Fenzi (aka nirik) said: "I think there's cool things we could use this for, but 'enable it now so we can do ~wave hands~ later' seems non ideal. Why not set it up to do something our users care about and _then_ enable it."

There was also some discussion of which pieces of Fedora needed changing (anaconda and grubby being two obvious places that might require modification). But the overall sense was that there just wasn't enough meat in the proposal to add it as a Fedora feature. Fenzi is optimistic that it could be done right for Fedora users, but it needs to be fleshed out more:

Setup ways to check the fedora provided kernels. Offer users a way to not boot on problems. Offer users a way to let them attest or decline to attest that it was a valid boot. Allow users to load their policy or change it. etc, the control should be in the users hands, and if this is a feature we should be providing the users those tools.

So FESCo decided to decline the feature for Fedora 16, but agreed that interested parties should continue working on it for possible inclusion down the road. Any work that is done in anaconda, grubby, or elsewhere will have to be negotiated between the trusted boot proponents and the other projects, as there is no FESCo mandate for the feature. It would not be surprising to see this feature come up again in six months or a year.

The TPM and "trusted computing" (aka "treacherous computing") evoke strong reactions. While it is clear that they can be used in ways that essentially lock users out of their own hardware, they could also be used in ways that allow users to ensure the integrity of the code running on those same systems. Like many technologies, trusted boot can be used for good or ill.

If Fedora can provide ways for its users to take advantage of this technology, without being taken advantage of, it will definitely be something that some security-conscious users will benefit from. Intel's secrecy with regard to the SINIT blob is somewhat troubling, but doesn't change the closed-source BIOS problem all that much really. A bigger problem for Fedora down the road may be trying to support users who enable the feature but run into problems getting their Fedora (or custom-built) kernels to boot. But, that's a problem for another day.

(Log in to post comments)

Fedora reexamines "trusted boot"

Posted Jun 30, 2011 14:33 UTC (Thu) by gmaxwell (subscriber, #30048) [Link]

I thought I was clear enough that my concern was mostly related to the default install.

If it's something someone has to go through an effort to activate it won't be imposed casually by third parties.

Though you seem to be suggesting that it's a useful system security feature. It is not. If your system is compromiseable without trusted boot it will be just as vulnerable with it.

Iff linux and much of the userspace were redesigned you _might_ be able to use it to detect rootkits, but even then its unlikely to help... Attackers already aren't rebooting your systems into new kernels for rootkit purposes: They usually use intentionally exposed features (or bugs) to add code to the kernel without rebooting. ... so TPM would attest to you that it booted your trusted kernel but it wouldn't matter.

Fedora reexamines "trusted boot"

Posted Jun 30, 2011 16:46 UTC (Thu) by alonz (subscriber, #815) [Link]

You're touching on the most important point here:

trusted boot is not really about security anymore.

Trusted boot has been proven totally ineffective as a security measure, time and time again. It only remaining business case is to enforce lock-in. But many people still believe the old hype about trusted boot as “the security technology that will rid us of those pesky rootkits”, and serve as unknowing shills for the commercial interests behind the technology.

Even the name of the technology hints at its shortcomings: trusted—by whom? boot—not a trusted system, but only the boot process is trusted.

(Full disclosure: I design security products, and my company even sells “trusted boot” solutions.)

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 14:32 UTC (Fri) by geofft (subscriber, #59789) [Link]

I'd like to know more about why you say it's ineffective as a security measure?

I'm thinking (only thinking, no real plans) about deploying it in a large academic environment, where we're able to take kernel updates all the time and in fact have auto-updates, and the local machines are also stateless so we can reinstall them at any time. Trusted boot would let us know whether or not the system was booted normally or e.g. from a CD or in single-user mode, and whether the disk had been tampered with since last time it was trusted-booted. We're fine assuming that we take updates often enough to avoid rootkits (and in fact we have no network login on these machines), and that in case we suspect something we just want to trigger a remote reinstall.

Will trusted boot and remote attestation not work here?

Note that we have no desire to prevent people from rebooting terminals into a live CD. We just want them not to mess with the hard disk when doing so, and we want to know if they _left_ it booted into a live CD.

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 15:01 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

There have been various flaws in Intel chipsets that allow attacks, the most entertaining being an exploit in the BIOS flasher code that would allow you to flash unsigned BIOS images and replace the sinit. I don't believe there are any <em>known</em> flaws in current systems, but http://theinvisiblethings.blogspot.com/search/label/trust... discusses some of the ones that have been found.

So I don't think there's any direct evidence that it's ineffective, merely that history suggests that anything that's never been seriously attacked and which has a track record of holes tends to have more holes that haven't been found yet...

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 12:04 UTC (Sun) by alonz (subscriber, #815) [Link]

OK, I'll qualify my statements above a bit:
Trusted Boot has been shown to be ineffective as a general security measure for open environments.

If your system is managed centrally, and does not permit execution of locally-introduced code, you're likely OK. Also, if the only purpose of your trusted boot solution is access control to centrally-managed systems, your risk is at least controllable.

The issue with trusted boot is that it's often presented as a “magic bullet”—e.g., claiming that trusted boot (from a local disk!) is an effective countermeasure against rootkits.

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 10:57 UTC (Sun) by brendan_wright (subscriber, #7376) [Link]

> Trusted boot has been proven totally ineffective as a security measure, time and time again.

So are you saying that most systems that have fully deployed trusted boot have been and/or can be made to incorrectly attest themselves as secure when they were actually booting compromised code? If so I'm interested to know how, when and why.

If not, in what way has it failed? I get the impression it's seldom fully implemented outside of DoD & Chrome OS and maybe a few others...

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 10:45 UTC (Sun) by brendan_wright (subscriber, #7376) [Link]

> Though you seem to be suggesting that it's a useful system security feature. It is not. If your system is compromiseable without trusted boot it will be just as vulnerable with it.

It may not prevent compromise but the idea is it can reveal it through remote attestation - see: http://lwn.net/Articles/137306/

A successful compromise might still be a denial-of-service attack, but by immediately taking the compromised system offline you can have confidence that your computers aren't really "owned" by a bunch of hackers.

> Iff linux and much of the userspace were redesigned you _might_ be able to use it to detect rootkits, but even then its unlikely to help... Attackers already aren't rebooting your systems into new kernels for rootkit purposes: They usually use intentionally exposed features (or bugs) to add code to the kernel without rebooting. ... so TPM would attest to you that it booted your trusted kernel but it wouldn't matter.

The idea is that the signing process continues after boot and no code is run without first being checked. If you can extend that to all code in the system (which I agree is a lot of work) then you can detect code changes after boot. Presumably NX bits help here too.

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 12:13 UTC (Sun) by alonz (subscriber, #815) [Link]

I'm afraid I have to disagree with you, at least partially…

For example, you write
> It may not prevent compromise but the idea is it can reveal it through remote attestation
Here you are assuming that the main purpose of the system is access to some (single!) remote service, which can perform the attestation often enough to matter. But this isn't the case for most modern uses, especially when even “connected” devices often use cellular (= intermittent) connections.

Likewise,
> The idea is that the signing process continues after boot and no code is run without first being checked
This assumes a completely closed software ecosystem—which, again, is far from the normal case in almost all modern use-cases.

The concepts of “trusted boot” looked OK on paper, in the context of early security research (which dealt with monolithic managed systems, when software distributions were small and organizations were large). But they don't fit most modern use cases.

Fedora reexamines "trusted boot"

Posted Jul 4, 2011 2:31 UTC (Mon) by brendan_wright (subscriber, #7376) [Link]

> Here you are assuming that the main purpose of the system is access to some (single!) remote service, which can perform the attestation often enough to matter. But this isn't the case for most modern uses, especially when even connected devices often use cellular (= intermittent) connections.

If a firewall is setup to check the security of severs or desktops siting behind it, it can take them offline as soon as they fail a trust check. A mobile device like an Android integrates with online systems such as the update system that could in theory perform such checks for you (alerting your by email perhaps). A lot is possible if the software can be sorted properly...

> > The idea is that the signing process continues after boot and no code is run without first being checked

> This assumes a completely closed software ecosystemwhich, again, is far from the normal case in almost all modern use-cases.

Really? Don't many distros and Anrdoid already only download correctly signed code updates by default? Linux is already much more "closed" or at least "centralized" in one sense than Windows in that most software is installed via apt-get or whatever.

It's not hard to imagine extending this framework to include the TPM, so that your system can attest it is running the code as provided by the update servers, not some code compromised in transit or after it was installed on your machine.

Fedora reexamines "trusted boot"

Posted Jul 4, 2011 8:57 UTC (Mon) by etienne (subscriber, #25256) [Link]

> The idea is that the signing process continues after boot and no code is run without first being checked.

How do you check system-wide libraries? They can be loaded at different time and so different addresses on two successive boots (depending on timing issues or randomized loaded), and they are lasy loaded (http://en.wikipedia.org/wiki/Lazy_loading) so they are constantly being modified - if those memory pages are loaded in memory at all.

Fedora reexamines "trusted boot"

Posted Jul 4, 2011 23:12 UTC (Mon) by brendan_wright (subscriber, #7376) [Link]

> How do you check system-wide libraries?

You check the library loading code, and then the library code that is about to be loaded & relocated - if they haven't changed then the output can't have changed (except for addresses), so if they are "secure" then so should the output be.

Fedora reexamines "trusted boot"

Posted Jun 30, 2011 16:33 UTC (Thu) by cesarb (subscriber, #6266) [Link]

> I'm always suprised at the negative reactions Trusted Computing gets. It's an optional feature! If you don't like it, don't turn it on!

If "Trusted Computing" gets traction, how long before it is no longer optional?

How long before you need it enabled to watch movies on your computer?

How long before you need it enabled to visit some websites?

How long before you need it enabled to read documents people send to you?

How long before you need it enabled to connect to the Internet at all?

Finally, how long before you no longer have a choice, and only "trusted" operating systems are allowed to run?

That is why "Trusted Computing" causes strong negative reactions. The potential for its abuse is tremendous.

Fedora reexamines "trusted boot"

Posted Jun 30, 2011 23:32 UTC (Thu) by smoogen (subscriber, #97) [Link]

I would say about 10 years from now.

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 11:14 UTC (Sun) by brendan_wright (subscriber, #7376) [Link]

> If "Trusted Computing" gets traction, how long before it is no longer optional? How long before you need it enabled to watch movies on your computer?

It can attest to changes in the code run on the device, potentially preventing "secret" modification to that code.

But devices with practically unmodifiable boot code (at least for the average Joe) have been sold for decades (and I still had a lot of fun with our C64). And it didn't mean that customizable & modifiable systems became a thing of the past. There will no doubt always be a market for them, so someone will always make them.

But what about the potential for trusted computing to reduce the amount of loss of private data that goes on? Where's the knee-jerk reaction from the masses demanding that organisations that store our private data can remotely attest to their system's security?

How many innocent Grandmas are really happy about the fact that their PC is actually controlled by a Russian crime syndicate and that all their "personal" data actually isn't?

Like most technology it can be used for both "good" and (for those that expect to be able to modify their systems without telling others) "evil" (in that it can prevent that).

Generally with such technology, although their may be some hiccups along the way, common sense generally prevails in the end. I like Google's use of "optional" trusted computing on Chrome OS - to me the it's the best of both worlds.

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 18:37 UTC (Sun) by nix (subscriber, #2304) [Link]

The C64 was still fun despite its ROMs because you could tell them to get entirely out of the way, and they did. Modern OSes don't do that sort of thing.

Fedora reexamines "trusted boot"

Posted Jun 30, 2011 23:15 UTC (Thu) by paravoid (subscriber, #32869) [Link]

Have a look at Google's Chrome OS laptop that employs trusted boot.

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 9:09 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Well, knee-jerk reactions to TPM are just embarrassing.

First, it's already very much possible to lock down the boot sequence. Just look at all these Motorolla phones with locked bootloaders. It's even possible to do it on x86-based CPUs.

Second, TPM does provide security benefits. For example, I can use it to store keys for full-disk encryption and keys will be released only if boot loader is secure. Argument that viruses are going to use exploitable bugs anyway can just as well be used against EVERYTHING, including Unix access rights and SELinux/AppArmor.

Third, bootloader attacks are very much real. There are worms out there that actively use bootkits.

Fourth, there are good uses even for remote attestation.

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 9:40 UTC (Fri) by nix (subscriber, #2304) [Link]

For example, I can use it to store keys for full-disk encryption and keys will be released only if boot loader is secure.

Yeah, that's great. Now attackers can't pull the disks and put them in something else. Of course, this is really very unlikely. Much more likely is that the machine will eventually fail (as they always do) and then you can't put the disks in something else, and you'll be cursing that you ever went near the TPM in the first place.

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 9:44 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Again, a knee-jerk reaction.

Since it's _me_ who control the disk encryption keys, I can just print them out (put on a thumb drive, etc) and store in my safe deposit box for this occasion.

No-one says that TPM should hold the only copy of encryption keys.

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 13:38 UTC (Fri) by nix (subscriber, #2304) [Link]

I thought the whole point of the TPM was that it held the only copy?

I suppose you could take the keys before feeding them into the TPM and preserve those, but it's amazing how none of the use cases anyone mentions for the TPM ever describe that.

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 13:50 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

You're confusing two issues.

It's certainly possible to use TPM to secure user-provided keys (which is what Windows uses for its BitLocker software, btw). In this mode TPM stores your symmetric encryption keys and only releases them if your boot chain is secure.

It's also possible to use TPM to generate an RSA keypair. In this mode TPM securely stores private key of the generated keypair. It's not possible to extract generated private key, so this mode can be used for remote attestation or for secure signatures.

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 14:16 UTC (Fri) by nix (subscriber, #2304) [Link]

Right. So the former mode is fine -- but as far as I can see doesn't really need more hardware support than a bit of NVRAM. The latter mode, which actually requires crypto and so on, is as far as I can see evil, because it locks keys up in opaque and failure-prone hardware, thus effectively doing a delayed deletion on any data secured by it and a delayed DoS on any access granted by it (because hardware always fails in the end).

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 15:18 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Uhm. Private key mode is not (generally) used to encrypt data, so no worries about data loss.

It's used to make your machine 'uncloneable' and prove it to a remote party. It can be used for DRM (so you can view content only from uncloneable authorized devices) or to make sure that if your server is stolen you can make it unusable for the thief. We actually used TPM for this exact purpose - to make servers with medical data secure against physical theft.

Fedora reexamines "trusted boot"

Posted Jul 2, 2011 10:52 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

BTW, 'a bit of NVRAM' won't work to store encryption keys. Because an attacker can just boot a LiveCD/LiveUSB and read all your keys from NVRAM.

That's where the measurement part of TPM comes handy - TPM won't release keys unless your system is secure.

Fedora reexamines "trusted boot"

Posted Jul 7, 2011 17:34 UTC (Thu) by farnz (guest, #17727) [Link]

I've used the unknown private key mode - the point is to provide me with a way to confirm, beyond all doubt, that the accesses I'm seeing are coming from my trusted hardware, running my trusted OS. Change the OS, or change the hardware, and you need reauthorising with a new key to get on the network; similarly, you can use the hidden private key for encryption of your disk's AES key, which is also stored offline somewhere physically secure. You can thus get the key out again when the TPM fails (and recover your data), it's just hassle typing it in from your laminated printouts. In the meantime, the TPM lets you forget that there is such a key - the hardware knows what it is and ensures you always run a known-good OS.

The evil in TPM is nothing to do with the technical capabilities of the chip - they're fairly innocuous, if tricky to use well; the danger is when the TPM chip is used to store a private key that the user did not ask it to generate; in this situation, the holder of the public key has a path all the way to the machine that bypasses the user's wishes. If the user generates the key and hands the "public" section to the third party, all is well - nothing stops the user lying to the third party and giving them a public key not generated by a TPM.

Fedora reexamines "trusted boot"

Posted Jul 8, 2011 12:44 UTC (Fri) by nix (subscriber, #2304) [Link]

Ah, right. That makes things much clearer.