LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Fedora reexamines "trusted boot"

Fedora reexamines "trusted boot"

Posted Jun 30, 2011 16:46 UTC (Thu) by alonz (subscriber, #815)
In reply to: Fedora reexamines "trusted boot" by gmaxwell
Parent article: Fedora reexamines "trusted boot"

You're touching on the most important point here:

trusted boot is not really about security anymore.

Trusted boot has been proven totally ineffective as a security measure, time and time again. It only remaining business case is to enforce lock-in. But many people still believe the old hype about trusted boot as “the security technology that will rid us of those pesky rootkits”, and serve as unknowing shills for the commercial interests behind the technology.

Even the name of the technology hints at its shortcomings: trusted—by whom? boot—not a trusted system, but only the boot process is trusted.

(Full disclosure: I design security products, and my company even sells “trusted boot” solutions.)

(Log in to post comments)

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 14:32 UTC (Fri) by geofft (subscriber, #59789) [Link]

I'd like to know more about why you say it's ineffective as a security measure?

I'm thinking (only thinking, no real plans) about deploying it in a large academic environment, where we're able to take kernel updates all the time and in fact have auto-updates, and the local machines are also stateless so we can reinstall them at any time. Trusted boot would let us know whether or not the system was booted normally or e.g. from a CD or in single-user mode, and whether the disk had been tampered with since last time it was trusted-booted. We're fine assuming that we take updates often enough to avoid rootkits (and in fact we have no network login on these machines), and that in case we suspect something we just want to trigger a remote reinstall.

Will trusted boot and remote attestation not work here?

Note that we have no desire to prevent people from rebooting terminals into a live CD. We just want them not to mess with the hard disk when doing so, and we want to know if they _left_ it booted into a live CD.

Fedora reexamines "trusted boot"

Posted Jul 1, 2011 15:01 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

There have been various flaws in Intel chipsets that allow attacks, the most entertaining being an exploit in the BIOS flasher code that would allow you to flash unsigned BIOS images and replace the sinit. I don't believe there are any <em>known</em> flaws in current systems, but http://theinvisiblethings.blogspot.com/search/label/trust... discusses some of the ones that have been found.

So I don't think there's any direct evidence that it's ineffective, merely that history suggests that anything that's never been seriously attacked and which has a track record of holes tends to have more holes that haven't been found yet...

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 12:04 UTC (Sun) by alonz (subscriber, #815) [Link]

OK, I'll qualify my statements above a bit:
Trusted Boot has been shown to be ineffective as a general security measure for open environments.

If your system is managed centrally, and does not permit execution of locally-introduced code, you're likely OK. Also, if the only purpose of your trusted boot solution is access control to centrally-managed systems, your risk is at least controllable.

The issue with trusted boot is that it's often presented as a “magic bullet”—e.g., claiming that trusted boot (from a local disk!) is an effective countermeasure against rootkits.

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 10:57 UTC (Sun) by brendan_wright (subscriber, #7376) [Link]

> Trusted boot has been proven totally ineffective as a security measure, time and time again.

So are you saying that most systems that have fully deployed trusted boot have been and/or can be made to incorrectly attest themselves as secure when they were actually booting compromised code? If so I'm interested to know how, when and why.

If not, in what way has it failed? I get the impression it's seldom fully implemented outside of DoD & Chrome OS and maybe a few others...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds