LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

LSS: Secure Boot

By Jake Edge
September 12, 2012
2012 Kernel Summit

Matthew Garrett gave the opening keynote at the 2012 Linux Security Summit on his new "favorite" topic: UEFI Secure Boot. Up until about a year ago, he was working on power management for the Linux kernel, but at LinuxCon in Vancouver he found out about the requirement that systems shipping with the Windows 8 logo would be required to have Secure Boot enabled. He "ended up drinking quite a lot that week", he said, but things are not quite as bad as he had thought at first. Contrary to his initial fears, users will be able to boot Linux on hardware certified for Windows 8.

UEFI Overview

Garrett began with an overview of UEFI, noting that it is a replacement for the legacy PC BIOS. Its role is to initialize the hardware and to provide services to the bootloader for tasks like discovering hardware. It is the "least relevant 16MB of code you will ever encounter", he said. The code is mostly open and available from Intel under a BSD license. There is also some proprietary, machine-specific code to program memory controllers. The firmware vendors add their own code for "3D UIs"; those vendors also "add bugs of course". There is a surprisingly good compatibility suite and there are regular plugfests to ensure that the UEFI implementations can boot a variety of operating systems.

There are some relevant differences between UEFI and BIOS. To start with, UEFI firmware can read filesystems. The standard only requires VFAT support—and Microsoft grants a patent license for UEFI implementations. The bootloader is now an executable in PE/COFF format like Windows binaries. There is also non-volatile flash storage available where things like the location of the bootloader and parameters to pass to it can be stored.

When a computer is turned on, the firmware runs first, followed by a bootloader, which loads the operating system (OS). Traditionally, malware has targeted the OS, but vendors, particularly Microsoft, have gotten very aggressive at cutting down the OS as a target. Windows 8, for example, will load a virus checker very early on, before even some of the drivers are loaded, Garrett said.

Given that, we are seeing malware move away from the OS. Instead of "rootkits" we are starting to see "bootkits". For BIOS-based systems, the easiest way to install boot-time malware is to replace the master boot record (MBR). Once that's done, the bootloader can no longer be trusted (as the MBR will point to a malicious version), and the bootloader can change the OS when it loads it. The malware can then intercept attempts to verify the MBR by returning a "clean" copy, making it difficult to detect the compromise.

The key thing to note, Garrett said, is that if you are running untrusted code at any level, you can't trust the code at a higher level. UEFI Secure Boot is an attempt to fix the problem of bootkits. A header section is added to bootloaders (or other binaries) to contain signed hashes of the contents. The firmware will only launch binaries with a valid hash signed by a trusted key. It uses the same cryptographic algorithms that are used by Secure Sockets Layer (SSL), so there is no reason to believe that Secure Boot is insecure, other than the fact that it will be implemented by firmware vendors, he said.

Key management

For managing the keys, there are four databases in the firmware's flash. With UEFI, it will no longer be possible to write to that flash directly, instructions from x86 system management mode (SMM) will need to be used instead. The first database, "dbx", will contain keys and hashes that will always be rejected by the firmware. If a binary's hash is in dbx or if the key used to sign that hash is present, the firmware will not run it.

The "db" database contains keys and hashes that will be accepted, but entries in dbx override those in db. After the October launch of Windows 8, standard systems will contain the manufacturer's key and Microsoft's key in db. Vendors will want to enable Secure Boot so that they can access marketing money from Microsoft for promoting the hardware as "Windows 8 compatible". The margins on a laptop are "pennies", Garrett said, so the marketing money makes a big difference.

Being able to blacklist keys is an important part of the design of Secure Boot. Keys that have been used to sign malware or to sign other, non-malicious software that can be exploited can be disabled.

The other two databases are the "kek" (key exchange key), which stores keys that can be used to sign updates to db or dbx, and the "pk" (platform key) which can sign kek updates. Installing a pk causes the transition from "setup mode" to Secure Boot mode. Normally, the pk will be a hardware vendor key, which will be used to sign the update to the kek, which is where the Microsoft key will reside. This protects the vendor from Microsoft losing control of its key, because they could (in some unspecified way) have their customers update the kek using their key. If the private half of the key in the pk leaks, Secure Boot is no longer secure on those systems.

The UEFI specification defines the technical details of Secure Boot, but does not specify any particular policy with regard to how it is used. But Microsoft has specified policies for systems that want to get Windows 8 certification. For those, Secure Boot must be enabled by default, and the Microsoft key must be present. In January, Microsoft added the requirement that a physically present user must be able to disable Secure Boot and install their own keys—but only for x86-based systems, not those that are ARM-based.

An audience member asked if there was "any hope" of that requirement changing for ARM. Right now, Garrett said, ARM systems with Windows 8 certification must not allow disabling Secure Boot or adding user-specified keys. Whether ARM-based system vendors will actually pursue that certification is an open question since the Windows on ARM market "doesn't exist" at this point.

Linux on Secure Boot

To boot Linux on a Secure Boot system, there needs to be a signed bootloader. "Distasteful though it might be", the only sensible way to do that is to get Microsoft to sign it. One can set up an account with Verisign, pay some money, and get access to the Microsoft signing system. From there, you upload a binary, and a get a signed object back a day later. Because of the way headers are added with the signatures, you can still verify that it is your binary, rather than something that has been modified by Microsoft.

Once that signed bootloader has been run, it could do anything. But there are or could be consequences if it does. The signed bootloader stops malware from being inserted between the firmware and the bootloader. But, there is no way for code to determine if it is really running in Secure Boot mode. That is one difference between Secure Boot and Trusted Boot; the latter adds attestations that can prove the running code is what it says it is. In Secure Boot, one can ask the firmware if it is enabled, but there is no way to trust the answer unless the code at each level can be trusted.

In order to be able to extend trust to the higher-levels, those pieces (e.g. kernel, drivers) must be signed as well. But there is more to it than that, whatever signed kernel that runs must not be usable to run unsigned privileged code.

One of the problem areas is kexec(), which allows replacing a running kernel with a new kernel. It is like booting the new kernel, but without going through the hardware initialization (thus Secure Boot) step. But, kexec() could be used to boot Windows instead, which would allow an attacker to create a malicious Windows that boots on Secure Boot hardware. It would use the signed Linux bootloader and kernel, but kexec() into the mal-Windows. If that were to happen, Garrett said, Microsoft would blacklist the bootloader. "Apparently, our management was not enthusiastic" about that possibility, he said.

So, signed kernels require some changes to support Secure Boot. That means doing things like disallowing kexec() and restricting the ability of user space programs to cause hardware devices to perform direct memory access (DMA). The latter mostly affects graphics hardware that does not have support for kernel mode setting (KMS).

In the past, there was this idea of a separation between regular users and root. The idea was to prevent people from elevating their privileges to those of the root user, and protecting the kernel from root was not particularly important. That is no longer the case in the Secure Boot world. Root is no longer trusted, only the physically present user, who may not be the same as root, is trusted.

There are other things that will need to be handled to avoid signed kernels from "attacking" Windows. Garrett said that Kees Cook mentioned hibernation images recently as a vector for attack. When a user resumes from a suspend-to-disk, memory contents are read from disk. A crafted hibernation image could subvert the protections, so unless some other solution is found, hibernation will need to be disabled. That's fine, "because it doesn't really work in Linux anyway", he said.

Plan of attack

The plan is to create a trusted first-stage "shim" bootloader that will be signed with the Microsoft key. Because free software tends to change frequently, and it is desirable to avoid getting things signed all the time, having the shim, which should change infrequently, makes sense. The full bootloader is then signed with a distribution-specific key. Kernels and modules would also be signed with that key, or with a key already in the firmware key databases. If a user wants to sign their own kernels or modules, they can put their own key in the firmware.

Instead of adding keys to the four databases established by UEFI, SUSE came up with a way to add keys from the bootloader (which cannot access the key databases) to a secure location in the firmware. There are UEFI boot services variables that are only available to the boot environment. Using those to store keys will allow the bootloader to update them, when prompted by physically present users. Doing so from the bootloader avoids the problem of having to try to figure out and document how to add keys using the vendor-specific UEFI firmware set up tools. So far, that code does not exist, but SUSE is working on it, he said.

The management of thousands of systems requiring physically present users is "not a solved problem", he said in response to a question. There is the belief that those who are buying many systems will be able to convince vendors to ship their hardware in setup mode (with no keys) or to put custom keys into the firmware.

There are still some outstanding questions, including how to handle third-party module signing (e.g. for NVIDIA drivers). There could be some kind of Linux certificate authority (CA), but no one has stepped up to run such a thing. It would cost "at least millions" to set up and run, plus probably more than a year to get going, so "no one is jumping up and down to do this", he said. There is the possibility that third parties could have their modules signed by Microsoft or there could be some way to have the bootloader prompt for the installation of third party keys. Red Hat and other vendors are not inclined to sign third-party modules because of licensing issues and that it could be seen as an endorsement of binary-only modules.

Early on in the process of sorting out Secure Boot issues, there was concern that GPLv3 (which is the license for the GRUB2 bootloader) would require the signing keys to be disclosed. Garrett said that he and others had worked with the FSF on that problem. The conclusion that was reached is that the signing keys are not required to be disclosed as long as users can install their own keys, which they will be able to do.

In the final analysis, Secure Boot is "much less bad than it could be", Garrett said. It will increase the security of Linux "somewhat", but is mostly for increasing the security of Windows. As long as we are careful not to get our keys blacklisted (by allowing signed kernels to attack Windows), it won't seriously impede Linux in the future.

Comments (92 posted)

Brief items

Security quotes of the week

"Never again." It is as simplistic as it is absurd. It is as vague as it is damaging. No two words have provided so little meaning or context; no catchphrase has so warped policy discussions that it has permanently confused the public's understanding of homeland security. It convinced us that invulnerability was a possibility.

The notion that policies should focus almost exclusively on preventing the next attack has also masked an ideological battle within homeland-security policy circles between "never again" and its antithesis, commonly referred to as "shit happens" but in polite company known as "resiliency." The debate isn't often discussed this way, and not simply because of the bad language. Time has not only eased the pain of that day, but there have also been no significant attacks. "Never again" has so infiltrated public discourse that to even acknowledge a trend away from prevention is considered risky, un-American. Americans don't do "Keep Calm and Carry On." But if they really want security, the kind of security that is sustainable and realistic, then they are going to have to.

-- Juliette Kayyem

The Sept. 11 memorial’s designers hoped the plaza would be “a living part” of the city—integrated into its fabric and usable “on a daily basis.” I thought that sounded nice, so I asked [Bruce] Schneier one last question. Let’s say we dismantled all the security and let the Sept. 11 memorial be a memorial like any other: a place where citizens and travelers could visit spontaneously, on their own contemplative terms, day or night, subject only to capacity limits until the site is complete. What single measure would most guarantee their safety? I was thinking about cameras and a high-tech control center, “flower pot”-style vehicle barriers, maybe even snipers poised on nearby roofs. Schneier’s answer? Seat belts. On the drive to New York, or in your taxi downtown, buckle up, he warned. It’s dangerous out there.
-- Mark Vanhoenacker

The combination of expansive content rights with automated content analysis systems -- unable to really deal appropriately with public domain materials and fair use -- has created a tightening noose that could ultimately squeeze much of the life out of ordinary user-created video content. Even if we stipulate that the current apparent skewing of these systems toward the powerful content giants is the result of practical and technical considerations, rather than any particular policy imperatives, such a viewpoint doesn't help us escape from this rapidly coagulating, stultifying dilemma.
-- Lauren Weinstein

Comments (8 posted)

Tinnes: Introducing Chrome's next-generation Linux sandbox

Julien Tinnes describes the new sandbox mechanism for the Chrome browser under Linux. "In a similar, but very limited, fashion, this is what we have now in Chrome: we stacked the seccomp-bpf sandbox on top of the setuid sandbox. The setuid sandbox gives a few easy to understand semantic properties: no file system access, no process access outside of the sandbox, no network access. It makes it much easier to layer a seccomp-bpf sandbox on top."

Comments (5 posted)

New vulnerabilities

beaker: information disclosure

Package(s):beaker CVE #(s):CVE-2012-3458
Created:September 10, 2012 Updated:September 12, 2012
Description: From the Debian advisory:

It was discovered that Beaker, a cache and session library for Python, when using the python-crypto backend, is vulnerable to information disclosure due to a cryptographic weakness related to the use of the AES cipher in ECB mode.

Systems that have the python-pycryptopp package should not be vulnerable, as this backend is preferred over python-crypto.

Alerts:
Debian DSA-2541-1 2012-09-07

Comments (none posted)

dnsmasq: DNS proxy is wrongly created

Package(s):dnsmasq CVE #(s):CVE-2012-3411
Created:September 12, 2012 Updated:March 11, 2013
Description: David Woodhouse reports:

It seems that your dnsmasq instance is listening on that address, but *not* correctly discarding packets which come from a different interface. Even though the --bind-interface option is set. See the Red Hat bugzilla for more information.

Alerts:
Fedora FEDORA-2012-12598 2012-09-12
Mageia MGASA-2012-0273 2012-09-18
Fedora FEDORA-2012-20531 2013-01-03
Red Hat RHSA-2013:0276-02 2013-02-21
Red Hat RHSA-2013:0277-02 2013-02-21
Oracle ELSA-2013-0277 2013-02-25
Oracle ELSA-2013-0276 2013-02-28
Scientific Linux SL-dnsm-20130228 2013-02-28
Scientific Linux SL-libv-20130228 2013-02-28
CentOS CESA-2013:0277 2013-03-09
CentOS CESA-2013:0276 2013-03-09
Mandriva MDVSA-2013:072 2013-04-08

Comments (none posted)

freeradius: code execution

Package(s):freeradius CVE #(s):CVE-2012-3547
Created:September 12, 2012 Updated:January 14, 2013
Description: From the Debian advisory:

Timo Warns discovered that the EAP-TLS handling of freeradius, a high-performance and highly configurable RADIUS server, is not properly performing length checks on user-supplied input before copying to a local stack buffer. As a result, an unauthenticated attacker can exploit this flaw to crash the daemon or execute arbitrary code via crafted certificates.

Alerts:
Debian DSA-2546-1 2012-09-11
openSUSE openSUSE-SU-2012:1200-1 2012-09-18
Ubuntu USN-1585-1 2012-09-26
Red Hat RHSA-2012:1326-01 2012-10-02
Red Hat RHSA-2012:1327-01 2012-10-02
Scientific Linux SL-free-20121003 2012-10-03
Oracle ELSA-2012-1326 2012-10-02
CentOS CESA-2012:1327 2012-10-03
CentOS CESA-2012:1326 2012-10-03
Mandriva MDVSA-2012:159 2012-10-03
Scientific Linux SL-free-20121003 2012-10-03
Oracle ELSA-2012-1327 2012-10-03
Fedora FEDORA-2012-15743 2012-10-18
Fedora FEDORA-2012-15397 2012-10-23
Mageia MGASA-2012-0304 2012-10-29
Oracle ELSA-2013-0134 2013-01-12
Mandriva MDVSA-2013:038 2013-04-05

Comments (none posted)

ghostscript: code execution

Package(s):ghostscript CVE #(s):CVE-2012-4405
Created:September 12, 2012 Updated:April 10, 2013
Description: From the Red Hat advisory:

An integer overflow flaw, leading to a heap-based buffer overflow, was found in Ghostscript's International Color Consortium Format library (icclib). An attacker could create a specially-crafted PostScript or PDF file with embedded images that would cause Ghostscript to crash or, potentially, execute arbitrary code with the privileges of the user running Ghostscript.

Alerts:
Red Hat RHSA-2012:1256-01 2012-09-11
CentOS CESA-2012:1256 2012-09-11
CentOS CESA-2012:1256 2012-09-11
Scientific Linux SL-ghos-20120911 2012-09-11
Oracle ELSA-2012-1256 2012-09-11
Oracle ELSA-2012-1256 2012-09-11
Mandriva MDVSA-2012:151 2012-09-12
SUSE SUSE-SU-2012:1222-1 2012-09-19
Ubuntu USN-1581-1 2012-09-24
Fedora FEDORA-2012-13846 2012-09-28
Fedora FEDORA-2012-13839 2012-09-28
openSUSE openSUSE-SU-2012:1289-1 2012-10-04
openSUSE openSUSE-SU-2012:1290-1 2012-10-04
Mandriva MDVSA-2012:151-1 2012-10-05
Mageia MGASA-2012-0301 2012-10-20
Debian DSA-2595-1 2012-12-30
Mandriva MDVSA-2013:089 2013-04-09
Mandriva MDVSA-2013:090 2013-04-09

Comments (none posted)

GraphicsMagick: denial of service

Package(s):GraphicsMagick CVE #(s):CVE-2012-3438
Created:September 7, 2012 Updated:March 26, 2013
Description:

From the Red Hat advisory:

"As this function stands, it invisibly does the wrong thing for any request over 4GB. On big-endian architectures it very possibly will do the wrong thing even for requests less than that. So the reason why the hard-wired 4GB limit prevents a core dump is that it masks the ABI mismatch here."

So basically we have memory allocations problems that can probably lead to a denial of service.

Alerts:
Fedora FEDORA-2012-12366 2012-09-07
Fedora FEDORA-2012-12352 2012-09-07
Mageia MGASA-2012-0267 2012-09-13
Mandriva MDVSA-2012:165 2012-10-12
openSUSE openSUSE-SU-2013:0536-1 2013-03-26

Comments (none posted)

mahara: cross-site scripting

Package(s):mahara CVE #(s):CVE-2012-2237
Created:September 10, 2012 Updated:September 12, 2012
Description: From the Debian advisory:

Emanuel Bronshtein discovered that Mahara, an electronic portfolio, weblog, and resume builder, contains multiple cross-site scripting vulnerabilities due to missing sanitization and insufficient encoding of user-supplied data.

Alerts:
Debian DSA-2540-1 2012-09-07

Comments (none posted)

pnp4nagios: information disclosure

Package(s):pnp4nagios CVE #(s):CVE-2012-3457
Created:September 12, 2012 Updated:September 12, 2012
Description: From the CVE entry:

PNP4Nagios 0.6 through 0.6.16 uses world-readable permissions for process_perfdata.cfg, which allows local users to obtain the Gearman shared secret by reading the file.

Alerts:
Fedora FEDORA-2012-13244 2012-09-12

Comments (none posted)

rpmdevtools: symlink attack

Package(s):rpmdevtools CVE #(s):CVE-2012-3500
Created:September 12, 2012 Updated:April 10, 2013
Description: From the Red Hat bugzilla:

A TOCTOU race condition was found in the way 'annotate-output' (used to execute a program annotating the output linewise with time and stream) tool of rpmdevtools, a suite of scripts and (X)Emacs support files to aid in development of RPM packages, performed management of its temporary files used for standard output and standard error output. A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability in an unauthorized way to alter files belonging to the user running the 'annotate-output' tool.

Alerts:
Fedora FEDORA-2012-13234 2012-09-12
Fedora FEDORA-2012-13263 2012-09-12
Debian DSA-2549-1 2012-09-15
Ubuntu USN-1593-1 2012-10-02
Mageia MGASA-2012-0316 2012-10-29
openSUSE openSUSE-SU-2012:1437-1 2012-11-05
Mandriva MDVSA-2013:123 2013-04-10

Comments (none posted)

trousers: denial of service

Package(s):trousers CVE #(s):CVE-2012-0698
Created:September 7, 2012 Updated:November 23, 2012
Description:

From the Red Hat advisory:

This update closes a small security issue where a remote user could crash tscd if it were enabled for networking. This update also has improved init scripts which should make it load quicker.

Alerts:
Fedora FEDORA-2012-12973 2012-09-07
Debian DSA-2576-1 2012-11-23

Comments (none posted)

ubiquity-slideshow-ubuntu: code injection

Package(s):ubiquity-slideshow-ubuntu CVE #(s):CVE-2012-0956
Created:September 10, 2012 Updated:September 12, 2012
Description: From the Ubuntu advisory:

Paul Mutton discovered that ubiquity-slideshow-ubuntu incorrectly handled the Twitter feed displayed during system installation. A remote attacker could use this flaw to inject code into the Twitter feed and read arbitrary files off the filesystem during system installation. This flaw has been resolved in the Ubuntu 12.04.1 LTS installation images by disabling the Twitter feed.

Alerts:
Ubuntu USN-1561-1 2012-09-10

Comments (none posted)

Xen: multiple vulnerabilities

Package(s):Xen CVE #(s):CVE-2012-3494 CVE-2012-3495 CVE-2012-3496 CVE-2012-3498 CVE-2012-3516
Created:September 7, 2012 Updated:September 18, 2012
Description:

From the SUSE advisory:

A malicious guest could cause a crash on the host which leads to a Denial of Service (CVE-2012-3494).

A memory corruption related to PHYSDEVOP_get_free_pirq function could lead to a Denial of Service of the host or potentially to execution of arbitrary code (CVE-2012-3495).

A BUG can be triggered via calling functions with invalid flags which causes a Denial of Service (host crash) (CVE-2012-3496).

A malicious guest kernel could crash the host or potentially read hypervisor or guest memory (CVE-2012-3498).

Unspecified vulnerability (CVE-2012-3516).

Alerts:
SUSE SUSE-SU-2012:1133-1 2012-09-07
Debian DSA-2544-1 2012-09-08
SUSE SUSE-SU-2012:1135-1 2012-09-07
openSUSE openSUSE-SU-2012:1174-1 2012-09-14
openSUSE openSUSE-SU-2012:1172-1 2012-09-14
SUSE SUSE-SU-2012:1162-1 2012-09-13
Fedora FEDORA-2012-13443 2012-09-17
openSUSE openSUSE-SU-2012:1572-1 2012-11-26
openSUSE openSUSE-SU-2012:1573-1 2012-11-26

Comments (none posted)

xen-qemu: privilege escalation

Package(s):xen-qemu-dm-4.0 CVE #(s):CVE-2012-4411
Created:September 10, 2012 Updated:November 20, 2012
Description: From the Debian advisory:

The qemu monitor was enabled by default, allowing administrators of a guest to access resources of the host, possibly escalate privileges or access resources belonging to another guest.

Alerts:
Debian DSA-2543-1 2012-09-08
Fedora FEDORA-2012-13434 2012-09-17
Fedora FEDORA-2012-13443 2012-09-17
SUSE SUSE-SU-2012:1486-1 2012-11-16
SUSE SUSE-SU-2012:1487-1 2012-11-16
SUSE SUSE-SU-2012:1503-1 2012-11-19
openSUSE openSUSE-SU-2012:1572-1 2012-11-26
openSUSE openSUSE-SU-2012:1573-1 2012-11-26

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds