LSS: Secure Boot
Matthew Garrett gave the opening keynote at the 2012 Linux Security Summit on his new "favorite" topic: UEFI Secure Boot. Up until about a year ago, he was working on power management for the Linux kernel, but at LinuxCon in Vancouver he found out about the requirement that systems shipping with the Windows 8 logo would be required to have Secure Boot enabled. He "ended up drinking quite a lot that week", he said, but things are not quite as bad as he had thought at first. Contrary to his initial fears, users will be able to boot Linux on hardware certified for Windows 8.
UEFI Overview
Garrett began with an overview of UEFI, noting that it is a replacement for the legacy PC BIOS. Its role is to initialize the hardware and to provide services to the bootloader for tasks like discovering hardware. It is the "least relevant 16MB of code you will ever encounter", he said. The code is mostly open and available from Intel under a BSD license. There is also some proprietary, machine-specific code to program memory controllers. The firmware vendors add their own code for "3D UIs"; those vendors also "add bugs of course". There is a surprisingly good compatibility suite and there are regular plugfests to ensure that the UEFI implementations can boot a variety of operating systems.
There are some relevant differences between UEFI and BIOS. To start with, UEFI firmware can read filesystems. The standard only requires VFAT support—and Microsoft grants a patent license for UEFI implementations. The bootloader is now an executable in PE/COFF format like Windows binaries. There is also non-volatile flash storage available where things like the location of the bootloader and parameters to pass to it can be stored.
When a computer is turned on, the firmware runs first, followed by a bootloader, which loads the operating system (OS). Traditionally, malware has targeted the OS, but vendors, particularly Microsoft, have gotten very aggressive at cutting down the OS as a target. Windows 8, for example, will load a virus checker very early on, before even some of the drivers are loaded, Garrett said.
Given that, we are seeing malware move away from the OS. Instead of "rootkits" we are starting to see "bootkits". For BIOS-based systems, the easiest way to install boot-time malware is to replace the master boot record (MBR). Once that's done, the bootloader can no longer be trusted (as the MBR will point to a malicious version), and the bootloader can change the OS when it loads it. The malware can then intercept attempts to verify the MBR by returning a "clean" copy, making it difficult to detect the compromise.
The key thing to note, Garrett said, is that if you are running untrusted code at any level, you can't trust the code at a higher level. UEFI Secure Boot is an attempt to fix the problem of bootkits. A header section is added to bootloaders (or other binaries) to contain signed hashes of the contents. The firmware will only launch binaries with a valid hash signed by a trusted key. It uses the same cryptographic algorithms that are used by Secure Sockets Layer (SSL), so there is no reason to believe that Secure Boot is insecure, other than the fact that it will be implemented by firmware vendors, he said.
Key management
For managing the keys, there are four databases in the firmware's flash. With UEFI, it will no longer be possible to write to that flash directly, instructions from x86 system management mode (SMM) will need to be used instead. The first database, "dbx", will contain keys and hashes that will always be rejected by the firmware. If a binary's hash is in dbx or if the key used to sign that hash is present, the firmware will not run it.
The "db" database contains keys and hashes that will be accepted, but entries in dbx override those in db. After the October launch of Windows 8, standard systems will contain the manufacturer's key and Microsoft's key in db. Vendors will want to enable Secure Boot so that they can access marketing money from Microsoft for promoting the hardware as "Windows 8 compatible". The margins on a laptop are "pennies", Garrett said, so the marketing money makes a big difference.
Being able to blacklist keys is an important part of the design of Secure Boot. Keys that have been used to sign malware or to sign other, non-malicious software that can be exploited can be disabled.
The other two databases are the "kek" (key exchange key), which stores keys that can be used to sign updates to db or dbx, and the "pk" (platform key) which can sign kek updates. Installing a pk causes the transition from "setup mode" to Secure Boot mode. Normally, the pk will be a hardware vendor key, which will be used to sign the update to the kek, which is where the Microsoft key will reside. This protects the vendor from Microsoft losing control of its key, because they could (in some unspecified way) have their customers update the kek using their key. If the private half of the key in the pk leaks, Secure Boot is no longer secure on those systems.
The UEFI specification defines the technical details of Secure Boot, but does not specify any particular policy with regard to how it is used. But Microsoft has specified policies for systems that want to get Windows 8 certification. For those, Secure Boot must be enabled by default, and the Microsoft key must be present. In January, Microsoft added the requirement that a physically present user must be able to disable Secure Boot and install their own keys—but only for x86-based systems, not those that are ARM-based.
An audience member asked if there was "any hope" of that requirement changing for ARM. Right now, Garrett said, ARM systems with Windows 8 certification must not allow disabling Secure Boot or adding user-specified keys. Whether ARM-based system vendors will actually pursue that certification is an open question since the Windows on ARM market "doesn't exist" at this point.
Linux on Secure Boot
To boot Linux on a Secure Boot system, there needs to be a signed bootloader. "Distasteful though it might be", the only sensible way to do that is to get Microsoft to sign it. One can set up an account with Verisign, pay some money, and get access to the Microsoft signing system. From there, you upload a binary, and a get a signed object back a day later. Because of the way headers are added with the signatures, you can still verify that it is your binary, rather than something that has been modified by Microsoft.
Once that signed bootloader has been run, it could do anything. But there are or could be consequences if it does. The signed bootloader stops malware from being inserted between the firmware and the bootloader. But, there is no way for code to determine if it is really running in Secure Boot mode. That is one difference between Secure Boot and Trusted Boot; the latter adds attestations that can prove the running code is what it says it is. In Secure Boot, one can ask the firmware if it is enabled, but there is no way to trust the answer unless the code at each level can be trusted.
In order to be able to extend trust to the higher-levels, those pieces (e.g. kernel, drivers) must be signed as well. But there is more to it than that, whatever signed kernel that runs must not be usable to run unsigned privileged code.
One of the problem areas is kexec(), which allows replacing a running kernel with a new kernel. It is like booting the new kernel, but without going through the hardware initialization (thus Secure Boot) step. But, kexec() could be used to boot Windows instead, which would allow an attacker to create a malicious Windows that boots on Secure Boot hardware. It would use the signed Linux bootloader and kernel, but kexec() into the mal-Windows. If that were to happen, Garrett said, Microsoft would blacklist the bootloader. "Apparently, our management was not enthusiastic" about that possibility, he said.
So, signed kernels require some changes to support Secure Boot. That means doing things like disallowing kexec() and restricting the ability of user space programs to cause hardware devices to perform direct memory access (DMA). The latter mostly affects graphics hardware that does not have support for kernel mode setting (KMS).
In the past, there was this idea of a separation between regular users and root. The idea was to prevent people from elevating their privileges to those of the root user, and protecting the kernel from root was not particularly important. That is no longer the case in the Secure Boot world. Root is no longer trusted, only the physically present user, who may not be the same as root, is trusted.
There are other things that will need to be handled to avoid signed kernels from "attacking" Windows. Garrett said that Kees Cook mentioned hibernation images recently as a vector for attack. When a user resumes from a suspend-to-disk, memory contents are read from disk. A crafted hibernation image could subvert the protections, so unless some other solution is found, hibernation will need to be disabled. That's fine, "because it doesn't really work in Linux anyway", he said.
Plan of attack
The plan is to create a trusted first-stage "shim" bootloader that will be signed with the Microsoft key. Because free software tends to change frequently, and it is desirable to avoid getting things signed all the time, having the shim, which should change infrequently, makes sense. The full bootloader is then signed with a distribution-specific key. Kernels and modules would also be signed with that key, or with a key already in the firmware key databases. If a user wants to sign their own kernels or modules, they can put their own key in the firmware.
Instead of adding keys to the four databases established by UEFI, SUSE came up with a way to add keys from the bootloader (which cannot access the key databases) to a secure location in the firmware. There are UEFI boot services variables that are only available to the boot environment. Using those to store keys will allow the bootloader to update them, when prompted by physically present users. Doing so from the bootloader avoids the problem of having to try to figure out and document how to add keys using the vendor-specific UEFI firmware set up tools. So far, that code does not exist, but SUSE is working on it, he said.
The management of thousands of systems requiring physically present users is "not a solved problem", he said in response to a question. There is the belief that those who are buying many systems will be able to convince vendors to ship their hardware in setup mode (with no keys) or to put custom keys into the firmware.
There are still some outstanding questions, including how to handle third-party module signing (e.g. for NVIDIA drivers). There could be some kind of Linux certificate authority (CA), but no one has stepped up to run such a thing. It would cost "at least millions" to set up and run, plus probably more than a year to get going, so "no one is jumping up and down to do this", he said. There is the possibility that third parties could have their modules signed by Microsoft or there could be some way to have the bootloader prompt for the installation of third party keys. Red Hat and other vendors are not inclined to sign third-party modules because of licensing issues and that it could be seen as an endorsement of binary-only modules.
Early on in the process of sorting out Secure Boot issues, there was concern that GPLv3 (which is the license for the GRUB2 bootloader) would require the signing keys to be disclosed. Garrett said that he and others had worked with the FSF on that problem. The conclusion that was reached is that the signing keys are not required to be disclosed as long as users can install their own keys, which they will be able to do.
In the final analysis, Secure Boot is "much less bad than it could be", Garrett said. It will increase the security of Linux "somewhat", but is mostly for increasing the security of Windows. As long as we are careful not to get our keys blacklisted (by allowing signed kernels to attack Windows), it won't seriously impede Linux in the future.
| Index entries for this article | |
|---|---|
| Security | Secure boot |
| Conference | Linux Security Summit/2012 |
Posted Sep 13, 2012 1:31 UTC (Thu)
by JoeBuck (subscriber, #2330)
[Link] (20 responses)
Why can't hibernation sign the memory dump and verify it on restart?
Posted Sep 13, 2012 1:46 UTC (Thu)
by corbet (editor, #1)
[Link] (18 responses)
Posted Sep 13, 2012 2:27 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (15 responses)
Posted Sep 13, 2012 4:22 UTC (Thu)
by alonz (subscriber, #815)
[Link]
Posted Sep 13, 2012 12:10 UTC (Thu)
by PaXTeam (guest, #24616)
[Link] (13 responses)
and at this point you're going to provide us with proof that the kernel has no information leaking vulnerabilities, right? ;)
Posted Sep 13, 2012 16:53 UTC (Thu)
by hummassa (subscriber, #307)
[Link]
Posted Sep 13, 2012 18:46 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
Posted Sep 13, 2012 19:32 UTC (Thu)
by PaXTeam (guest, #24616)
[Link]
Posted Sep 13, 2012 20:56 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link] (9 responses)
1) Shim or grub generates keypair and passes the private key to kernel. The public key is saved in a boot services variable, preventing it being read by the running OS.
Since the key is specific to the combination of the machine and the boot, an attacker shouldn't be able to deploy a pre-packaged attack. Am I missing something?
Posted Sep 14, 2012 15:51 UTC (Fri)
by hummassa (subscriber, #307)
[Link] (8 responses)
The fact that the new private key is in memory and the malware can use it to craft and then sign the restore image, that will be restored normally. Damn, the malware can bypass this altogether and generate the pair on the fly, sign the image, and store the public key in the appropriate place.
Posted Sep 14, 2012 16:12 UTC (Fri)
by mjg59 (subscriber, #23239)
[Link] (7 responses)
No it can't - you can't set boot services variables from within the OS.
Posted Sep 14, 2012 16:51 UTC (Fri)
by hummassa (subscriber, #307)
[Link] (6 responses)
Posted Sep 14, 2012 17:08 UTC (Fri)
by mjg59 (subscriber, #23239)
[Link]
Posted Sep 14, 2012 17:19 UTC (Fri)
by raven667 (subscriber, #5198)
[Link] (4 responses)
Even in the case where there is malware running on a system you should still be able to perform a clean boot with verification up to the point where your trust chain stops. Then the problem is post-boot (re)compromise and you can use many tools to combat that, if you can get them into your trusted base.
Posted Sep 14, 2012 19:48 UTC (Fri)
by hummassa (subscriber, #307)
[Link] (3 responses)
No, because crafting a special restore-image/swapfile and forcing a reboot you can, for instance, boot a whole another OS altogether, totally bypassing the "secure" boot nonsense.
> Even in the case where there is malware running on a system you should still be able to perform a clean boot with verification up to the point where your trust chain stops. Then the problem is post-boot (re)compromise and you can use many tools to combat that, if you can get them into your trusted base.
No, because at that point the "phantom" OS can just behave like the "original" OS with a rootkit, rendering symptoms of infection invisible to the original OS.
Suppose the machine is running Windows8, ok? The malware prepares an image that will run some OS that will run Windows8 in an emulated, censored environment that can make a lot of bad things, invisibly to W8. Everytime W8 tries to reboot, it goes thru the hoops again and boots instead the other OS.
Posted Sep 14, 2012 20:59 UTC (Fri)
by raven667 (subscriber, #5198)
[Link]
- Hibernate images are outside the trust boundary because they contain arbitrary code
I don't think Secure Boot attempts or claims to solve the problems of running arbitrary code it only allows you to build a beachhead, ideally an execution chain all the way until user space starts that can't be modified without throwing alarms. That means that re-compromise of a system needs to happen via the normal startup sequence and tools started before the malware can run can potentially block the malware. Once the malware runs it's Blue Pill all the way, you can't trust anything on the system after that.
Posted Sep 14, 2012 22:56 UTC (Fri)
by mjg59 (subscriber, #23239)
[Link] (1 responses)
Yes, and if you can get private information out of the kernel then you can probably also get private information *into* the kernel, and then you can just make the kernel execute your other OS without doing anything with hibernation.
Posted Sep 15, 2012 2:03 UTC (Sat)
by raven667 (subscriber, #5198)
[Link]
Posted Sep 13, 2012 10:09 UTC (Thu)
by etienne (guest, #25256)
[Link] (1 responses)
Posted Sep 13, 2012 13:27 UTC (Thu)
by pjones (subscriber, #31722)
[Link]
There's nothing with our Secure Boot implementation that prevents this from working exactly as it does now on UEFI systems.
Posted Sep 13, 2012 15:34 UTC (Thu)
by cortana (subscriber, #24596)
[Link]
Posted Sep 13, 2012 6:02 UTC (Thu)
by kugel (subscriber, #70540)
[Link] (1 responses)
So we do depend on Microsoft, don't we?
Posted Sep 13, 2012 7:31 UTC (Thu)
by skitching (guest, #36856)
[Link]
However those users aren't likely to want to use kexec anyway. For them to lose hibernation might be somewhat more disappointing..if it worked.
And of course such people are typically going to have someone else install Linux for them - so secure boot can be turned off by the person doing the install.
Posted Sep 13, 2012 7:38 UTC (Thu)
by skitching (guest, #36856)
[Link] (9 responses)
And how will this affect WUBI, where the Microsoft bootloader is used to boot into Linux? That approach is specifically targeted at non-technical Windows users, ie those least likely to disable secure boot in the firmware.
What are the implications if secure boot is disabled in the firmware, then Windows is booted? Will windows refuse to run (or some programs, eg Microsoft's Genuine Windows validation checks)? If so, can a custom bootloader be used to "lie" to windows about secure-boot being enabled when it actually is not?
Posted Sep 13, 2012 13:29 UTC (Thu)
by pjones (subscriber, #31722)
[Link] (8 responses)
Posted Sep 13, 2012 14:44 UTC (Thu)
by robertm (subscriber, #20200)
[Link] (7 responses)
Posted Sep 13, 2012 17:48 UTC (Thu)
by pjones (subscriber, #31722)
[Link] (3 responses)
Posted Sep 13, 2012 18:23 UTC (Thu)
by hummassa (subscriber, #307)
[Link] (2 responses)
IOW: NOTHING will, in the end, impede malware to install bootkits/jailbreaks. :-D
This way, people are doing all this work to appease Microsoft, under risk of making people think that Secure Boot (TM) is actually secure, which will after all DIMINISH the security status of potential-botnet-drones around the world. Ah, let's not forget the privacy/liberty implications. Hmm...
Posted Sep 13, 2012 19:04 UTC (Thu)
by pjones (subscriber, #31722)
[Link] (1 responses)
Posted Sep 13, 2012 23:51 UTC (Thu)
by hummassa (subscriber, #307)
[Link]
You know, you kind of proved my point. There is NO added security, because you can always find another vulnerability in the kernel, and use that to escalate past the bootloader (like creating crafted restore-from-hibernation images) and people will act under the illusion that their systems have "added security" when they aren't, which, as I mentioned, diminishes the overall security. For instance, the crafted restore image could allow running unsigned or signed-by-the-malware-author executables or substitute key libraries.
And again, that is my point: "Secure Boot" == "fake security", which is far worse than "no security".
And worse yet: "Secure Boot" == "you are running a signed O.S. (with Defective by Design implications and I Can Phone Home and invade your privacy implications)" OR "you are running a signed (bla bla) but COMPROMISED by malware O.S."...
Posted Sep 14, 2012 12:05 UTC (Fri)
by jeroen (guest, #12372)
[Link] (2 responses)
Posted Sep 14, 2012 14:49 UTC (Fri)
by BenHutchings (subscriber, #37955)
[Link] (1 responses)
Posted Sep 14, 2012 20:50 UTC (Fri)
by idupree (guest, #71169)
[Link]
Posted Sep 13, 2012 9:41 UTC (Thu)
by micka (subscriber, #38720)
[Link] (4 responses)
Another question : if you install your own kek, don't you need to also sign your windows kernel (for example in case of a dual-boot system) ?
And in case of a dual-boot, what happens for example if an update triggered by an OS (in case the first answer is affirmative) blacklists the second one ? How do i upgrade the second one ?
Oww, questions keep piling : What happens if a kek is broken or leaked ? Or a pk ?
Are firmware writer "trusted" to write bug-free firmwares ?
Posted Sep 13, 2012 13:36 UTC (Thu)
by pjones (subscriber, #31722)
[Link] (3 responses)
It's stored in a variable, and there's an "append only" update to it. The arguments to the /call/ to update it must be signed by a key that's in KEK, which will typically include the platform vendor and MS. So basically we get updates from the CA and apply them.
Of course as a user you can completely disable that if you want, and this is still more of "the plan" than "the implementation" at this point.
> Oww, questions keep piling : What happens if a kek is broken or leaked ? Or a pk ?
Then your vendor ships a firmware update (which is signed by a different PK pair) that removes that key from PK/KEK and adds a new one in. If you're very lucky they don't trash everything else that's there.
> Are firmware writer "trusted" to write bug-free firmwares ?
We certainly expect a time period after the Windows 8 launch in which some exploits are found, but if vendors act responsibly it should taper off as bugs are fixed in individual firmwares and the reference implementation from which they are derived. That's already begun happening, actually.
Posted Oct 5, 2012 10:29 UTC (Fri)
by oak (guest, #2786)
[Link] (2 responses)
Posted Oct 5, 2012 13:59 UTC (Fri)
by mjg59 (subscriber, #23239)
[Link]
Posted Oct 5, 2012 15:28 UTC (Fri)
by raven667 (subscriber, #5198)
[Link]
Posted Sep 13, 2012 17:11 UTC (Thu)
by linuxjacques (subscriber, #45768)
[Link] (3 responses)
This feature doesn't work (in all cases), so it's OK to remove it.
Beautiful logic.
Posted Sep 13, 2012 21:04 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link] (2 responses)
Posted Sep 14, 2012 10:17 UTC (Fri)
by willnewton (guest, #68395)
[Link]
The key words in that sentence are "Intel graphics". Hibernation works perfectly well for me and seems a valuable feature.
Posted Sep 16, 2012 15:42 UTC (Sun)
by mathstuf (subscriber, #69389)
[Link]
Posted Sep 13, 2012 19:10 UTC (Thu)
by iabervon (subscriber, #722)
[Link] (4 responses)
Posted Sep 13, 2012 19:58 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link] (3 responses)
Posted Sep 13, 2012 21:00 UTC (Thu)
by iabervon (subscriber, #722)
[Link] (2 responses)
Posted Sep 13, 2012 21:06 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link] (1 responses)
Posted Sep 16, 2012 15:45 UTC (Sun)
by mathstuf (subscriber, #69389)
[Link]
<pedantic>…via that argument.</pedantic> ;)
Posted Sep 13, 2012 21:23 UTC (Thu)
by nikarul (subscriber, #4462)
[Link] (11 responses)
tl;dr: Apparently some malware authors are targetting PC production lines, casting a shadow on the effectiveness of SecureBoot.
Posted Sep 13, 2012 22:04 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link] (10 responses)
Posted Sep 13, 2012 23:15 UTC (Thu)
by nikarul (subscriber, #4462)
[Link] (1 responses)
So at the end of the day, it may help deter attacks, but it remains to be seen whether its worth the extra hassle.
Posted Sep 14, 2012 0:04 UTC (Fri)
by hummassa (subscriber, #307)
[Link]
The problem isn't even the "extra hassle".
It's the possibility of privacy-invading measures PLUS the false sense of security this will put on users.
Posted Sep 14, 2012 0:01 UTC (Fri)
by hummassa (subscriber, #307)
[Link] (7 responses)
Repeating myself -> "Secure Boot" == "fake security", much worse than no security at all.
The only thing that will come certainly from Secure Boot is invasions of privacy and consumer rights violations in form of DRM.
Posted Sep 14, 2012 0:14 UTC (Fri)
by mjg59 (subscriber, #23239)
[Link] (6 responses)
Posted Sep 14, 2012 11:14 UTC (Fri)
by hummassa (subscriber, #307)
[Link] (5 responses)
Yea, what people implementing "Secure" Boot &c seem to be especially worried about is to enable exactly the opposite to what Corbet described in this week's LWN first article:
> It is time to pay more attention to the copyright maximalist agenda and push back. Fair use rights must be asserted where they exist and created where they don't. The business concerns of the entertainment industry should not drive the design of our systems, our networks, and our international agreements.
...
> the system we use to ensure the freedom of our software can also take away our freedom on other fronts if we do not pay attention. A world where our right to express ourselves is moderated by somebody else's software — usually very proprietary software — is not what we have been working for.
Enough said.
Boot signing -- "secure" boot -- has a deep flaw: that (practically) all software is exploitable to do something it was not meant to do, and that it will be exploited by people with enough to gain by it.
Posted Sep 14, 2012 13:07 UTC (Fri)
by corbet (editor, #1)
[Link] (4 responses)
Posted Sep 15, 2012 22:57 UTC (Sat)
by CChittleborough (subscriber, #60775)
[Link]
(Notice that secure boot is an attempt to solve a real problem, not some dastardly plot by mustache-twirling villains, and has real advantages as well as real disadvantages.)
Changing topic: let's all try to avoid making Matthew Garrett's life any harder. Let's all be grateful he's working on this stuff, because we need his work.
Posted Sep 22, 2012 23:15 UTC (Sat)
by ballombe (subscriber, #9523)
[Link] (2 responses)
Posted Sep 23, 2012 12:05 UTC (Sun)
by raven667 (subscriber, #5198)
[Link]
Posted Sep 23, 2012 14:16 UTC (Sun)
by mjg59 (subscriber, #23239)
[Link]
Posted Sep 14, 2012 13:07 UTC (Fri)
by kugel (subscriber, #70540)
[Link] (3 responses)
Don't you need physical access to the machine to subvert the hibernation file? After all, the machine must be off so no running computer program on the hibernated machine can do it.
And the physical present user is trusted (and a physically present attacker can simply turn off secure boot), so to my understanding hibernate shouldn't be affected by secure boot.
Also: I'm fairly sure Windows will still have hibernate. If that's true then Microsoft would seem to agree with me thinking it's not an issue.
Posted Sep 14, 2012 14:04 UTC (Fri)
by hummassa (subscriber, #307)
[Link] (2 responses)
No, a piece of malware can create a subverted hibernation file and force-reboot the machine.
Posted Sep 15, 2012 8:15 UTC (Sat)
by kugel (subscriber, #70540)
[Link] (1 responses)
Posted Sep 15, 2012 9:59 UTC (Sat)
by khim (subscriber, #9252)
[Link]
Posted Sep 21, 2012 4:11 UTC (Fri)
by cyanit (guest, #86671)
[Link] (28 responses)
As far as I can tell, you can just run Windows in a fullscreen qemu instance with full access to the hard disk, and the user will think it's the legitimate version of Windows...
Is access to Windows partitions on disk somehow blocked by the kernel?
If so, why not just have the BIOS and SATA controller cooperate to do that (i.e. irrevocably disable access to a disk range until reboot), thus allowing arbitrary software to run without issues?
Then, what's the point of having all this for Linux, when root can just add something in /etc/init.d that takes over the system silently, and any user can do the same using autostart?
Also, do you REALLY expect all Linux code (esp. in drivers) to not contain a ton of security holes exploitable by a root user, considering this was never thought to be a problem?!?
Have you spent the millions (or billions) of man hours needed to do a thorough review of the Linux code and mathematically prove that there are no holes?
Is this all just for show because otherwise Microsoft wouldn't sign the bootloader?
Because the way it is described, it provides no real security whatsoever, at all.
Posted Sep 21, 2012 4:49 UTC (Fri)
by mjg59 (subscriber, #23239)
[Link] (4 responses)
Posted Sep 21, 2012 5:18 UTC (Fri)
by raven667 (subscriber, #5198)
[Link] (3 responses)
Posted Sep 21, 2012 5:24 UTC (Fri)
by mjg59 (subscriber, #23239)
[Link] (2 responses)
Posted Sep 21, 2012 13:18 UTC (Fri)
by raven667 (subscriber, #5198)
[Link]
Posted Sep 21, 2012 23:08 UTC (Fri)
by nix (subscriber, #2304)
[Link]
Posted Sep 21, 2012 5:13 UTC (Fri)
by raven667 (subscriber, #5198)
[Link] (22 responses)
The threat model that Secure Boot is intended to help thwart is fairly simple, it makes no claims about OS security or vulnerabilities in the kernel or rootkits in the running system, it's only claim is that you can boot into the kernel without the possibility of a rootkit already having been planted in the firmware or bootloader. The rest is whatever scheme you dream up for the OS.
What people are using this tool for is to implement integrity checking in the kenrel that can't be easily and persistently subverted. It didn't make a lot of sense to invest heavily in integrity checking before when the underlying layers were so easy to subvert. Since you can't subvert any of the persistant storage without breaking the signatures then your malware has to be started using normal OS means and you can use standard OS tools and anti-malware to detect and clean it out before it runs. The anti-malware can have its own integrity checking on updates so that a compromised system can be cleaned just by rebooting it. The malware can't subvert the anti-malware but it can potentially block updates although this can be easily detected.
The concern with the security of the boot loader is that there are going to be a number of signed boot loaders from various vendors out in the wild that will all be trusted by every machine by default. If those boot loaders can be configured to run arbitrary code then any one of them could be used as a shim to load malware before the kernel and anti-malware has a chance of loading which drives a particular design where the boot loader does some sort of authorization checking as to what kernel image it is booting.
None of this protects an OS which is running in a VM from the hypervisor although it still has the same protections from malware inside the OS. As far as I know the threat model of Secure Boot can't handle the case where you Secure Boot into a legitimate bootloader and legitimate kernel which then boots the OS as a guest in a VM. It'd be an interesting proof of concept to see how one would modify a compromised running system to include booting a hypervisor without breaking the system in some way. Maybe someone who knows more than me can help answer this question, mjg59?
Posted Sep 21, 2012 14:56 UTC (Fri)
by ballombe (subscriber, #9523)
[Link] (21 responses)
Posted Sep 21, 2012 15:14 UTC (Fri)
by raven667 (subscriber, #5198)
[Link]
This is just a fancier way to make the statement "Linux rulez and MS droolz" which isn't a useful statement.
Posted Sep 21, 2012 18:33 UTC (Fri)
by mjg59 (subscriber, #23239)
[Link] (19 responses)
Posted Sep 21, 2012 23:12 UTC (Fri)
by nix (subscriber, #2304)
[Link] (2 responses)
Shame if it decides to blacklist the Fedora key. All of a sudden every single secure-booted instance of one of its competitors that is dual-booted with Windows has stopped working! And there is, as far as I can see, no easy way to recover. (Maybe Fedora could make a boot CD image available that would update the bootloader, splash it in big letters all over fedoraproject.org, and hope that everyone affected thinks to look there. *shiver*.)
(I have 'secure boot' on this new system of mine. I have, of course, turned it off. The last thing I need is a way of rendering my system magically unbootable. I have enough of those as it is!)
Posted Sep 22, 2012 22:14 UTC (Sat)
by raven667 (subscriber, #5198)
[Link] (1 responses)
Posted Sep 23, 2012 14:22 UTC (Sun)
by mjg59 (subscriber, #23239)
[Link]
Posted Sep 22, 2012 15:55 UTC (Sat)
by ballombe (subscriber, #9523)
[Link] (15 responses)
Posted Sep 22, 2012 16:05 UTC (Sat)
by mjg59 (subscriber, #23239)
[Link] (14 responses)
No.
Posted Sep 23, 2012 21:21 UTC (Sun)
by nix (subscriber, #2304)
[Link] (13 responses)
Posted Sep 23, 2012 21:37 UTC (Sun)
by raven667 (subscriber, #5198)
[Link] (4 responses)
Posted Sep 23, 2012 22:32 UTC (Sun)
by nix (subscriber, #2304)
[Link] (3 responses)
(Remember, the attackers only have to be lucky once.)
Posted Sep 23, 2012 22:46 UTC (Sun)
by hummassa (subscriber, #307)
[Link] (2 responses)
People imagining these schemes forget that crypto keys are leaked and recovered all the time IRL. And that if you are not a government, you can always use the wrench method. https://xkcd.com/538/
Posted Sep 24, 2012 3:50 UTC (Mon)
by raven667 (subscriber, #5198)
[Link] (1 responses)
Posted Sep 24, 2012 8:41 UTC (Mon)
by nix (subscriber, #2304)
[Link]
Posted Sep 24, 2012 0:36 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (2 responses)
Posted Sep 24, 2012 8:41 UTC (Mon)
by nix (subscriber, #2304)
[Link]
Posted Sep 24, 2012 9:07 UTC (Mon)
by hummassa (subscriber, #307)
[Link]
No, that's not "part of that". s/part of //. The security process stops at the easier way to the threat to get what he wants. Threats can and will leak keys from Microsoft (remember NT4/XP source code?) if that's the easier way of signing device drivers. As vendor keys are currently easier to get hold of, and they do the job just fine (because there are a lot of vendors and IIRC once the keys were revoked another version of Stuxnet signed with another key popped up) the threats don't need to go after MS.
Security = you don't have to outrun the beast, you have to outrun the friend beside you.
Posted Sep 24, 2012 1:04 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link] (4 responses)
Posted Sep 24, 2012 8:42 UTC (Mon)
by nix (subscriber, #2304)
[Link] (3 responses)
Posted Sep 24, 2012 18:24 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
Posted Sep 25, 2012 8:20 UTC (Tue)
by alonz (subscriber, #815)
[Link] (1 responses)
Have you, perhaps, seen this? Or this (as applied to HSM's, considering the incompetence apparent from the first link)? I don't think HSM's are as magic as people expect them to be…
Posted Sep 25, 2012 8:29 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Says who? I use hibernation on a regular basis. While some users have reported problems on some systems, it works reliably for many. If Red Hat decides to disable hibernation to appease Microsoft, I guess I'll have to go elsewhere.
Hibernation doesn't work?
Signing the dump would require having the private key in the kernel. An attacker who could mess with the hibernation image would likely have little difficulty finding that key; after that, the game is done.
Hibernation doesn't work?
Hibernation doesn't work?
1) During the initial boot you generate a random keypair in the shim loader. Store the public part the keypair in the UEFI storage.
2) Kernel keeps the private key in RAM during the normal processing.
3) Use this private key to sign the hibernation image and then discard it (of course, taking care not to write it into the image).
4) During boot you first load the known-good-kernel (checked by the shim) which can then retrieve the public key from the shim and check the signature.
5) If signature matches, it then can load the image.
You forgot step 6: generate a new keypair for use with the next hibernation (as the process obviously lost the original private key from step 1).
Hibernation doesn't work?
Hibernation doesn't work?
Hibernation doesn't work?
Hibernation doesn't work?
Hibernation doesn't work?
Hibernation doesn't work?
2) Kernel encrypts the suspend image.
3) Shim (or grub) generates a new keypair and saves the public key. It passes the new private key and the old public key to the kernel, and then wipes the old public key from the variable store.
4) Kernel verifies that the swap image is appropriately signed and then discards the old public key. The new private key is kept so the user can hibernate again.
Hibernation doesn't work?
Hibernation doesn't work?
Hibernation doesn't work?
Hibernation doesn't work?
Hibernation doesn't work?
Hibernation doesn't work?
Hibernation doesn't work?
- The fix is to not restore hibernate images
- The proposed signature checking on hibernate images could protect an un-compromised system on disk from being modified before being restored
- There is no security added for a system booted in a VM
- There is no attestation in Secure Boot, a running system can't tell if it's been compromised or not
Hibernation doesn't work?
Hibernation doesn't work?
Hibernation doesn't work?
I also note that having multiple Linux distributions on a single PC will be a problem.
Hibernation doesn't work?
Hibernation doesn't work?
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
Hey look at that, more features gone in this rush to bend over backwards to accommodate Microsoft's anti-software-freedom initiative.
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
updates
Is the OS able to trigger that update ? Otherwise, I can't see how a key can even be blacklisted.
updates
updates
updates
updates
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
Hmm... secure boot-like technologies certainly can play into the copyright maximalist agenda. It's not really a DRM technology, though, it's more of a general control technology — who has control over the systems we think we own? I believe the folks working on making Linux work in the secure environment are doing their best to ensure that the owners have control over their own systems. Secure boot can be used to do unpleasant things; it can also (at least try to) protect your system against the next Sony-style rootkit.
LSS: Secure Boot
What everyone needs to know
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
This attack only makes sense in secure-boot enhanced world. In any other world it's easier to just replace the kernel if you've reached the state where you can do raw disk access.
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
LSS: Secure Boot
Yeah, that sure is reassuring. </sarcasm>LSS: Secure Boot
LSS: Secure Boot