Weekly Edition
Return to the Security page
| |||||||||||||
LSS: Secure BootMatthew Garrett gave the opening keynote at the 2012 Linux Security Summit on his new "favorite" topic: UEFI Secure Boot. Up until about a year ago, he was working on power management for the Linux kernel, but at LinuxCon in Vancouver he found out about the requirement that systems shipping with the Windows 8 logo would be required to have Secure Boot enabled. He "ended up drinking quite a lot that week", he said, but things are not quite as bad as he had thought at first. Contrary to his initial fears, users will be able to boot Linux on hardware certified for Windows 8. UEFI OverviewGarrett began with an overview of UEFI, noting that it is a replacement for the legacy PC BIOS. Its role is to initialize the hardware and to provide services to the bootloader for tasks like discovering hardware. It is the "least relevant 16MB of code you will ever encounter", he said. The code is mostly open and available from Intel under a BSD license. There is also some proprietary, machine-specific code to program memory controllers. The firmware vendors add their own code for "3D UIs"; those vendors also "add bugs of course". There is a surprisingly good compatibility suite and there are regular plugfests to ensure that the UEFI implementations can boot a variety of operating systems. There are some relevant differences between UEFI and BIOS. To start with, UEFI firmware can read filesystems. The standard only requires VFAT support—and Microsoft grants a patent license for UEFI implementations. The bootloader is now an executable in PE/COFF format like Windows binaries. There is also non-volatile flash storage available where things like the location of the bootloader and parameters to pass to it can be stored. When a computer is turned on, the firmware runs first, followed by a bootloader, which loads the operating system (OS). Traditionally, malware has targeted the OS, but vendors, particularly Microsoft, have gotten very aggressive at cutting down the OS as a target. Windows 8, for example, will load a virus checker very early on, before even some of the drivers are loaded, Garrett said. Given that, we are seeing malware move away from the OS. Instead of "rootkits" we are starting to see "bootkits". For BIOS-based systems, the easiest way to install boot-time malware is to replace the master boot record (MBR). Once that's done, the bootloader can no longer be trusted (as the MBR will point to a malicious version), and the bootloader can change the OS when it loads it. The malware can then intercept attempts to verify the MBR by returning a "clean" copy, making it difficult to detect the compromise. The key thing to note, Garrett said, is that if you are running untrusted code at any level, you can't trust the code at a higher level. UEFI Secure Boot is an attempt to fix the problem of bootkits. A header section is added to bootloaders (or other binaries) to contain signed hashes of the contents. The firmware will only launch binaries with a valid hash signed by a trusted key. It uses the same cryptographic algorithms that are used by Secure Sockets Layer (SSL), so there is no reason to believe that Secure Boot is insecure, other than the fact that it will be implemented by firmware vendors, he said. Key managementFor managing the keys, there are four databases in the firmware's flash. With UEFI, it will no longer be possible to write to that flash directly, instructions from x86 system management mode (SMM) will need to be used instead. The first database, "dbx", will contain keys and hashes that will always be rejected by the firmware. If a binary's hash is in dbx or if the key used to sign that hash is present, the firmware will not run it. The "db" database contains keys and hashes that will be accepted, but entries in dbx override those in db. After the October launch of Windows 8, standard systems will contain the manufacturer's key and Microsoft's key in db. Vendors will want to enable Secure Boot so that they can access marketing money from Microsoft for promoting the hardware as "Windows 8 compatible". The margins on a laptop are "pennies", Garrett said, so the marketing money makes a big difference. Being able to blacklist keys is an important part of the design of Secure Boot. Keys that have been used to sign malware or to sign other, non-malicious software that can be exploited can be disabled. The other two databases are the "kek" (key exchange key), which stores keys that can be used to sign updates to db or dbx, and the "pk" (platform key) which can sign kek updates. Installing a pk causes the transition from "setup mode" to Secure Boot mode. Normally, the pk will be a hardware vendor key, which will be used to sign the update to the kek, which is where the Microsoft key will reside. This protects the vendor from Microsoft losing control of its key, because they could (in some unspecified way) have their customers update the kek using their key. If the private half of the key in the pk leaks, Secure Boot is no longer secure on those systems. The UEFI specification defines the technical details of Secure Boot, but does not specify any particular policy with regard to how it is used. But Microsoft has specified policies for systems that want to get Windows 8 certification. For those, Secure Boot must be enabled by default, and the Microsoft key must be present. In January, Microsoft added the requirement that a physically present user must be able to disable Secure Boot and install their own keys—but only for x86-based systems, not those that are ARM-based. An audience member asked if there was "any hope" of that requirement changing for ARM. Right now, Garrett said, ARM systems with Windows 8 certification must not allow disabling Secure Boot or adding user-specified keys. Whether ARM-based system vendors will actually pursue that certification is an open question since the Windows on ARM market "doesn't exist" at this point. Linux on Secure BootTo boot Linux on a Secure Boot system, there needs to be a signed bootloader. "Distasteful though it might be", the only sensible way to do that is to get Microsoft to sign it. One can set up an account with Verisign, pay some money, and get access to the Microsoft signing system. From there, you upload a binary, and a get a signed object back a day later. Because of the way headers are added with the signatures, you can still verify that it is your binary, rather than something that has been modified by Microsoft. Once that signed bootloader has been run, it could do anything. But there are or could be consequences if it does. The signed bootloader stops malware from being inserted between the firmware and the bootloader. But, there is no way for code to determine if it is really running in Secure Boot mode. That is one difference between Secure Boot and Trusted Boot; the latter adds attestations that can prove the running code is what it says it is. In Secure Boot, one can ask the firmware if it is enabled, but there is no way to trust the answer unless the code at each level can be trusted. In order to be able to extend trust to the higher-levels, those pieces (e.g. kernel, drivers) must be signed as well. But there is more to it than that, whatever signed kernel that runs must not be usable to run unsigned privileged code. One of the problem areas is kexec(), which allows replacing a running kernel with a new kernel. It is like booting the new kernel, but without going through the hardware initialization (thus Secure Boot) step. But, kexec() could be used to boot Windows instead, which would allow an attacker to create a malicious Windows that boots on Secure Boot hardware. It would use the signed Linux bootloader and kernel, but kexec() into the mal-Windows. If that were to happen, Garrett said, Microsoft would blacklist the bootloader. "Apparently, our management was not enthusiastic" about that possibility, he said. So, signed kernels require some changes to support Secure Boot. That means doing things like disallowing kexec() and restricting the ability of user space programs to cause hardware devices to perform direct memory access (DMA). The latter mostly affects graphics hardware that does not have support for kernel mode setting (KMS). In the past, there was this idea of a separation between regular users and root. The idea was to prevent people from elevating their privileges to those of the root user, and protecting the kernel from root was not particularly important. That is no longer the case in the Secure Boot world. Root is no longer trusted, only the physically present user, who may not be the same as root, is trusted. There are other things that will need to be handled to avoid signed kernels from "attacking" Windows. Garrett said that Kees Cook mentioned hibernation images recently as a vector for attack. When a user resumes from a suspend-to-disk, memory contents are read from disk. A crafted hibernation image could subvert the protections, so unless some other solution is found, hibernation will need to be disabled. That's fine, "because it doesn't really work in Linux anyway", he said. Plan of attackThe plan is to create a trusted first-stage "shim" bootloader that will be signed with the Microsoft key. Because free software tends to change frequently, and it is desirable to avoid getting things signed all the time, having the shim, which should change infrequently, makes sense. The full bootloader is then signed with a distribution-specific key. Kernels and modules would also be signed with that key, or with a key already in the firmware key databases. If a user wants to sign their own kernels or modules, they can put their own key in the firmware. Instead of adding keys to the four databases established by UEFI, SUSE came up with a way to add keys from the bootloader (which cannot access the key databases) to a secure location in the firmware. There are UEFI boot services variables that are only available to the boot environment. Using those to store keys will allow the bootloader to update them, when prompted by physically present users. Doing so from the bootloader avoids the problem of having to try to figure out and document how to add keys using the vendor-specific UEFI firmware set up tools. So far, that code does not exist, but SUSE is working on it, he said. The management of thousands of systems requiring physically present users is "not a solved problem", he said in response to a question. There is the belief that those who are buying many systems will be able to convince vendors to ship their hardware in setup mode (with no keys) or to put custom keys into the firmware. There are still some outstanding questions, including how to handle third-party module signing (e.g. for NVIDIA drivers). There could be some kind of Linux certificate authority (CA), but no one has stepped up to run such a thing. It would cost "at least millions" to set up and run, plus probably more than a year to get going, so "no one is jumping up and down to do this", he said. There is the possibility that third parties could have their modules signed by Microsoft or there could be some way to have the bootloader prompt for the installation of third party keys. Red Hat and other vendors are not inclined to sign third-party modules because of licensing issues and that it could be seen as an endorsement of binary-only modules. Early on in the process of sorting out Secure Boot issues, there was concern that GPLv3 (which is the license for the GRUB2 bootloader) would require the signing keys to be disclosed. Garrett said that he and others had worked with the FSF on that problem. The conclusion that was reached is that the signing keys are not required to be disclosed as long as users can install their own keys, which they will be able to do. In the final analysis, Secure Boot is "much less bad than it could be", Garrett said. It will increase the security of Linux "somewhat", but is mostly for increasing the security of Windows. As long as we are careful not to get our keys blacklisted (by allowing signed kernels to attack Windows), it won't seriously impede Linux in the future. (Log in to post comments)
Hibernation doesn't work? Posted Sep 13, 2012 1:31 UTC (Thu) by JoeBuck (subscriber, #2330) [Link] Says who? I use hibernation on a regular basis. While some users have reported problems on some systems, it works reliably for many. If Red Hat decides to disable hibernation to appease Microsoft, I guess I'll have to go elsewhere.Why can't hibernation sign the memory dump and verify it on restart?
Hibernation doesn't work? Posted Sep 13, 2012 1:46 UTC (Thu) by corbet (editor, #1) [Link] Signing the dump would require having the private key in the kernel. An attacker who could mess with the hibernation image would likely have little difficulty finding that key; after that, the game is done.
Hibernation doesn't work? Posted Sep 13, 2012 2:27 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
There's no need to embed private key into the image. You can do it like this:
1) During the initial boot you generate a random keypair in the shim loader. Store the public part the keypair in the UEFI storage. 2) Kernel keeps the private key in RAM during the normal processing. 3) Use this private key to sign the hibernation image and then discard it (of course, taking care not to write it into the image). 4) During boot you first load the known-good-kernel (checked by the shim) which can then retrieve the public key from the shim and check the signature. 5) If signature matches, it then can load the image.
Hibernation doesn't work? Posted Sep 13, 2012 4:22 UTC (Thu) by alonz (subscriber, #815) [Link] You forgot step 6: generate a new keypair for use with the next hibernation (as the process obviously lost the original private key from step 1).
Hibernation doesn't work? Posted Sep 13, 2012 12:10 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]
> 2) Kernel keeps the private key in RAM during the normal processing.
and at this point you're going to provide us with proof that the kernel has no information leaking vulnerabilities, right? ;)
Hibernation doesn't work? Posted Sep 13, 2012 16:53 UTC (Thu) by hummassa (subscriber, #307) [Link]
Yeah (d'oh!), the private key is in RAM, someone can get to it and sign the specially-crafted restore image.
Hibernation doesn't work? Posted Sep 13, 2012 18:46 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
Yeah, and it also has no vulnerabilities at all. Any trusted boot system assumes that, so it must be true.
Hibernation doesn't work? Posted Sep 13, 2012 19:32 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]
in other words, it doesn't actually matter where that private key is stored. what did you try to say then?
Hibernation doesn't work? Posted Sep 13, 2012 20:56 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
The aim isn't to prevent modification of the swap image on an existing system (there may be benefits to that, this just isn't what we're concerned about). The aim is to avoid the case where an attacker can drop a malware payload consisting of a legitimately signed Linux bootloader, a legitimately signed Linux kernel and a malware hibernation image that then launches a backdoored OS (not necessarily Linux). If the hibernation key is session-specific then that seems achievable:
1) Shim or grub generates keypair and passes the private key to kernel. The public key is saved in a boot services variable, preventing it being read by the running OS.
Since the key is specific to the combination of the machine and the boot, an attacker shouldn't be able to deploy a pre-packaged attack. Am I missing something?
Hibernation doesn't work? Posted Sep 14, 2012 15:51 UTC (Fri) by hummassa (subscriber, #307) [Link]
> Since the key is specific to the combination of the machine and the boot, an attacker shouldn't be able to deploy a pre-packaged attack. Am I missing something?
The fact that the new private key is in memory and the malware can use it to craft and then sign the restore image, that will be restored normally. Damn, the malware can bypass this altogether and generate the pair on the fly, sign the image, and store the public key in the appropriate place.
Hibernation doesn't work? Posted Sep 14, 2012 16:12 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
> Damn, the malware can bypass this altogether and generate the pair on the fly, sign the image, and store the public key in the appropriate place.
No it can't - you can't set boot services variables from within the OS.
Hibernation doesn't work? Posted Sep 14, 2012 16:51 UTC (Fri) by hummassa (subscriber, #307) [Link]
If the kernel HAS the private key, and will check the signature against a boot service variable-located public key, the malware can sign the restore image with the private key. If the public key is stored anywhere else, the malware can overwrite it with his own public key. Anyway, the malware can boot the compromised system by crafting a restore image, signing it and forcing a reboot. All that WITHOUT asking the user to do anything. And all that with the user thinking that his boot-time environment is perfectly safe.
Hibernation doesn't work? Posted Sep 14, 2012 17:08 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
The malware cannot overwrite the public key. The rest is, like I said, not the attack that we're trying to prevent here. Being able to run code in the kernel means that you can alter kernel state. That's why we're focusing on making it difficult to run code in the kernel.
Hibernation doesn't work? Posted Sep 14, 2012 17:19 UTC (Fri) by raven667 (subscriber, #5198) [Link]
This whole line of reasoning seems wrong. If there is malware running on the system when it is hibernated then the malware will be written to the hibernate volume and restored with it so the system is no more or less compromised, it all seems like a no-op. If the system does not have malware and uses some signing system with a public key in firmware generated on boot and a private key in the kernel which is not written to the hibernate volume then I don't see how one could modify the hibernate volume without being detected.
Even in the case where there is malware running on a system you should still be able to perform a clean boot with verification up to the point where your trust chain stops. Then the problem is post-boot (re)compromise and you can use many tools to combat that, if you can get them into your trusted base.
Hibernation doesn't work? Posted Sep 14, 2012 19:48 UTC (Fri) by hummassa (subscriber, #307) [Link]
> If there is malware running on the system when it is hibernated then the malware will be written to the hibernate volume and restored with it so the system is no more or less compromised, it all seems like a no-op.
No, because crafting a special restore-image/swapfile and forcing a reboot you can, for instance, boot a whole another OS altogether, totally bypassing the "secure" boot nonsense.
> Even in the case where there is malware running on a system you should still be able to perform a clean boot with verification up to the point where your trust chain stops. Then the problem is post-boot (re)compromise and you can use many tools to combat that, if you can get them into your trusted base.
No, because at that point the "phantom" OS can just behave like the "original" OS with a rootkit, rendering symptoms of infection invisible to the original OS.
Suppose the machine is running Windows8, ok? The malware prepares an image that will run some OS that will run Windows8 in an emulated, censored environment that can make a lot of bad things, invisibly to W8. Everytime W8 tries to reboot, it goes thru the hoops again and boots instead the other OS.
Hibernation doesn't work? Posted Sep 14, 2012 20:59 UTC (Fri) by raven667 (subscriber, #5198) [Link]
I don't think your points actually disagree with my points, I think we are actually in agreement on the technical issues.
- Hibernate images are outside the trust boundary because they contain arbitrary code
I don't think Secure Boot attempts or claims to solve the problems of running arbitrary code it only allows you to build a beachhead, ideally an execution chain all the way until user space starts that can't be modified without throwing alarms. That means that re-compromise of a system needs to happen via the normal startup sequence and tools started before the malware can run can potentially block the malware. Once the malware runs it's Blue Pill all the way, you can't trust anything on the system after that.
Hibernation doesn't work? Posted Sep 14, 2012 22:56 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
> No, because crafting a special restore-image/swapfile and forcing a reboot you can, for instance, boot a whole another OS altogether, totally bypassing the "secure" boot nonsense.
Yes, and if you can get private information out of the kernel then you can probably also get private information *into* the kernel, and then you can just make the kernel execute your other OS without doing anything with hibernation.
Hibernation doesn't work? Posted Sep 15, 2012 2:03 UTC (Sat) by raven667 (subscriber, #5198) [Link]
Or run it in a VM, Secure Boot isn't designed to protect from a rogue hypervisor. Secure Boot is a fairly basic tool and only covers a small part of the security process, maybe you were expecting something more?
Hibernation doesn't work? Posted Sep 13, 2012 10:09 UTC (Thu) by etienne (subscriber, #25256) [Link]
What happens when a Windows user hibernate his PC, boots Linux which may change the hibernation image, power downs and then restart Windows hibernation image?
I also note that having multiple Linux distributions on a single PC will be a problem.
Hibernation doesn't work? Posted Sep 13, 2012 13:27 UTC (Thu) by pjones (subscriber, #31722) [Link]
> I also note that having multiple Linux distributions on a single PC will be a problem.
There's nothing with our Secure Boot implementation that prevents this from working exactly as it does now on UEFI systems.
Hibernation doesn't work? Posted Sep 13, 2012 15:34 UTC (Thu) by cortana (subscriber, #24596) [Link]
I too will miss hibernation. I would like to know it is implemented in Windows 8.
LSS: Secure Boot Posted Sep 13, 2012 6:02 UTC (Thu) by kugel (subscriber, #70540) [Link]
So it seems to me a number of unique and useful get disabled to appease Microsoft.
So we do depend on Microsoft, don't we?
LSS: Secure Boot Posted Sep 13, 2012 7:31 UTC (Thu) by skitching (subscriber, #36856) [Link]
This only affects very non-technical Linux users who aren't able to enter the UEFI config screens and disable secure boot on their new computer.
However those users aren't likely to want to use kexec anyway. For them to lose hibernation might be somewhat more disappointing..if it worked.
And of course such people are typically going to have someone else install Linux for them - so secure boot can be turned off by the person doing the install.
LSS: Secure Boot Posted Sep 13, 2012 7:38 UTC (Thu) by skitching (subscriber, #36856) [Link]
The article mentions "signing the bootloader". However GRUB2 isn't a monolithic application; it loads modules from the filesystem. So are all the files in /boot/grub going to be individually signed? If not, then can't I create a new module in /boot/grub, and modify grub.cfg to load it, and thereby take control of the "signed" bootloader?
And how will this affect WUBI, where the Microsoft bootloader is used to boot into Linux? That approach is specifically targeted at non-technical Windows users, ie those least likely to disable secure boot in the firmware.
What are the implications if secure boot is disabled in the firmware, then Windows is booted? Will windows refuse to run (or some programs, eg Microsoft's Genuine Windows validation checks)? If so, can a custom bootloader be used to "lie" to windows about secure-boot being enabled when it actually is not?
LSS: Secure Boot Posted Sep 13, 2012 13:29 UTC (Thu) by pjones (subscriber, #31722) [Link]
In this case we're basically building grub2 as a monolithic efi binary in the package, and the module loader is disabled for additional modules. The monolithic binary is then signed.
LSS: Secure Boot Posted Sep 13, 2012 14:44 UTC (Thu) by robertm (subscriber, #20200) [Link] Hey look at that, more features gone in this rush to bend over backwards to accommodate Microsoft's anti-software-freedom initiative.
LSS: Secure Boot Posted Sep 13, 2012 17:48 UTC (Thu) by pjones (subscriber, #31722) [Link]
If there's something we're not building in to that grub2 image that you actually need for something supported by our OS, then it's perfectly reasonable to file a bug to include that module so it'll be fixed. If you want more modules for something that's not supported by our OS, you have several options. They include: 1) paying VeriSign $99 to get your own access to the signing service, 2) putting your own keys in the firmware and signing your own build yourself, and 3) disabling secure boot, which will allow grub2 to load modules again. Any inconvenience is unfortunate, but any of these should be sufficient to avoid whatever problem you may have. You still have all the freedoms you had before, including the freedom to have malware install "bootkits, if you want them.
LSS: Secure Boot Posted Sep 13, 2012 18:23 UTC (Thu) by hummassa (subscriber, #307) [Link]
> You still have all the freedoms you had before, including the freedom to have malware install "bootkits, if you want them.
IOW: NOTHING will, in the end, impede malware to install bootkits/jailbreaks. :-D
This way, people are doing all this work to appease Microsoft, under risk of making people think that Secure Boot (TM) is actually secure, which will after all DIMINISH the security status of potential-botnet-drones around the world. Ah, let's not forget the privacy/liberty implications. Hmm...
LSS: Secure Boot Posted Sep 13, 2012 19:04 UTC (Thu) by pjones (subscriber, #31722) [Link]
Well, it's certainly not secure if you turn it off. I don't think anybody is under that illusion. But the issue you're taking here is that the status quo remains: if you do something your OS doesn't support, your OS vendor isn't going to support you. You're still free to do it, and can even do it securely - though it will require more effort from you. If you choose to disable security features instead of putting that effort in, you'll not be able to take advantage of the added security.
LSS: Secure Boot Posted Sep 13, 2012 23:51 UTC (Thu) by hummassa (subscriber, #307) [Link]
> If you choose to disable security features instead of putting that effort in, you'll not be able to take advantage of the added security.
You know, you kind of proved my point. There is NO added security, because you can always find another vulnerability in the kernel, and use that to escalate past the bootloader (like creating crafted restore-from-hibernation images) and people will act under the illusion that their systems have "added security" when they aren't, which, as I mentioned, diminishes the overall security. For instance, the crafted restore image could allow running unsigned or signed-by-the-malware-author executables or substitute key libraries.
And again, that is my point: "Secure Boot" == "fake security", which is far worse than "no security".
And worse yet: "Secure Boot" == "you are running a signed O.S. (with Defective by Design implications and I Can Phone Home and invade your privacy implications)" OR "you are running a signed (bla bla) but COMPROMISED by malware O.S."...
LSS: Secure Boot Posted Sep 14, 2012 12:05 UTC (Fri) by jeroen (subscriber, #12372) [Link]
The only reason GRUB 2 actually has loadable modules is that it is very difficult to load a big binary reliably with MBR booting. With UEFI that problem is gone and we can just load a monolithic GRUB. There is no reason left to keep using loadable modules with its error-prone selecting of which modules are needed at boot time to load the other modules.
LSS: Secure Boot Posted Sep 14, 2012 14:49 UTC (Fri) by BenHutchings (subscriber, #37955) [Link]
Right, I have seen the 'grub rescue>' prompt on UEFI way too many times already. (GRUB still looks up GPT partitions by index, not UUID, but repartitioning tools - or at least parted - don't seem to maintain numbering in GPTs.)
LSS: Secure Boot Posted Sep 14, 2012 20:50 UTC (Fri) by idupree (subscriber, #71169) [Link]
gdisk (gptfdisk) maintains partition numbering. It's parted that likes to change it.
updates Posted Sep 13, 2012 9:41 UTC (Thu) by micka (subscriber, #38720) [Link]
I'm wondering how the key database (those called db and dbx in the article) are updated.
Is the OS able to trigger that update ? Otherwise, I can't see how a key can even be blacklisted.
Another question : if you install your own kek, don't you need to also sign your windows kernel (for example in case of a dual-boot system) ?
And in case of a dual-boot, what happens for example if an update triggered by an OS (in case the first answer is affirmative) blacklists the second one ? How do i upgrade the second one ?
Oww, questions keep piling : What happens if a kek is broken or leaked ? Or a pk ?
Are firmware writer "trusted" to write bug-free firmwares ?
updates Posted Sep 13, 2012 13:36 UTC (Thu) by pjones (subscriber, #31722) [Link]
> I'm wondering how the key database (those called db and dbx in the article) are updated. Is the OS able to trigger that update ? Otherwise, I can't see how a key can even be blacklisted.
It's stored in a variable, and there's an "append only" update to it. The arguments to the /call/ to update it must be signed by a key that's in KEK, which will typically include the platform vendor and MS. So basically we get updates from the CA and apply them.
Of course as a user you can completely disable that if you want, and this is still more of "the plan" than "the implementation" at this point.
> Oww, questions keep piling : What happens if a kek is broken or leaked ? Or a pk ?
Then your vendor ships a firmware update (which is signed by a different PK pair) that removes that key from PK/KEK and adds a new one in. If you're very lucky they don't trash everything else that's there.
> Are firmware writer "trusted" to write bug-free firmwares ?
We certainly expect a time period after the Windows 8 launch in which some exploits are found, but if vendors act responsibly it should taper off as bugs are fixed in individual firmwares and the reference implementation from which they are derived. That's already begun happening, actually.
updates Posted Oct 5, 2012 10:29 UTC (Fri) by oak (guest, #2786) [Link]
What happens when the blacklist key database gets full?
updates Posted Oct 5, 2012 13:59 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
It's possible to push out an update that wipes the existing blacklist and instead revokes the key at the root of that trust. That would be inconvenient (everyone with valid signed material would need to get it resigned) but possible.
updates Posted Oct 5, 2012 15:28 UTC (Fri) by raven667 (subscriber, #5198) [Link]
The only code for which key material is in EFI is code that is run from EFI, firmware and bootloaders, which doesn't get updated very often as a practical matter. Revocations are likely to be rare. Drivers and other OS code which is more likely to have vulnerabilities and patches is handled by whatever OS specific mechanisms each OS decides on.
LSS: Secure Boot Posted Sep 13, 2012 17:11 UTC (Thu) by linuxjacques (subscriber, #45768) [Link]
"... hibernation will need to be disabled. That's fine, "because it doesn't really work in Linux anyway", he said."
This feature doesn't work (in all cases), so it's OK to remove it.
Beautiful logic.
LSS: Secure Boot Posted Sep 13, 2012 21:04 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
It means it's a lower priority. The aim is obviously to find a solution that doesn't reduce the functionality, but given the choice between supporting a pressing and immediate use-case and supporting something that's so poorly tested that it was causing filesystem corruption on anything with Intel graphics for several releases, the choice is fairly obvious.
LSS: Secure Boot Posted Sep 14, 2012 10:17 UTC (Fri) by willnewton (subscriber, #68395) [Link]
The key words in that sentence are "Intel graphics". Hibernation works perfectly well for me and seems a valuable feature.
LSS: Secure Boot Posted Sep 16, 2012 15:42 UTC (Sun) by mathstuf (subscriber, #69389) [Link]
Hmm…fun. I've been hibernating my netbook which has Intel graphics and have not seen/noticed any failures. I'll be doing a fsck next boot :) .
LSS: Secure Boot Posted Sep 13, 2012 19:10 UTC (Thu) by iabervon (subscriber, #722) [Link]
It seems to me that, if a user can install their own key in the shim, they could run all sorts of malware, like Windows 8 (once Windows 9 comes out), simply by signing it. So the assumption has to be that, if the user has put their key in the shim, the shim is off the hook as far as anything that further that gets run is concerned, so long as it is, in fact, signed by the user's key. As such, all of the kernel changes aren't actually important for Secure Boot itself, but rather that, if you buy Secure Boot's premise and want to enforce those policies, you'll want to have a kernel that doesn't violate them, and you probably want a configuration option that keeps you from accidentally enabling something that isn't trying to enforce them.
LSS: Secure Boot Posted Sep 13, 2012 19:58 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
How would you accidentally enrol a key?
LSS: Secure Boot Posted Sep 13, 2012 21:00 UTC (Thu) by iabervon (subscriber, #722) [Link]
You wouldn't accidentally enroll a key, but Microsoft might not like what you signed and were able to boot using a key you'd enrolled. The existence of a shim like this means that it will be possible to use Windows versions on Secure Boot hardware after Microsoft wants to EOL them. From the point of view of the CA evaluating the trustworthiness of the shim, there's not really any difference between a user signing a kexec-enabled kernel and using it to run Windows XP and a user signing Windows XP and booting it from the shim.
LSS: Secure Boot Posted Sep 13, 2012 21:06 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
It's a Microsoft requirement that a physically present end-user be able to enrol arbitrary keys, so they're not going to object.
LSS: Secure Boot Posted Sep 16, 2012 15:45 UTC (Sun) by mathstuf (subscriber, #69389) [Link]
> …so they're not going to object.
<pedantic>…via that argument.</pedantic> ;)
LSS: Secure Boot Posted Sep 13, 2012 21:23 UTC (Thu) by nikarul (subscriber, #4462) [Link]
It seems that Linux developers aren't the only ones busy adapting to Microsoft's new security requirements: http://www.bbc.com/news/technology-19585433
tl;dr: Apparently some malware authors are targetting PC production lines, casting a shadow on the effectiveness of SecureBoot.
LSS: Secure Boot Posted Sep 13, 2012 22:04 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
Secure Boot means that you need to attack the firmware provisioning process rather than just the pre-installed image. It's still an extra obstacle even if you're doing it in the factory.
LSS: Secure Boot Posted Sep 13, 2012 23:15 UTC (Thu) by nikarul (subscriber, #4462) [Link]
It seems to me such an attacker could introduce an image that "looks" good during tests but is in fact compromised, or even subvert the verification process itself. And even if it does mean they have to take the extra step of attacking the firmware provisioning, this indicates to me its going to be extremely difficult to stop a determined attacker (as is often the case in security).
So at the end of the day, it may help deter attacks, but it remains to be seen whether its worth the extra hassle.
LSS: Secure Boot Posted Sep 14, 2012 0:04 UTC (Fri) by hummassa (subscriber, #307) [Link]
> So at the end of the day, it may help deter attacks, but it remains to be seen whether its worth the extra hassle.
The problem isn't even the "extra hassle".
It's the possibility of privacy-invading measures PLUS the false sense of security this will put on users.
LSS: Secure Boot Posted Sep 14, 2012 0:01 UTC (Fri) by hummassa (subscriber, #307) [Link]
As it was mentioned, this is not entirely true (unless hibernation or even suspension is disabled) because even if you have to sign the swap file or the restore image with a one-time-only key, the mentioned key has to be on memory, where malware can find it and use it to redo and re-sign the swapfile/restore-image, trigger a reboot, and open the door for a larger exploit to come in (all while it is running a certified, signed-with-microsoft-approved-key OS that can even be Windows).
Repeating myself -> "Secure Boot" == "fake security", much worse than no security at all.
The only thing that will come certainly from Secure Boot is invasions of privacy and consumer rights violations in form of DRM.
LSS: Secure Boot Posted Sep 14, 2012 0:14 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
... which is, as mentioned, not the attack that we're especially worried about.
LSS: Secure Boot Posted Sep 14, 2012 11:14 UTC (Fri) by hummassa (subscriber, #307) [Link]
> ... which is, as mentioned, not the attack that we're especially worried about.
Yea, what people implementing "Secure" Boot &c seem to be especially worried about is to enable exactly the opposite to what Corbet described in this week's LWN first article:
> It is time to pay more attention to the copyright maximalist agenda and push back. Fair use rights must be asserted where they exist and created where they don't. The business concerns of the entertainment industry should not drive the design of our systems, our networks, and our international agreements.
...
> the system we use to ensure the freedom of our software can also take away our freedom on other fronts if we do not pay attention. A world where our right to express ourselves is moderated by somebody else's software — usually very proprietary software — is not what we have been working for.
Enough said.
Boot signing -- "secure" boot -- has a deep flaw: that (practically) all software is exploitable to do something it was not meant to do, and that it will be exploited by people with enough to gain by it.
LSS: Secure Boot Posted Sep 14, 2012 13:07 UTC (Fri) by corbet (editor, #1) [Link] Hmm... secure boot-like technologies certainly can play into the copyright maximalist agenda. It's not really a DRM technology, though, it's more of a general control technology — who has control over the systems we think we own? I believe the folks working on making Linux work in the secure environment are doing their best to ensure that the owners have control over their own systems. Secure boot can be used to do unpleasant things; it can also (at least try to) protect your system against the next Sony-style rootkit.
What everyone needs to know Posted Sep 15, 2012 22:57 UTC (Sat) by CChittleborough (subscriber, #60775) [Link]
To understand the whole Secure-Boot-and-Linux kerfuffle at a high level, all you need to do is read the previous comment carefully.
(Notice that secure boot is an attempt to solve a real problem, not some dastardly plot by mustache-twirling villains, and has real advantages as well as real disadvantages.)
Changing topic: let's all try to avoid making Matthew Garrett's life any harder. Let's all be grateful he's working on this stuff, because we need his work.
LSS: Secure Boot Posted Sep 22, 2012 23:15 UTC (Sat) by ballombe (subscriber, #9523) [Link]
Unless Sony get its virus signed with the microsoft key.
LSS: Secure Boot Posted Sep 23, 2012 12:05 UTC (Sun) by raven667 (subscriber, #5198) [Link]
I don't think there is an incentive for them to do that, the money isn't any where near good enough.
LSS: Secure Boot Posted Sep 23, 2012 14:16 UTC (Sun) by mjg59 (subscriber, #23239) [Link]
I don't understand what you're suggesting. Any binary can be revoked, regardless of who signed it.
LSS: Secure Boot Posted Sep 14, 2012 13:07 UTC (Fri) by kugel (subscriber, #70540) [Link]
I'm wondering why hibernation is even an issue.
Don't you need physical access to the machine to subvert the hibernation file? After all, the machine must be off so no running computer program on the hibernated machine can do it.
And the physical present user is trusted (and a physically present attacker can simply turn off secure boot), so to my understanding hibernate shouldn't be affected by secure boot.
Also: I'm fairly sure Windows will still have hibernate. If that's true then Microsoft would seem to agree with me thinking it's not an issue.
LSS: Secure Boot Posted Sep 14, 2012 14:04 UTC (Fri) by hummassa (subscriber, #307) [Link]
> Don't you need physical access to the machine to subvert the hibernation file?
No, a piece of malware can create a subverted hibernation file and force-reboot the machine.
LSS: Secure Boot Posted Sep 15, 2012 8:15 UTC (Sat) by kugel (subscriber, #70540) [Link]
Thanks. I have never seen this kind of attack
LSS: Secure Boot Posted Sep 15, 2012 9:59 UTC (Sat) by khim (subscriber, #9252) [Link] This attack only makes sense in secure-boot enhanced world. In any other world it's easier to just replace the kernel if you've reached the state where you can do raw disk access.
LSS: Secure Boot Posted Sep 21, 2012 4:11 UTC (Fri) by cyanit (guest, #86671) [Link]
Again, WHAT THE FUCK is the threat model?!?
As far as I can tell, you can just run Windows in a fullscreen qemu instance with full access to the hard disk, and the user will think it's the legitimate version of Windows...
Is access to Windows partitions on disk somehow blocked by the kernel?
If so, why not just have the BIOS and SATA controller cooperate to do that (i.e. irrevocably disable access to a disk range until reboot), thus allowing arbitrary software to run without issues?
Then, what's the point of having all this for Linux, when root can just add something in /etc/init.d that takes over the system silently, and any user can do the same using autostart?
Also, do you REALLY expect all Linux code (esp. in drivers) to not contain a ton of security holes exploitable by a root user, considering this was never thought to be a problem?!?
Have you spent the millions (or billions) of man hours needed to do a thorough review of the Linux code and mathematically prove that there are no holes?
Is this all just for show because otherwise Microsoft wouldn't sign the bootloader?
Because the way it is described, it provides no real security whatsoever, at all.
LSS: Secure Boot Posted Sep 21, 2012 4:49 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
So you run all your code as root?
LSS: Secure Boot Posted Sep 21, 2012 5:18 UTC (Fri) by raven667 (subscriber, #5198) [Link]
Do you know of any thing that would prevent the scenario where a compromised system modifies the boot such that you boot into a trusted boot loader and trusted kernel which then runs the original OS image as a VM and has its way with it. AFAIK Secure Boot doesn't protect a VM from its hypervisor.
LSS: Secure Boot Posted Sep 21, 2012 5:24 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
No, if you can launch a sufficiently convincing hypervisor from within Linux then you can win. As yet I haven't seen any examples of a sufficiently convincing hypervisor, but I look forward to seeing what people come up with.
LSS: Secure Boot Posted Sep 21, 2012 13:18 UTC (Fri) by raven667 (subscriber, #5198) [Link]
I suppose one could make it deliberately difficult to make such subterfuge difficult to be convincing by including splash screens or other visual indicators of what is going on. There is also the fact that such an attack will have to carry around a lot of code, tens of megabytes or more, making it unwieldy in many environments.
LSS: Secure Boot Posted Sep 21, 2012 23:08 UTC (Fri) by nix (subscriber, #2304) [Link]
I doubt it needs to be very convincing to convince enough people to be useful to attackers. Heck, the less convincing it is the better it may be for them -- as with Nigerian scams, it helps their marks self-select for stupidity.
LSS: Secure Boot Posted Sep 21, 2012 5:13 UTC (Fri) by raven667 (subscriber, #5198) [Link]
> What is the threat model?
The threat model that Secure Boot is intended to help thwart is fairly simple, it makes no claims about OS security or vulnerabilities in the kernel or rootkits in the running system, it's only claim is that you can boot into the kernel without the possibility of a rootkit already having been planted in the firmware or bootloader. The rest is whatever scheme you dream up for the OS.
What people are using this tool for is to implement integrity checking in the kenrel that can't be easily and persistently subverted. It didn't make a lot of sense to invest heavily in integrity checking before when the underlying layers were so easy to subvert. Since you can't subvert any of the persistant storage without breaking the signatures then your malware has to be started using normal OS means and you can use standard OS tools and anti-malware to detect and clean it out before it runs. The anti-malware can have its own integrity checking on updates so that a compromised system can be cleaned just by rebooting it. The malware can't subvert the anti-malware but it can potentially block updates although this can be easily detected.
The concern with the security of the boot loader is that there are going to be a number of signed boot loaders from various vendors out in the wild that will all be trusted by every machine by default. If those boot loaders can be configured to run arbitrary code then any one of them could be used as a shim to load malware before the kernel and anti-malware has a chance of loading which drives a particular design where the boot loader does some sort of authorization checking as to what kernel image it is booting.
None of this protects an OS which is running in a VM from the hypervisor although it still has the same protections from malware inside the OS. As far as I know the threat model of Secure Boot can't handle the case where you Secure Boot into a legitimate bootloader and legitimate kernel which then boots the OS as a guest in a VM. It'd be an interesting proof of concept to see how one would modify a compromised running system to include booting a hypervisor without breaking the system in some way. Maybe someone who knows more than me can help answer this question, mjg59?
LSS: Secure Boot Posted Sep 21, 2012 14:56 UTC (Fri) by ballombe (subscriber, #9523) [Link]
It is easily predictable that the day Windows 8 is released, the windows boot loader will be compromised to boot arbitrary code. So one get 24h of protection, then what ?
LSS: Secure Boot Posted Sep 21, 2012 15:14 UTC (Fri) by raven667 (subscriber, #5198) [Link]
I'm sorry but that is pure BS. By what mechanism do you think this is likely? Win8 has been out for free for anyone to test for months now and I haven't seen anything even hinting at a compromise published. The boot loader is a small piece of code and auditing it is a completely tractable problem. Maybe you haven't noticed but MS has gotten religion about security in the last decade and has some of the most thorough auditing of any software project.
This is just a fancier way to make the statement "Linux rulez and MS droolz" which isn't a useful statement.
LSS: Secure Boot Posted Sep 21, 2012 18:33 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
Then the signature is revoked, blacklist updates are pushed out through Windows Update and Microsoft have to press a lot of new media.
LSS: Secure Boot Posted Sep 21, 2012 23:12 UTC (Fri) by nix (subscriber, #2304) [Link]
Well, that's OK for Microsoft because it'll presumably push out an update to its bootloader to no longer be a blacklisted one at the same time.
Shame if it decides to blacklist the Fedora key. All of a sudden every single secure-booted instance of one of its competitors that is dual-booted with Windows has stopped working! And there is, as far as I can see, no easy way to recover. (Maybe Fedora could make a boot CD image available that would update the bootloader, splash it in big letters all over fedoraproject.org, and hope that everyone affected thinks to look there. *shiver*.)
(I have 'secure boot' on this new system of mine. I have, of course, turned it off. The last thing I need is a way of rendering my system magically unbootable. I have enough of those as it is!)
LSS: Secure Boot Posted Sep 22, 2012 22:14 UTC (Sat) by raven667 (subscriber, #5198) [Link]
Personally I think that this risk is a reason that the major Linux vendors such as RedHat, Ubuntu, Debian and SuSE should work together and with OEMs to make sure they have their own keys in the root of the firmware. This will cost millions of dollars and be an ongoing cost to keep the secure signing infrastructure but it provides a measure of independence. A related solution is to work with Linux-friendly VARs to make branded devices and try to get similar market share and margins as Apple does with their Mac hardware. This might be harder than Apple though because Linux will never be restricted to run on only branded boutique hardware so its revenue stream is not protected.
LSS: Secure Boot Posted Sep 23, 2012 14:22 UTC (Sun) by mjg59 (subscriber, #23239) [Link]
That doesn't help a great deal - if Microsoft have an entry in KEK then they're in a position to blacklist Linux binaries even if there's a more generic Linux key present as well.
LSS: Secure Boot Posted Sep 22, 2012 15:55 UTC (Sat) by ballombe (subscriber, #9523) [Link]
So a bug to windows update could be used to upgrade the boot loader to a vulnerable one ? This increases the attack surface somewhat.
LSS: Secure Boot Posted Sep 22, 2012 16:05 UTC (Sat) by mjg59 (subscriber, #23239) [Link]
> So a bug to windows update could be used to upgrade the boot loader to a vulnerable one ?
No.
LSS: Secure Boot Posted Sep 23, 2012 21:21 UTC (Sun) by nix (subscriber, #2304) [Link]
But if Microsoft were penetrated and their key stolen... correction, not if: *when*.
LSS: Secure Boot Posted Sep 23, 2012 21:37 UTC (Sun) by raven667 (subscriber, #5198) [Link]
I think you underestimate how easy defense is compared to offense when protecting keys. Any individual subroot can be revoked and replaced via a secure update, the root key hardly ever needs to be used and can be kept offline and safe against anything short of a Mission Impossible type attack.
LSS: Secure Boot Posted Sep 23, 2012 22:32 UTC (Sun) by nix (subscriber, #2304) [Link]
Yeah. Because they'll never make any key management mistakes, there'll be no social engineering, no industrial espionage, no simple burglary -- after all, nobody at all has any reason to want to get hold of a bit of data which could kill huge numbers of Windows boxes at a stroke, no sir.
(Remember, the attackers only have to be lucky once.)
LSS: Secure Boot Posted Sep 23, 2012 22:46 UTC (Sun) by hummassa (subscriber, #307) [Link]
YES, Please.
People imagining these schemes forget that crypto keys are leaked and recovered all the time IRL. And that if you are not a government, you can always use the wrench method. https://xkcd.com/538/
LSS: Secure Boot Posted Sep 24, 2012 3:50 UTC (Mon) by raven667 (subscriber, #5198) [Link]
I'm sorry, are you asserting that Verisign and other major entities are leaking their root keys all the time? We're not talking about passwords for your disk encryption, we're talking about real professionally managed CAs. If some vendors signing infrastructure were compromised to sign arbitrary binaries, like the DigiNotar incident, then that subroot can be blacklisted without affecting other vendors. The root has to sign so very few things that it has very little attack surface area.
LSS: Secure Boot Posted Sep 24, 2012 8:41 UTC (Mon) by nix (subscriber, #2304) [Link]
Several major keys from various CAs have been compromised already: more will come. If this scheme really gets going, these keys will be a *major* target -- do you really imagine that nobody with sufficient resources to get a copy won't try? (Perhaps, if they are sufficiently clever and lucky, they might even arrange to get the *only* copy: that'd be amazingly useful to extort money from MS with, though very hard since I'm sure MS have lots of backups).
LSS: Secure Boot Posted Sep 24, 2012 0:36 UTC (Mon) by mjg59 (subscriber, #23239) [Link]
If you wanted to attack Windows in the current non-Secure Boot world, the single most valuable thing would be the ability to sign arbitrary code as a valid Windows driver. But, somehow, nobody's managed to get hold of Microsoft's key. Now, to be fair, part of that's because vendor keys have been easier to get hold of (see Stuxnet), but even so having the Microsoft key would be an advantage - if you've got the root then there's no process for revoking existing installations. And yet it hasn't been leaked.
LSS: Secure Boot Posted Sep 24, 2012 8:41 UTC (Mon) by nix (subscriber, #2304) [Link]
True enough. Still, the paranoid in me sees a billion or so eggs landing in one basket, and thinks 'this is *wrong*, this is *stupid*'.
LSS: Secure Boot Posted Sep 24, 2012 9:07 UTC (Mon) by hummassa (subscriber, #307) [Link]
> Now, to be fair, part of that's because vendor keys have been easier to get hold of
No, that's not "part of that". s/part of //. The security process stops at the easier way to the threat to get what he wants. Threats can and will leak keys from Microsoft (remember NT4/XP source code?) if that's the easier way of signing device drivers. As vendor keys are currently easier to get hold of, and they do the job just fine (because there are a lot of vendors and IIRC once the keys were revoked another version of Stuxnet signed with another key popped up) the threats don't need to go after MS.
Security = you don't have to outrun the beast, you have to outrun the friend beside you.
LSS: Secure Boot Posted Sep 24, 2012 1:04 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]
All large companies use HSMs (Hardware Security Modules) to sign keys. They are guaranteed to be unhackable in _practice_, and that guarantee is backed by a very large sum that manufacturer would pay you in case of a breach.
LSS: Secure Boot Posted Sep 24, 2012 8:42 UTC (Mon) by nix (subscriber, #2304) [Link]
So... if MS's key gets compromised and a huge proportion of the world's machines are rendered unbootable... MS gets compensation? That's reassuring.
LSS: Secure Boot Posted Sep 24, 2012 18:24 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]
Well, the world's root DNS zone is also signed by a key in a HSM.
LSS: Secure Boot Posted Sep 25, 2012 8:20 UTC (Tue) by alonz (subscriber, #815) [Link] Yeah, that sure is reassuring. </sarcasm>Have you, perhaps, seen this? Or this (as applied to HSM's, considering the incompetence apparent from the first link)? I don't think HSM's are as magic as people expect them to be…
LSS: Secure Boot Posted Sep 25, 2012 8:29 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]
Naw, HSMs are protected against trivial attacks like this. I know for a fact that a certain large HSM from a company which names begins with "T" has an intermediary buffer that holds data after the encryption for a random (and quite significant) amount of time before transmitting it to client.
|
|||||||||||||