Signing ELF binaries
As part of the effort to support UEFI secure boot on Linux, Matthew Garrett proposed a number of restrictions on kernel features so that signed kernels could not be used to circumvent secure boot. Many of those restrictions were fairly uncontroversial, but disabling kexec() was not one of them, so it was dropped in a later patch set. At the time, there was discussion of how to support kexec() in a secure boot world; Vivek Goyal recently posted an RFC patch set to start down that path.
The kexec() system call is used to replace the running kernel with a different program. It can be used to boot a new kernel without going through the BIOS or other firmware, which is exactly what gets it into trouble for secure boot. A running kernel that has been verified by the secure boot mechanism (and thus is trusted) could boot any unsigned, unverified kernel by way of kexec(). The concern is that it would be used to boot Windows in an insecure environment while making it believe it was running under secure boot—exactly what secure boot is meant to prevent. That, in turn, could lead to Linux bootloaders getting blacklisted, which would make it more difficult to boot Linux on hardware certified for Windows 8.
Goyal's patches add the ability to cryptographically sign ELF executables, then have the kernel verify those signatures. If the binary is signed and the signature verifies, it will be executed. While the patch does not yet implement this, the idea is that a signed binary could be given additional capabilities if it verifies—capabilities that would enable kexec(), for example. If the binary is unsigned, it will always be executed. Only if a signed binary fails to verify does it get blocked from execution.
The patches contain a signelf utility that puts a signature based on the private key argument into a .signature ELF section. The signature is calculated by hashing the contents of the PT_LOAD ELF segments, then cryptographically signing the result. It is based on the module signing code that was recently added to the kernel, but instead of just tacking the signature on at the end of the binary, it puts it into the .signature section.
Since any shared libraries used by an executable cannot be trusted (so far, at least, there is no mechanism to verify those libraries), only statically linked executables can be signed and verified. The patches do not stop binaries from using dlopen() directly, however, so Goyal said binaries that do so should not be signed. He is targeting the /sbin/kexec binary that is used to launch kdump, so that users can still get crash dumps, even in a secure-boot-enabled system, but there are other possible uses as well.
When the binfmt_elf loader in the kernel detects a binary with the .signature section, it locks the pages of the executable into memory and verifies the signature. Goyal is trying to avoid situations where the binary is modified after the verification has been done, which is why the executable is locked into memory. If the signature does not verify, the process is killed; unsigned binaries are simply executed as usual.
Beyond just adding the capability for kexec(), there are some other pieces of the puzzle that aren't addressed in the patches. The biggest is the need to disable ptrace() on signed binaries. Otherwise, the signed binary could be subverted in various ways—changing the binary passed to kexec(), for example. In addition, the "to do" list has some key and keyring related issues that need to be sorted out.
There is already a mechanism in the kernel to verify the signature of various kinds of files, though. The Integrity Measurement Architecture (IMA) appraisal extension that was added in Linux 3.7 does much of what Goyal needs, as was pointed out by IMA maintainer Mimi Zohar. While the integrity subsystem targets measuring and verifying the whole system, it already does most of the kinds of signature operations Goyal is looking to add. On the other hand, features like disabling ptrace(), locking the binary into memory, and setting capabilities based on signature verification are well beyond the scope of the integrity subsystem. Goyal is currently looking into using the integrity features and adding secure-boot-specific features on top.
Losing the ability to use kexec() on secure boot systems would be
rather painful. While Garrett's patches do not actually make that change
(because of the outcry from other kernel developers), any distribution that
is trying to enable secure boot is likely to do so. Finding a way to
support that use case, without unduly risking the blacklist wrath of
Microsoft, would be good.
| Index entries for this article | |
|---|---|
| Kernel | Security/UEFI secure boot |
Posted Jan 17, 2013 8:41 UTC (Thu)
by kugel (subscriber, #70540)
[Link] (2 responses)
how can kexec trick Windows into believing it's in secure boot environment (SBE) while it's not?
If Linux boots in SBE, then Windows is also in the SBE (Windows will verify this, no?). If Linux boots in non-SBE and kexecs Windows, then Windows verification fails and it knows it's in non-SBE.
Posted Jan 17, 2013 10:48 UTC (Thu)
by keeperofdakeys (guest, #82635)
[Link]
Posted Jan 17, 2013 12:42 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link]
Posted Jan 17, 2013 21:16 UTC (Thu)
by jimparis (guest, #38647)
[Link] (2 responses)
My understanding is that's not true; secure boot has nothing to do with any integrity checking that Windows might want to perform. Windows (the software) can't ask "was I securely booted?" because you can just virtualize it and lie. Instead, attestation is left up to things like TPM / TCG, which can't be virtualized because they hold secret keys.
Secure boot approaches from the other direction, in that you (the user) can trust that the hardware only booted software that was signed. If Linux can boot an unsigned Windows, Microsoft would view that as a breach of their security chain and react by revoking the keys that were used to boot Linux in the first place.
Posted Jan 18, 2013 6:31 UTC (Fri)
by raven667 (subscriber, #5198)
[Link]
I'm not sure that really works out in practice because there are all sorts of ways to get an OS up and running in an "insecure" manner, running in a VM or other contrived environment for example. This isn't about protecting against compromise in any arbitrary case, it's about a very specific case of booting the primary OS on bare metal. You could certainly "secure boot" a small core system, windows or linux or whatever, and use that to make a contrived environment for booting your arbitrarily compromised OS (linux or windows or whatever) and I think this case is out side the scope and threat model that Secure Boot is intended to address.
You can't win them all 8-)
Posted Jan 18, 2013 11:19 UTC (Fri)
by etienne (guest, #25256)
[Link]
I.e. that it is a lot more difficult to boot a patched version of Windows which "forget" to check if it is a legitimate install.
Posted Jan 18, 2013 4:00 UTC (Fri)
by proski (subscriber, #104)
[Link] (14 responses)
I think Microsoft revoking a key for Linux bootloader would be a huge scandal and it would lead to anti-trust actions against the company. It would be better for Linux to refuse the security model demanded by Microsoft rather than try to implement it and fail.
Disclaimer: I'm not closely familiar with the situation around the "Secure boot".
Posted Jan 18, 2013 6:25 UTC (Fri)
by raven667 (subscriber, #5198)
[Link]
Posted Jan 18, 2013 20:36 UTC (Fri)
by nevets (subscriber, #11875)
[Link] (12 responses)
Now if MS were to revoke a Linux key, then we can show the courts that we did everything and then some to not be a source of compromise. Even if Linux ends up being a source of a security breach, the fact that we did so much to avoid it, will at least demonstrate that it was not due to neglect on our part.
Posted Jan 26, 2013 1:49 UTC (Sat)
by cas (guest, #52554)
[Link] (11 responses)
Actually, it would work in exactly the opposite way - by attempting to implement Microsoft's secure boot and failing, they are legitimising Microsoft's demands and providing justification for Microsoft to revoke linux keys for failure to comply or for any reason at all. i.e. by attempting to implement, they are undermining their best argument (in court and in the outside world), that Microsoft has no legal right to unilaterally grant itself the power to decide what is allowed to boot, and that their attempt to do so is an illegal abuse of a monopoly.
These attempts to appease Microsoft are short-sighted and we will all come to regret them bitterly - even if they succeed (unlikely), the absolute best we can hope for is centralised control over official bootable linux kernels. say goodbye to small and non-commercial distros, say goodbye to experimentation. and say goodbye to the right to run whatever the hell you want on your own hardware. And that's the best. The actual result is likely to be far worse.
Posted Jan 26, 2013 5:40 UTC (Sat)
by mjg59 (subscriber, #23239)
[Link] (10 responses)
You have the background to provide a legal justification for that?
Posted Jan 26, 2013 6:15 UTC (Sat)
by cas (guest, #52554)
[Link] (9 responses)
What I do have is a functioning memory and a reasonable ability to extrapolate from similar concepts.
By playing Microsoft's game you are implicitly accepting their terms and conditions, or as i said the first time around, legitimising Microsoft's *right* to terminate your boot key according to whatever rules they choose.
Actually, it's worse than that - to get a key signed by MS you have to *explicitly* accept their terms and conditions (BTW, do they have a clause saying they can unilaterally change them at any time?). It would be extremely unlikely for a court to invalidate such a consciously chosen and legal agreement.
Appeasement on the secureboot issue may be good, cheap, and convenient policy for RH and other corporate linux vendors. Not for anyone else.
Posted Jan 26, 2013 6:24 UTC (Sat)
by mjg59 (subscriber, #23239)
[Link] (8 responses)
No, but having some ability to actually support contentions like "By playing Microsoft's game you are implicitly accepting their terms and conditions" is pretty important if you want anyone to pay any attention to what you're saying.
"Do you have one?"
No, but I've spent a significant amount of time speaking to lawyers about Secure Boot over the past 18 months, which is more than you seem to have done.
Posted Jan 26, 2013 6:36 UTC (Sat)
by cas (guest, #52554)
[Link] (7 responses)
Well done!
BTW, I note that you didn't comment on my "to get a key signed by MS you have to *explicitly* accept their terms and conditions" paragraph. I take it you have no glib logical fallacy at hand to distract from that so settled on the Ignore It And It Might Go Away technique?
Posted Jan 26, 2013 6:45 UTC (Sat)
by raven667 (subscriber, #5198)
[Link] (4 responses)
Posted Jan 26, 2013 8:29 UTC (Sat)
by cas (guest, #52554)
[Link] (3 responses)
I expect that any lawyers he has spoken to about secureboot would have been Redhat's lawyers, and their angle on the problem would have been entirely on the topic of Redhat's corporate needs, and how to solve the problem for RH in the most efficiently pragmatic way possible.
Pragmatism doesn't always conflict with idealism but this is one case where it definitely does.
Posted Jan 26, 2013 11:48 UTC (Sat)
by paulj (subscriber, #341)
[Link]
Posted Jan 27, 2013 16:18 UTC (Sun)
by mathstuf (subscriber, #69389)
[Link] (1 responses)
That said, it would be nice to have some clarification of what they think the fallout of Microsoft revoking a Linux key (both for "but h4x" and "because market share[holders]" scenarios) would likely be.
Posted Jan 27, 2013 16:38 UTC (Sun)
by mjg59 (subscriber, #23239)
[Link]
Posted Jan 26, 2013 6:52 UTC (Sat)
by mjg59 (subscriber, #23239)
[Link] (1 responses)
"to get a key signed by MS you have to *explicitly* accept their terms and conditions"
Have you read those terms and conditions? Have you consulted a lawyer to determine precisely which rights you're giving up? Or are you just asserting that they're unreasonable without any justification at all?
Posted Jan 26, 2013 8:18 UTC (Sat)
by cas (guest, #52554)
[Link]
My point is that it is entirely unreasonable to have to beg Microsoft's permission to run anything. So unreasonable that the only reasonable response is to refuse to have anything to do with it.
By agreeing to *ANY* conditions, no matter how benign or light-weight they might be, you are conceding that Microsoft does indeed have a right to grant or deny such permission.
You mean well and have good intentions, but you are enabling Microsoft in their aim to be gatekeeper of what software is permitted to execute. Aside from the old adage about the road to hell, the trouble with your work is that it is short-sighted and short-term pragmatism (you have what appears to be a technical problem and want to solve it now) with no regard for the long-term consequences. One day you will realise exactly what you have enabled and come to bitterly regret it. Unfortunately, you won't be the only one to suffer the consequences.
Posted Jan 24, 2013 1:58 UTC (Thu)
by kevinm (guest, #69913)
[Link]
Signing ELF binaries
Signing ELF binaries
Signing ELF binaries
Signing ELF binaries
Signing ELF binaries
Signing ELF binaries
It seems to me that some Linux developers have been tricked into playing a game they cannot win. Every time the "secure boot" is circumvented it would be considered a security issue in Linux. Secure boot is a whole new aspect of security, and Linux wasn't designed with it in mind. So there will be "security issues" all the time, and that would give Linux bad rap, especially among non-technical people.
Playing a game that cannot be won?
Playing a game that cannot be won?
Playing a game that cannot be won?
Playing the game automatically concedes defeat
Now if MS were to revoke a Linux key, then we can show the courts that we did everything and then some to not be a source of compromise. Even if Linux ends up being a source of a security breach, the fact that we did so much to avoid it, will at least demonstrate that it was not due to neglect on our part.
Playing the game automatically concedes defeat
Playing the game automatically concedes defeat
Playing the game automatically concedes defeat
Playing the game automatically concedes defeat
Playing the game automatically concedes defeat
Playing the game automatically concedes defeat
Playing the game automatically concedes defeat
Playing the game automatically concedes defeat
Playing the game automatically concedes defeat
Playing the game automatically concedes defeat
Playing the game automatically concedes defeat
Signing ELF binaries