|
|
Subscribe / Log in / New account

Kernel lockdown vis-à-vis secure-boot

Kernel lockdown vis-à-vis secure-boot

Posted Apr 8, 2018 9:13 UTC (Sun) by darwish (guest, #102479)
Parent article: Kernel lockdown locked out — for now

I agree with Linus that lockdown is really orthogonal to secure-boot.

I've written a number of remote exploits (white-hat; merged in Metasploit), and the ability to modify the boot chain is not as easy as the lockdown authors claim. It might be much easier in the servers world due to extreme PC boot-protocol standardization, but it's hard as hell in the embedded world due to esoteric SoCs, unknown custom-built boot-loaders, and read-only storage.

In these cases, and even without secure-boot, basic kernel hardening features like disabling /dev/mem, /proc/<pid>/mem, /proc/kcore, etc. etc. are __invaluable__ in making the attackers life much harder -- even if they got execute access as UID 0.

Yes, with UID0 the attacker can create a kernel module to re-expose all that, but again this is embedded: (f)init_module() might be removed from the kernel. Even funnier: you might only have a root _shell_ access, but not pure uid 0 binary execution context; and then you find yourself with a busybox having wget and insmod removed ;-) You try to write your exploit ELF, byte by byte, using 'echo' to a tmpfs partition; on a lot of devices this will succeed, but others might have a brain-dead 'echo' version that does not support the necessary "-en" parameters, and so on.

So, honestly, Linus is __absolutely__ right:

"Because as long as the explanation is just some 'you must use secure boot or you've already lost and further security is pointless' hocus-pocus magical thinking, I immediately go 'no, that sounds completely bogus and it makes testing and coverage much worse, we've done other things quite like that without this secure boot tie-in'".

to post comments

Kernel lockdown vis-à-vis secure-boot

Posted Apr 8, 2018 17:00 UTC (Sun) by bluca (subscriber, #118303) [Link]

It might be orthogonal, but it is hella useful to have lockdown enabled automatically when secure booting. It's just a few lines. Sure, by all means, put it behind a disabled-by-default kconfig. But why take the feature away? Distros clearly like it and their customers want it, given it's been shipping for years.

Kernel lockdown vis-à-vis secure-boot

Posted Apr 9, 2018 0:22 UTC (Mon) by nivedita76 (subscriber, #121790) [Link] (4 responses)

lockdown is useful without secure boot. I think the point was more that secure boot is not very useful without lockdown.

embedded doesn't seem very relevant in any case, it's not going to have UEFI secure boot in any case. The argument is about whether you should turn lockdown on automatically if secure boot is enabled, which is really only a PC/x86 server thing for the most part.

Kernel lockdown vis-à-vis secure-boot

Posted Apr 9, 2018 6:16 UTC (Mon) by darwish (guest, #102479) [Link]

Embedded _is_ relevant in that case, and my post was a reply to the lockdown's author (direct) quote in the article claiming that "Without some sort of verified boot mechanism, lockdown is just security theater".

Kernel lockdown vis-à-vis secure-boot

Posted Apr 9, 2018 9:53 UTC (Mon) by excors (subscriber, #95769) [Link] (2 responses)

Depending on your definition of "embedded", Intel does(/did) make embedded SoCs for tablets etc that use a UEFI BIOS and Secure Boot.

Kernel lockdown vis-à-vis secure-boot

Posted Apr 9, 2018 11:01 UTC (Mon) by kugel (subscriber, #70540) [Link] (1 responses)

Also SoCs for Routers (e.g. https://blogs.intel.com/iot/2016/05/18/intel-puma/). I work with those.

Kernel lockdown vis-à-vis secure-boot

Posted Apr 10, 2018 13:12 UTC (Tue) by arekm (guest, #4846) [Link]

"Intel Pumageddon" (google)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds