|
|
Subscribe / Log in / New account

Much ado about SBAT

Much ado about SBAT

Posted Jul 20, 2023 16:30 UTC (Thu) by bluca (subscriber, #118303)
In reply to: Much ado about SBAT by gray_-_wolf
Parent article: Much ado about SBAT

This is explicitly covered in the protocol and described in the example:

https://github.com/rhboot/shim/blob/main/SBAT.example.md

to post comments

Much ado about SBAT

Posted Jul 20, 2023 16:49 UTC (Thu) by gray_-_wolf (subscriber, #131074) [Link] (27 responses)

So if I get it right, fedora would produce kernels with something like:

sbat,1
linux,1
linux.fedora,1

And if there is problem with CONFIG_FOO=y, linux wound bump the number to 2, so fedora would produce

sbat,1
linux,2
linux.fedora,2

While debian

sbat,1
linux,2
linux.debian,1

And `the UEFI CA issues an update to SBAT` would be:

sbat,1
linux,2
linux.debian,1
linux.fedora,2

Is that correct? That seems like it will be... fun to keep up to date, I guess?

Much ado about SBAT

Posted Jul 20, 2023 16:58 UTC (Thu) by WolfWings (subscriber, #56790) [Link] (20 responses)

linux.fedora wouldn't update their number unless they made changes to their patches or configuration settings.

If linux.fedora's changes were the cause of a vulnerability, then linux.fedora's number would increment entirely independently of linux in your example case.

When you carry forward upstreams SBAT lines you can benefit from their generation epochs.

Much ado about SBAT

Posted Jul 20, 2023 23:01 UTC (Thu) by cquike (subscriber, #107549) [Link] (11 responses)

What happens if the distribution option CONFIG_FOO=n actually "disables" the vulnerability? The distribution kernel in that case is not affected but still the SBAT data in the firmware would say that that linux,1, for instance, is vulnerable and the system will not boot, which IMHO is the wrong behaviour.
Is that understanding correct?

Much ado about SBAT

Posted Jul 20, 2023 23:52 UTC (Thu) by bluca (subscriber, #118303) [Link] (10 responses)

Sure, there's a number of hypothetical corner cases that one might imagine where a revocation that doesn't affect everybody might go out. Likelihood is low enough that it's not really worth worrying about. There are more important aspects to optimize for.

Much ado about SBAT

Posted Jul 21, 2023 10:19 UTC (Fri) by dvdeug (guest, #10998) [Link] (9 responses)

That there is a security hole in some experimental or niche code not included in most distros' kernels seems a nigh certainty, not hypothetical.

Much ado about SBAT

Posted Jul 21, 2023 15:39 UTC (Fri) by bluca (subscriber, #118303) [Link] (8 responses)

If it's certain, can you point to any occasion where any of that has been used to exploit a system?

Much ado about SBAT

Posted Jul 21, 2023 20:45 UTC (Fri) by dvdeug (guest, #10998) [Link] (6 responses)

Eleven days ago, CVE-2023-32250 and CVE-2023-32254 were issued on bugs in the Linux kernel's ksmbd, an in-kernel SMB server. At the end of June, CVE-2023-3338 was issued on a bug in the DECNet implementation. Actively exploited, I don't know, but I'm sure there are.

Much ado about SBAT

Posted Jul 21, 2023 20:53 UTC (Fri) by bluca (subscriber, #118303) [Link] (5 responses)

How are those related to UEFI?

Much ado about SBAT

Posted Jul 21, 2023 21:23 UTC (Fri) by mjg59 (subscriber, #23239) [Link] (3 responses)

If you're able to trigger them locally you could overwrite kernel state and kexec into a backdoored kernel (or even Windows) without violating any secure boot controls.

Much ado about SBAT

Posted Jul 22, 2023 9:00 UTC (Sat) by WolfWings (subscriber, #56790) [Link] (2 responses)

I feel like that's a core disconnect here honestly.

The RFC was expecting that "once you hit /init it's no longer relevant" which would indeed exclude the supermajority of CVEs from ever increment the counter.

But the reality is this: Secure Boot carries forward long past the boot phase into userspace, and if that has a vulnerability that allows sufficient escalation then to the user it is functionally identical to any other secure boot compromise:

Suddenly the OS isn't the one you signed keys and did all the security hoopla for.

Which yes, means that the SBAT scope for "the ENTIRE kernel" includes parts WAY outside of the "boot" portion of things. It also ends up including everything callable from userspace including second-tier stuff like NFS that requires networking and filesystems first, etc.

Maybe a more narrowly defined initial record for 'linux-pre-init' as a component name or something instead that's just the UEFI-stub-to-/init codepath fits what the initial submission expected for a rarely-changing codepath.

But the full 'linux' meta-component would have to update it's counter rather frequently so X-1 fallback would be woefully insufficient and result in 'functionally bricked' systems for various degrees of brickage.

Much ado about SBAT

Posted Jul 22, 2023 10:39 UTC (Sat) by bluca (subscriber, #118303) [Link] (1 responses)

There is already such a boundary, and it's what we are largely focusing on right now: ExitBootServices. It provides a clear boundary, and what comes before is clearly and unequivocably 'high value', so in my view it's a great starting point for this.

Much ado about SBAT

Posted Jul 27, 2023 4:37 UTC (Thu) by WolfWings (subscriber, #56790) [Link]

And reading the threads on LKML I think that was the disconnect at the time of this article at least.

Took me a'while to realize that, the kernel devs were largely approaching it as "Okay, it's named linux, so you mean the whole kernel then?" thus my suggestion to make it more clearly just the early-boot region that the epoch is covering with a more verbose and narrowly defined name. I think it was causing cognitive overload at times in attempting to use the shortest possible component name.

Coming back with "Any security flaw in the codepath from initial execution up until UEFI ExitBootServices is called" possibly with the modifier "...that allows unsigned code to be executed." as a recurring phrase for "What increments the epoch?" instead of variants on "Whatever those in charge decide." might have had a better cooling effect, and kept the scope much more narrowly defined. Requiring it to only be of concern for signed code would also mean for example unsigned-module mode might be entirely out of scope, etc.

But this is my years of dealing with PCI-DSS/HIPPA/etc compliance audits coming to the fore: Defining the scope as narrowly as possible is a huge part of passing security audits in the real world, and that seems to apply to keeping the epoch number from skyrocketing and becoming real-world-worthless.

Much ado about SBAT

Posted Jul 24, 2023 8:41 UTC (Mon) by paulj (subscriber, #341) [Link]

If you can trigger a bug relatively reliably during or after boot - be it by network, by crafted filesystem exploit, by some startup script, etc. - you get control. It doesn't matter how much you've locked down the firmware.

I'm pretty sure we've had some articles recently containing discussions about the impossibility of securing filesystems from bugs and exploits, and the need to restrict which user-provided FSes the kernel will mount...

Much ado about SBAT

Posted Jul 22, 2023 0:36 UTC (Sat) by geofft (subscriber, #59789) [Link]

I think for the most part people aren't interested in building exploits for these because Secure Boot attacks are pretty low value - especially because, at least as of last time I checked, there's a signed Ubuntu shim/GRUB which is happy to load arbitrary kernels. (I actually have a laptop running an old version of Debian with Ubuntu's signed shim/GRUB...) But it would be pretty easy to automate the process of turning root -> ring 0 escalations (which are much more common than non-root -> ring 0 escalations!) into bypasses of kernel_lockdown(7), if that would be interesting to anyone.

Specifically - I think this conversation would be more productive if you could define what exactly counts as an exploit that SBAT should protect against / that would merit bumping the SBAT generation number. My understanding of Secure Boot is there are two ways to think about this:

1) An attacker should not be able to produce a bootable system image using other people's signed kernels/bootloaders/shims/etc. that gets them arbitrary code execution in ring 0 before ExitBootServices() has been called.

2) An attacker should not be able to produce a bootable system image using other people's signed kernels/bootloaders/shims/etc. that gets them arbitrary code execution in ring 0 at any time.

The second one is what kernel_lockdown(7) is meant to protect against. But that's a more stringent policy than I think is really possible to achieve at least in the MS UEFI ecosystem. As mentioned, there are the Ubuntu shim/GRUB binaries, and also Windows itself hasn't been treating root -> ring 0 as a security issue (see e.g. http://www.github.com/ionescu007/r0ak which is a worked example of a driver allowing kernel read/write).

If the second definition is what you're actually trying to solve (and I might be out of date here and maybe the Ubuntu shims are now revoked?), it would be worth clearly documenting that, and then people can start producing those exploits. The ksmbd vulnerability mentioned in a sibling comment could quite easily be weaponized. But also a whole lot of other things that have the benefit of starting from a privileged position, like root in the initramfs, are interesting too.

If you're going for the first definition, I think it's worth documenting that too, because there's relatively code that runs before ExitBootServices() - there is some attacker-controlled stuff (command line parsing, initrd loading but not mounting), so an exploit isn't out of the question, but there's very little of it. And that might help the kernel folks get more comfortable with the idea of maintaining a generation number.

Or maybe you're going for some other definition which is not obvious to someone who does pay attention to Secure Boot, which means it'll be even less obvious to the average LKML reviewer.

(Or maybe the practical threat model here is that you want to make sure that attackers can't run code even in ring 3 as root, which means you can't trust the MS UEFI ecosystem and you have to sign all your own kernels/UKIs with your own key that you enroll yourself in DB and KEK... at which point you want to maintain the SBAT generation on your own and not trust anyone else to do it!)

To be clear - I am absolutely on board with criticizing the LKML crowd's refusal acknowledge what sort of bugs are security bugs and treatment of e.g. adding support for a new PlayStation controller's buttons as an "All users must upgrade." stable release that datacenter sysadmins need to care about just as much as they care about remote code execution in kernelspace. But I think that not clearly defining the security goals of SBAT / Secure Boot and saying you're only interested in vulnerabilities with known exploits risks making essentially the same mistake. It's silly to say that a vulnerability with a PoC that gets arbitrary code execution doesn't matter to you because nobody has constructed an exploit against your particular use case: they clearly could, and the only people who benefit from the obscurity are black hat attackers. A bug doesn't become unexploitable by refusing to mention the CVE in the commit message; neither does a bug become unexploitable by pointing out that there are no public exploits.

Much ado about SBAT

Posted Jul 21, 2023 7:43 UTC (Fri) by juliank (guest, #45896) [Link] (7 responses)

Notably even if a vendor was bumped before, the bump of the generic linux entry would cause the per-vendor revocations to go away as they become obsolete. Hence why it's not an ever growing list and works a lot better than dbx.

so if you had revocations

linux.fedora,2
linux.debian,2

and linux,1 was the latest SBAT

linux gets an update, we drop the linux.<anything> and only insert the linux one:

linux,2

Then fedora gets another issue and we have

linux,2
linux.fedora,3

Then linux gets another issue and we have

linux,3

Much ado about SBAT

Posted Jul 21, 2023 10:13 UTC (Fri) by gray_-_wolf (subscriber, #131074) [Link] (6 responses)

What if fedora decides to fix a bug A as 3 while linux bug B as the same 3? They might very well do it by accident. How is this going to be prevented? Or, how (if ever) will the numbers be reconciled (there are many distributions, so I assume it will happen sooner or later)?

Much ado about SBAT

Posted Jul 21, 2023 10:36 UTC (Fri) by bluca (subscriber, #118303) [Link] (5 responses)

That's why revocations are centralized, and managing generation IDs also needs to be centralized, rather than have everyone do it on their own

Much ado about SBAT

Posted Jul 21, 2023 13:11 UTC (Fri) by zdzichu (subscriber, #17118) [Link] (4 responses)

How exactly would centralisation solve the problem presented by gray_-_wolf?

Much ado about SBAT

Posted Jul 21, 2023 15:39 UTC (Fri) by bluca (subscriber, #118303) [Link] (3 responses)

Because everybody will know what the upstream product gen ID is

Much ado about SBAT

Posted Jul 22, 2023 16:32 UTC (Sat) by zdzichu (subscriber, #17118) [Link] (2 responses)

Ok, so let's assume everybody is at gen 42. Now, two new vulnerabilities gets published, CVE-2025-001 and CVE-2025-002.
Fedora backports the fix for 001 in their kernel. Arch backports fix for 002. They need to get new generation ID for their patched kernels, so they ask central authority.

What gen numbers they will get in answer?

Much ado about SBAT

Posted Jul 22, 2023 16:53 UTC (Sat) by excors (subscriber, #95769) [Link] (1 responses)

That sounds easy: the central authority decides on a total order for vulnerabilities. If they pick 001<002, then they say you can sign as gen 43 if you're not vulnerable to 001, and you can sign as gen 44 if you're vulnerable to neither 001 nor 002. Arch will need to fix 001 (or determine they were never vulnerable to it, e.g. if it was a Fedora-specific issue) so they can sign as a new generation, before gen 42 gets revoked.

Much ado about SBAT

Posted Aug 4, 2023 8:43 UTC (Fri) by ghane (guest, #1805) [Link]

My understanding is that Google does this, releasing two checkpoints every month for certified Android.

Assume there are two sets of exploits, set A (which Google feels Handset OEMs can fix by themselves quickly) and set B (which need blobs from Qualcomm, etc). These are called (eg) 01 July 2023 and 05 July 2023 (the 1 and 5 are constant).

If you fix set A, you roll out the update, and claim "1 July 2023". You then have time to talk to upstream chip manufacturors, and at some time roll out "5 July 2023".

You cannot claim 1 Aug 2023, (or any future version) however, till 5 July 2023 has been included.

So from a user (and app developer) point of view, any "1" date means you are no more than 1 month behind that month, and a "5" means that you are current till that month.

Much ado about SBAT

Posted Jul 21, 2023 1:13 UTC (Fri) by NYKevin (subscriber, #129325) [Link] (5 responses)

It is entirely possible that Linus or somebody else explicitly decides that this is out of scope for Linux (which, after all, is "just" a kernel, not a full OS) and then we *only* have linux.fedora, linux.debian, etc. Each distro would then be responsible for bumping the number as applicable, regardless of whose "fault" the vulnerability is. They are already in a position to do that anyway, since most of them already track kernel vulnerabilities in order to provide timely security updates.

(I have no idea if the standard allows that, but if the standard is unwilling or unable to accommodate Linux, then any standard-conforming hardware will become effectively unsalable to datacenters and Android manufacturers, so I imagine they would find a way to make it work if it currently does not. Worst case, we would just have linux,1 forever and there would never be a linux,2.)

Much ado about SBAT

Posted Jul 21, 2023 8:35 UTC (Fri) by taladar (subscriber, #68407) [Link]

> Worst case, we would just have linux,1 forever and there would never be a linux,2

At that point we could certainly talk about security theatre though.

Much ado about SBAT

Posted Jul 21, 2023 9:12 UTC (Fri) by bluca (subscriber, #118303) [Link] (3 responses)

No, there would still be a global gen id, it would just be much more painful to maintain. I'll let you figure out how pleased distribution maintainers would be with upstream maintainers if that were to happen - not that I am under any illusion they care one bit.

Much ado about SBAT

Posted Jul 22, 2023 3:16 UTC (Sat) by NYKevin (subscriber, #129325) [Link] (2 responses)

Well, in this hypothetical (which I should stress has not actually happened (yet)), it would be a discussion between the distros and whoever is pro-SBAT. Frankly, I'm having a hard time imagining, say, Debian wanting to spend a lot of time on something like this, so it's possible they give SBAT a "no" as well. I suppose it's possible that the SBAT people try to write off the "uncooperative" distros, but I should like to think that there is enough Debian in datacenters to give hardware manufacturers pause about that course of action.

Ultimately, the problem here is that somebody has to bell the cat, and at least historically in the FOSS community, things usually work out best if the person belling the cat is the person who actually wants the cat to wear a bell in the first place. The alternative just leads to the Nebraska problem,[1] which would be very bad in this case as it could leave a large amount of hardware suddenly unbootable.

[1]: https://xkcd.com/2347/

Much ado about SBAT

Posted Jul 22, 2023 4:59 UTC (Sat) by plugwash (subscriber, #29694) [Link]

I'm no expert, but my understanding is that the underlying issues are.

1. If we want our Linux distros to keep booting out of the box on new computers, then we have to play along with the secure boot "ecosystem", which is ultimately controlled by Microsoft.
2. UEFI has very limited space for storing revocations, a single revocation incident consumed around half the availble revocation space. It's not at all clear to me what MS would do if revocation space ran out, but it may well not be nice for Linux.

So it was determined that a more efficient revocation scheme was needed, one that could basically say "any version of software package "x" that is older (in security fix terms) than "y" is vulnerable rather than having to revoke images individually.

Much ado about SBAT

Posted Jul 22, 2023 10:44 UTC (Sat) by bluca (subscriber, #118303) [Link]

> I'm having a hard time imagining, say, Debian wanting to spend a lot of time on something like this, so it's possible they give SBAT a "no" as well.

No, Debian is involved too. Not only myself, but the maintainers of the bootloader stack are not only fully aware but also actively working on this, both downstream and upstream in the Shim community.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds