| 1 |
> From: Michael Mol <mikemol@×××××.com> |
| 2 |
|
| 3 |
> On Sat, Jun 2, 2012 at 8:35 PM, Florian Philipp <lists@×××××××××××.net> |
| 4 |
> wrote: |
| 5 |
>> Am 03.06.2012 01:36, schrieb Michael Mol: |
| 6 |
>>> On Sat, Jun 2, 2012 at 6:50 PM, pk <peterk2@××××××××.se> wrote: |
| 7 |
>>>> On 2012-06-02 22:10, Michael Mol wrote: |
| 8 |
>>> |
| 9 |
>>> [snip] |
| 10 |
>>> |
| 11 |
>> [...] |
| 12 |
>>> |
| 13 |
>>> The BIOS will only load a signed bootloader. The signed bootloader |
| 14 |
>>> will only load a signed kernel. The signed kernel will...do whatever |
| 15 |
>>> you tell it to do. |
| 16 |
>>> |
| 17 |
>> |
| 18 |
>> According to Matthew's blog post, Fedora patched Grub2 and the kernel |
| 19 |
> to |
| 20 |
>> avoid loading custom code into them: |
| 21 |
>> - Deactivate grub2 plugins |
| 22 |
>> - Sign all kernel modules and disallow unsigned ones |
| 23 |
>> - Prevent access to PCI through userland |
| 24 |
>> - Sanitize the kernel command line |
| 25 |
> |
| 26 |
> Yeah, I read his blog post via lwn.net. I forgot some of the details. |
| 27 |
> |
| 28 |
> |
| 29 |
>> |
| 30 |
>>>> What does that mean to a source based "distro"? |
| 31 |
>>> |
| 32 |
>>> It's going to make building and installing grub and the kernel |
| 33 |
>>> trickier; you'll have to get them signed. And that's going to |
| 34 |
> be a |
| 35 |
>>> PITA for anyone who does developers. |
| 36 |
>>> |
| 37 |
>>> What it *really* means is that someone who wants to run Linux as a |
| 38 |
>>> hobbyist or developer is going to disable "SecureBoot", and |
| 39 |
> then fall |
| 40 |
>>> back to business as usual. |
| 41 |
>>> |
| 42 |
>> |
| 43 |
>> Yeah, the only way for Gentoo to have secure boot is a) let each user |
| 44 |
>> register with Microsoft, b) provide a binary kernel and boot loader. |
| 45 |
> |
| 46 |
> If you have a need to get a secure Gentoo boot, and you don't need to |
| 47 |
> boot Windows 8, then (as I understand it) you can also purge the UEFI |
| 48 |
> BIOS of Microsoft's key and install your own. |
| 49 |
|
| 50 |
well, on x86 for now... |
| 51 |
|
| 52 |
> |
| 53 |
>> |
| 54 |
>>>> Also, I would assume a legitimate key would be able to |
| 55 |
>>>> sign pretty much any binary so a key that Fedora uses could be used |
| 56 |
> to |
| 57 |
>>>> sign malware for Windows, which then would be blacklisted by |
| 58 |
>>>> Microsoft... |
| 59 |
>>> |
| 60 |
>>> If Fedora allows their key to sign crap, then their key will get |
| 61 |
> revoked. |
| 62 |
>>> |
| 63 |
>>> What I hope (I don't know) is whether or not the signing system |
| 64 |
>>> involved allows chaining. i.e., with SSL, I can generate my own key, |
| 65 |
>>> get it signed by a CA, and then bundle the CA's public key and my |
| 66 |
>>> public key when I go on to sign _another_ key. |
| 67 |
>>> |
| 68 |
>>> So, could I generate a key, have Fedora sign it, and then use my key |
| 69 |
>>> to sign my binaries? If my key is used to do malicious things, |
| 70 |
>>> Fedora's off the hook, and it's only my key which gets revoked. |
| 71 |
>>> |
| 72 |
>> |
| 73 |
>> Consider the exact approach Fedora takes: They've only made a certified |
| 74 |
>> stage-1 boot loader. This boot loader then loads grub2 (signed with a |
| 75 |
>> custom Fedora key, nothing chained back to MS) which then loads a |
| 76 |
>> custom-signed kernel. This allows them to avoid authenticating against |
| 77 |
>> MS every time they update grub or the kernel. |
| 78 |
>> |
| 79 |
>> This means if you want to certify with Fedora, you don't need to chain |
| 80 |
>> up to MS as long as you use their stage-1 boot loader. However, if I was |
| 81 |
>> part of Fedora, I wouldn't risk my key by signing other people's |
| 82 |
> stuff. |
| 83 |
>> Mainboard makers won't look twice when they see rootkits with Fedora |
| 84 |
>> boot loaders. |
| 85 |
> |
| 86 |
> Yeah, that's not the kind of thing I was thinking about. |
| 87 |
> |
| 88 |
> With SSL's PKI, someone like StartSSL has a CA cert. |
| 89 |
> |
| 90 |
> I generate my own key, have StartSSL sign my key. My brother generates |
| 91 |
> a key, and I sign his. |
| 92 |
> |
| 93 |
> Now my brother takes his key and sends you a signed email. |
| 94 |
> |
| 95 |
> Now, you've never heard of me, and the crypto signature attached to |
| 96 |
> that email doesn't mean anything. However, if he bundles my public key |
| 97 |
> along with his public key in that email, then you can see that my |
| 98 |
> public key was signed by someone you _do_ know. Now you have a chain |
| 99 |
> of signatures showing the relationship between that email and the root |
| 100 |
> CA. |
| 101 |
> |
| 102 |
> Now here's the interesting part, and what I was alluding to wrt signed |
| 103 |
> binaries and key revocation. |
| 104 |
> |
| 105 |
> Let's say _my_ key is leaked. My brother send you an email signed with |
| 106 |
> his key. You look at that key, you see that key hasn't been revoked. |
| 107 |
> You look at the key that signed that key, and you see that _that_ key |
| 108 |
> _has_ been revoked. You can then choose to not trust keys signed by |
| 109 |
> that key. |
| 110 |
> |
| 111 |
> Now let's say my _brother's_ key is leaked, and so he revokes it. Any |
| 112 |
> new emails signed with that key can be seen to be invalid. However, |
| 113 |
> _my_ key is still considered valid; I can still sign things with it. |
| 114 |
> |
| 115 |
> That's the kind of thing I was thinking about. If you allow key chains |
| 116 |
> to be deep, rather than forcing them to be wide, you can wield |
| 117 |
> blacklists like a scalpel, rather than a bludgeon. |
| 118 |
|
| 119 |
In theory that's how key signing systems are suppose to work. |
| 120 |
In practice, they rarely implement the blacklists as they are (i) hard to maintain, |
| 121 |
and (ii) hard to distribute in an effective manner. |
| 122 |
|
| 123 |
Honestly, I don't expect SecureBoot to last very long. |
| 124 |
Either MS and the OEMs will be forced to always allow users to disable it, |
| 125 |
or they'll be simply drop it - kind of like they did with TPM requirements that were |
| 126 |
talked about 10 years back and never came to fruition. |
| 127 |
|
| 128 |
>>>> and how is malware defined? Anything that would be |
| 129 |
>>>> detrimental to Microsoft? |
| 130 |
>>> |
| 131 |
>>> Dunno. I imagine it comes down to whatever the chief key's owner |
| 132 |
>>> doesn't want running on the same hardware while SecureBoot is enabled. |
| 133 |
>>> Rootkits come to mind. |
| 134 |
>>> |
| 135 |
>> |
| 136 |
>> To quote Matthew: |
| 137 |
>>> If I take a signed Linux bootloader and then use it to boot something |
| 138 |
>>> that looks like an unsigned Linux kernel, I've instead potentially |
| 139 |
>>> just booted a piece of malware. And if that malware can attack |
| 140 |
>>> Windows then the signed Linux bootloader is no longer just a signed |
| 141 |
>>> Linux bootloader, it's a signed Windows malware launcher and |
| 142 |
> that's |
| 143 |
>>> the kind of thing that results in that bootloader being added to the |
| 144 |
>>> list of blacklisted binaries and suddenly your signed Linux |
| 145 |
>>> bootloader isn't even a signed Linux bootloader. |
| 146 |
> |
| 147 |
> What kind of signature is the bootloader checking, anyway? |
| 148 |
|
| 149 |
Regardless of the check, it'll never be sufficient. |
| 150 |
|
| 151 |
Ben |
Archives