Linux - UEFI Secure Boot
Sorry, I know this is a lot of text to read, and some of it may sound a bit paranoid, but I need some help/advice with this. I'm not sure I can pull this off on my own.

Recently I bought a new laptop that I'll be using exclusively for Linux (Xubuntu). I'd like to set it up to use full disk encryption (the boot partition obviously stays unencrypted). I've done this numerous times using LUKS/LVM, but this time I'd like to enable Secure Boot to foil any potential Evil Maid attacks. Is there any documentation and/or guides on how to perform this setup?

As far as I understand it, the computer must employ the new EFI firmware (which my laptop does). Then the HDD has to use GPT partitioning. We also need appropriate software to do verification. And finally one has to patch up all holes and establish a chain of trust. The root partition will be encrypted, so I can trust it won't be tampered with (in an efficient way at least). Next, we need to have the kernel/initramfs (maybe the boot loader??? truecrypt???) ask us for a HDD password each time we boot. The kernel/initramfs can be tampered with because they reside on an unencrypted part of the disk. So they have to be protected with a signature. The boot loader should verify this signature before continuing, and display an error if the images don't match. Obviously there's a problem here: the boot loader can also be tampered with. So *it* has to be protected too. The EFI firmware should verify the bootloader by using an appropriate key. The keys reside in firmware, so they have to be protected too.

Alright, this is how I understand the setup should be, but I have questions. The EFI firmware contains keys that are used to verify whether the bootloader is authentic. These keys are used for existing loaders that are signed by trusted parties, i.e. Microsoft. Suppose I don't trust Microsoft (which I don't... duh), and I'd like to purge all/any existing keys from UEFI to install my own. How do I do this? I haven't poked around the BIOS/UEFI screen much, but I did manage to find an option to erase all keys. Before I continue from here on I'd like to get a grip on this new technology.

Well...

Thanks in advance for any answers, I hope we can clear things up a little.
If you do have the ability to replace keys, and if you never intend to install Microsoft Windows on this box, then you should replace the keys with ones of your own.
A few background links:
http://blog.hansenpartnership.com/ow...uefi-platform/
http://www.extremetech.com/computing...os-replacement
http://www.tomshardware.com/news/Lea...IOS,21897.html

Microsoft's operating systems are signed with, and therefore should be accepted only by, their keys, but if your intent is to create your own signed operating-system image that will only boot on a particular computer, you will need to sign it with, and then install, keys of your own making.

Personally, I think that the whole UEFI signing-key implementation is fairly naive, as is much of UEFI itself. Suddenly, instead of a bare-bones BIOS-type program that basically starts up the hardware and then immediately hands over the keys to an OS, you've basically got an entire separate mini operating system in there, and it's supposed to be "trusted." Well, anyone can reprogram an EEPROM (flash) chip. Where we used to have "root-kits," we almost immediately now have (suh-prize...!) "boot-kits":
http://www.theregister.co.uk/2012/09/19/win8_rootkit/
http://malwaretips.com/Thread-W8-UEFI-rootkit
http://www.h-online.com/security/new...d-1655108.html
http://www.saferbytes.it/2012/09/18/...ows-8-bootkit/

The core premise of UEFI, and therefore of the entire kernel-signing technology, was, from the start, a naive and flawed one: "I'm a program burned into a ROM! Therefore, trust me!" But in every modern system, that "ROM" is programmable. This, in turn, leads to a far more insidious assumption that any operating system can make: "I was booted, therefore I was booted by a virgin, untampered-with UEFI system, upon whose low-level system APIs I can now implicitly rely. Since I was booted successfully, my digital signature must have been checked and accepted, and, since it was accepted, I myself must be unmodified."

In some ways, UEFI seems to have fallen much faster upon the horns of the very same security issues that it was architected to prevent, precisely because of the increased "trust level" that it endeavors to maintain. Because it seeks to be "more trustworthy," its clients trust it more. But there is no technical foundation for that trust which cannot, with even a moderate amount of ingenuity, be rendered moot. So, instead of being "less vulnerable," it turns out to be considerably "more so." A step backward, not an advance.
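As an added illustration (this is not code from anyone in the thread, and it is not tied to any particular laptop's firmware): before erasing or replacing keys it helps to see exactly which certificates and hashes the firmware currently trusts. The PK, KEK, db and dbx variables all use the EFI_SIGNATURE_LIST format from the UEFI specification, and on Linux they are exposed under /sys/firmware/efi/efivars with a 4-byte attributes prefix in front of the data. The script below parses that format using only the standard library, refuses to trust malformed length fields, and prints one line per enrolled entry with the SHA-256 fingerprint of each certificate. With no argument it runs against a constructed sample database; the owner GUID and "certificate" bytes in that sample are placeholders, not a real certificate.

```python
#!/usr/bin/env python3
"""List what is enrolled in the UEFI Secure Boot databases (PK, KEK, db, dbx).

Each database variable is a sequence of EFI_SIGNATURE_LIST structures (UEFI
spec, "Signature Database"). Every list carries entries of one type, e.g.
X.509 certificates or SHA-256 hashes; each entry is an EFI_SIGNATURE_DATA:
a SignatureOwner GUID followed by the payload.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI spec.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_SIGNATURE_LIST header: SignatureType GUID, then SignatureListSize,
# SignatureHeaderSize and SignatureSize as little-endian UINT32.
LIST_HDR = struct.Struct("<16sIII")
OWNER_LEN = 16  # EFI_SIGNATURE_DATA starts with the SignatureOwner GUID


def parse_signature_db(data):
    """Return [(type_guid, owner_guid, payload)] for every entry in `data`.

    Every length field is checked before it is used, so a corrupt or
    deliberately malformed variable raises ValueError instead of being
    silently mis-parsed or read past the end of the buffer.
    """
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        type_raw, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(data, off)
        if list_size < LIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at {off}")
        body_start, body_end = off + LIST_HDR.size + hdr_size, off + list_size
        if sig_size <= OWNER_LEN or (body_end - body_start) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + OWNER_LEN])
            entries.append((sig_type, owner, bytes(data[pos + OWNER_LEN:pos + sig_size])))
        off = body_end
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Serialize one EFI_SIGNATURE_LIST with an empty SignatureHeader.
    All payloads must be the same length, because SignatureSize is fixed."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all payloads in one list must have equal length")
    sig_size = OWNER_LEN + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    hdr = LIST_HDR.pack(sig_type.bytes_le, LIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


def describe(entries):
    """One line per entry: type, owner GUID and the SHA-256 of the payload
    (for X.509 entries that is the certificate fingerprint)."""
    return [f"{TYPE_NAMES.get(t, str(t))} owner={o} sha256={hashlib.sha256(p).hexdigest()}"
            for t, o, p in entries]


def read_efivar(path):
    """Read a variable from a mounted efivarfs, dropping the 4-byte
    attributes word the kernel prepends to the variable data."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample input (not a real firmware dump): one X.509 list holding
# a placeholder blob that stands in for a DER certificate, plus one SHA-256
# list holding two hashes. The owner GUID is likewise made up.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_CERT = b"\x30\x82" + bytes(range(40))   # placeholder, not real DER
SAMPLE_HASHES = [bytes(32), b"\xff" * 32]


def sample_db():
    return (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT])
            + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES))


if __name__ == "__main__":
    import sys
    # Real use, e.g. the db variable (EFI_IMAGE_SECURITY_DATABASE_GUID):
    #   python3 list_sb_keys.py /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    data = read_efivar(sys.argv[1]) if len(sys.argv) > 1 else sample_db()
    for line in describe(parse_signature_db(data)):
        print(line)
```

Run it once against db and once against KEK and PK before touching the firmware's "erase all keys" option, and keep the output: after enrolling your own keys the same script shows whether the vendor and Microsoft certificates are really gone and whether only your certificate remains.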
I agree with the sentiment. Sometimes less is more: the more complicated something is, as the saying goes, the easier it is to gum up the works.
sundialsvcs: Thanks for all the links and the clarification. I'll take some time to read those articles, but first I have a question. You said the ROM is programmable. Can this ROM be reprogrammed at will from a running OS, e.g. a live CD? Can it be protected by a password? Or does an attacker have to open up the laptop case to access the chip on the motherboard and reprogram it? Because if the latter is true you can detect an intrusion by using special stickers on the bottom side of a laptop. If a sticker gets broken, then you can safely assume the device has been tampered with, and can no longer be trusted.

PS. The laptop I bought had an older version of Ubuntu preinstalled.
In answer to your query: flash updates to firmware are usually accomplished by booting a stripped-down OS and running a specialized flash utility program, because technically the BIOS isn't ROM, it's flash memory similar to the chip in a thumb drive, albeit with a smaller capacity, and thus can be reprogrammed by software.
There goes my hope of fending off evil maids...