Hi
I was tasked to come back to Linaro TSC with an answer on Linaro and kernel lockdown for UEFI SecureBoot, hence the call for feed back.
So I did some research... The kernel lockdown does not seem to be a full consensus yet: https://news.ycombinator.com/item?id=16761827
I agree with Linus https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1654795.html: we should distinguish UEFI SecureBoot and how to achieve a highly secured Operating System runtime environment.
1) UEFI SecureBoot: boot chain trust My understanding is that UEFI SecureBoot ensures that the booted UEFI payload is trusted. Should the UEFI payload (a Linux OS) not be that secure it is irrelevant to the UEFI SecureBoot itself.
2) Trustable Linux system A trustable Linux system is UEFI SecureBoot loaded and make addition precautions to avoid attacks and attacks to the boot chain. If we think of a highly secured Linux, the kernel lockdown is certainly highly desirable but just as many other aspects: - iommu must be enabled to protect against DMA attacks - sysfs needs to be cleaned (access rights are not tight enough) - debugfs need to be banned (problem: some production control operations are wrongly in debugfs) -SE Linux - IMA - ...
In my view, we shall not mix the goal and the means to achieve the goal.... For instance, kernel lock down prevents iopl system call which prevents UIO and UIO enabled DPDK drivers. A vendor may evaluate that the security level achieved without kernel lockdown is in line with its objectives to achieve a trustable Linux system: loadable modules disabled by the kernel, kernel embedded initramfs, IMA... As a result, UEFI SecureBoot to secure the boot chain combined with selected Linux hardening can achieve a Trustable Linux System.
As per LEDGE both are highly important I would say that 1) does not need 2) to be complete.
The way to achieve 2) is project dependent. The LEDGE RP will need kernel lockdown because we will allow loadable modules. SoC vendors deriving a product out of LEDGE RP, may take different provisions as per customer projects, in particular, they may derive a version without lockdown but still trustable.
There is an additional twists to this.
UEFI SecureBoot does not mandate Microsoft signed keys. But if you use Microsoft keys, I was warned that Microsoft may revoke certificates for non locked down systems. This warning illustrate the absolute need for independence related to UEFI SecureBoot: I can't imagine a system in Europe (particularly in military) prevented to boot because Microsoft revoked a certificate!!!
Cheers
FF
On 6/19/19 10:56 AM, Francois Ozog wrote:
I was tasked to come back to Linaro TSC with an answer on Linaro and kernel lockdown for UEFI SecureBoot, hence the call for feed back.
So I did some research... The kernel lockdown does not seem to be a full consensus yet: https://news.ycombinator.com/item?id=16761827
I also did some research. There is nobody currently working on lockdown patches for Arm. As in the upstream lockdown effort explicitly is not involving Arm at this stage. I flagged this with Arm several years ago, re-raised it a few months ago, and am raising it again here right now.
- UEFI SecureBoot: boot chain trust
My understanding is that UEFI SecureBoot ensures that the booted UEFI payload is trusted. Should the UEFI payload (a Linux OS) not be that secure it is irrelevant to the UEFI SecureBoot itself.
Sure. But the signed shim loader isn't going to boot a kernel unless it also is trusted. If it boots an untrustable kernel, then the keys are likely to be revoked (as you later mentioned). A Linux distro actually did this and are (from my understanding) going to have consequences for not listening or implementing this correctly. No, it is not safe to even think about booting an untrustable kernel with the signed boot flow.
Now sure, you can have your own platform keys, but then you're going to need to do all of the signing yourself, and not work out of the box.
- Trustable Linux system
A trustable Linux system is UEFI SecureBoot loaded and make addition precautions to avoid attacks and attacks to the boot chain. If we think of a highly secured Linux, the kernel lockdown is certainly highly desirable but just as many other aspects:
- iommu must be enabled to protect against DMA attacks
- sysfs needs to be cleaned (access rights are not tight enough)
- debugfs need to be banned (problem: some production control operations
are wrongly in debugfs) -SE Linux
- IMA
- ...
Yes, this is why a real audit is required on the Arm side. As I have repeatedly highlighted to the various parties involved as necessary.
UEFI SecureBoot does not mandate Microsoft signed keys. But if you use Microsoft keys, I was warned that Microsoft may revoke certificates for non locked down systems. This warning illustrate the absolute need for independence related to UEFI SecureBoot: I can't imagine a system in Europe (particularly in military) prevented to boot because Microsoft revoked a certificate!!!
I know you don't mean anything against Microsoft here, but just in case others get the wrong angle. We actually pushed Arm to go and setup a neutral certificate authority for exactly this reason. Years ago. But nobody has done it. So we are *grateful* that Microsoft are willing to do so. Since they are the only ones will to do it, we'll play by their rules, which means (rightly) not allowing Linux to be used as a malware trojan - the signed path needs to be done right, meaning that we need real lockdown patches implemented properly to do it right at all.
Jon.
Thanks Jon for the comments.
On Wed, 19 Jun 2019 at 18:24, Jon Masters jcm@redhat.com wrote:
On 6/19/19 10:56 AM, Francois Ozog wrote:
I was tasked to come back to Linaro TSC with an answer on Linaro and kernel lockdown for UEFI SecureBoot, hence the call for feed back.
So I did some research... The kernel lockdown does not seem to be a full consensus yet: https://news.ycombinator.com/item?id=16761827
I also did some research. There is nobody currently working on lockdown patches for Arm. As in the upstream lockdown effort explicitly is not involving Arm at this stage. I flagged this with Arm several years ago, re-raised it a few months ago, and am raising it again here right now.
- UEFI SecureBoot: boot chain trust
My understanding is that UEFI SecureBoot ensures that the booted UEFI payload is trusted. Should the UEFI payload (a Linux OS) not be that secure it is irrelevant to the UEFI SecureBoot itself.
Sure. But the signed shim loader isn't going to boot a kernel unless it also is trusted. If it boots an untrustable kernel, then the keys are likely to be revoked (as you later mentioned). A Linux distro actually did this and are (from my understanding) going to have consequences for not listening or implementing this correctly.
shim is not mandatory at all. shim is necessary if there is a controlling entity that makes signature of kernels complex. the boot chain includes Linux. providing that the linux signature is validated, then the boot chain is good.
No, it is not safe to even think about booting an untrustable kernel with the signed boot flow.
"safe" and UEFI SecureBoot compliant are two very different things.
and as I described below, you can obtain a trustable kernel in particular conditions that do not need lockdown. Let's not mix the goals and the means.
Now sure, you can have your own platform keys, but then you're going to need to do all of the signing yourself, and not work out of the box.
- Trustable Linux system
A trustable Linux system is UEFI SecureBoot loaded and make addition precautions to avoid attacks and attacks to the boot chain. If we think of a highly secured Linux, the kernel lockdown is certainly highly desirable but just as many other aspects:
- iommu must be enabled to protect against DMA attacks
- sysfs needs to be cleaned (access rights are not tight enough)
- debugfs need to be banned (problem: some production control operations
are wrongly in debugfs) -SE Linux
- IMA
- ...
Yes, this is why a real audit is required on the Arm side. As I have repeatedly highlighted to the various parties involved as necessary.
UEFI SecureBoot does not mandate Microsoft signed keys. But if you use Microsoft keys, I was warned that Microsoft may revoke certificates for non locked down systems. This warning illustrate the absolute need for independence related to UEFI SecureBoot: I can't imagine a system in Europe (particularly in military) prevented to boot because Microsoft revoked a certificate!!!
I know you don't mean anything against Microsoft here, but just in case others get the wrong angle. We actually pushed Arm to go and setup a neutral certificate authority for exactly this reason. Years ago. But nobody has done it. So we are *grateful* that Microsoft are willing to do so. Since they are the only ones will to do it, we'll play by their rules, which means (rightly) not allowing Linux to be used as a malware trojan - the signed path needs to be done right, meaning that we need real lockdown patches implemented properly to do it right at all.
Well, there is not need to have a unique central authority for the keys.
For instance, it could be desirable that Caterpilar will be the central authority to deal with keys of all ECUs in a Caterpilar mining machine. AWS or other providers such as Verisign could deliver a "Certificate Authority as a Service" as a turn key solution for those willing to operate such an authority. The need for Arm to have a central authority may exist. I would be willing to promote that discussion in the context of device onboarding activities happening between Intel and Arm.
Jon.
-- Computer Architect | Sent with my Fedora powered laptop
On Wed, Jun 19, 2019 at 12:24:36PM -0400, Jon Masters wrote:
On 6/19/19 10:56 AM, Francois Ozog wrote:
I was tasked to come back to Linaro TSC with an answer on Linaro and kernel lockdown for UEFI SecureBoot, hence the call for feed back.
So I did some research... The kernel lockdown does not seem to be a full consensus yet: https://news.ycombinator.com/item?id=16761827
I also did some research. There is nobody currently working on lockdown patches for Arm. As in the upstream lockdown effort explicitly is not involving Arm at this stage. I flagged this with Arm several years ago, re-raised it a few months ago, and am raising it again here right now.
I know that Ard (Cc'd) had looked into this area, as he was involved in LKML discussions.
My understanding is that the vast majority of the issues with kernel lockdown are not architecture specific, and for arm/arm64 we've deliberately avoided introducing architecture-specific functionality which would be problematic for lockdown.
I strongly suspect the people you need to speak to are not subscribed to this list (nor do they post on hacker news), and asking questions on LAKML and LKML would be much more valuable.
Thanks, Mark.
- UEFI SecureBoot: boot chain trust
My understanding is that UEFI SecureBoot ensures that the booted UEFI payload is trusted. Should the UEFI payload (a Linux OS) not be that secure it is irrelevant to the UEFI SecureBoot itself.
Sure. But the signed shim loader isn't going to boot a kernel unless it also is trusted. If it boots an untrustable kernel, then the keys are likely to be revoked (as you later mentioned). A Linux distro actually did this and are (from my understanding) going to have consequences for not listening or implementing this correctly. No, it is not safe to even think about booting an untrustable kernel with the signed boot flow.
Now sure, you can have your own platform keys, but then you're going to need to do all of the signing yourself, and not work out of the box.
- Trustable Linux system
A trustable Linux system is UEFI SecureBoot loaded and make addition precautions to avoid attacks and attacks to the boot chain. If we think of a highly secured Linux, the kernel lockdown is certainly highly desirable but just as many other aspects:
- iommu must be enabled to protect against DMA attacks
- sysfs needs to be cleaned (access rights are not tight enough)
- debugfs need to be banned (problem: some production control operations
are wrongly in debugfs) -SE Linux
- IMA
- ...
Yes, this is why a real audit is required on the Arm side. As I have repeatedly highlighted to the various parties involved as necessary.
UEFI SecureBoot does not mandate Microsoft signed keys. But if you use Microsoft keys, I was warned that Microsoft may revoke certificates for non locked down systems. This warning illustrate the absolute need for independence related to UEFI SecureBoot: I can't imagine a system in Europe (particularly in military) prevented to boot because Microsoft revoked a certificate!!!
I know you don't mean anything against Microsoft here, but just in case others get the wrong angle. We actually pushed Arm to go and setup a neutral certificate authority for exactly this reason. Years ago. But nobody has done it. So we are *grateful* that Microsoft are willing to do so. Since they are the only ones will to do it, we'll play by their rules, which means (rightly) not allowing Linux to be used as a malware trojan - the signed path needs to be done right, meaning that we need real lockdown patches implemented properly to do it right at all.
Jon.
-- Computer Architect | Sent with my Fedora powered laptop _______________________________________________ boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture
On Wed, 19 Jun 2019 at 18:25, Jon Masters jcm@redhat.com wrote:
On 6/19/19 10:56 AM, Francois Ozog wrote:
I was tasked to come back to Linaro TSC with an answer on Linaro and kernel lockdown for UEFI SecureBoot, hence the call for feed back.
So I did some research... The kernel lockdown does not seem to be a full consensus yet: https://news.ycombinator.com/item?id=16761827
I also did some research. There is nobody currently working on lockdown patches for Arm. As in the upstream lockdown effort explicitly is not involving Arm at this stage. I flagged this with Arm several years ago, re-raised it a few months ago, and am raising it again here right now.
- UEFI SecureBoot: boot chain trust
My understanding is that UEFI SecureBoot ensures that the booted UEFI payload is trusted. Should the UEFI payload (a Linux OS) not be that secure it is irrelevant to the UEFI SecureBoot itself.
Sure. But the signed shim loader isn't going to boot a kernel unless it also is trusted. If it boots an untrustable kernel, then the keys are likely to be revoked (as you later mentioned). A Linux distro actually did this and are (from my understanding) going to have consequences for not listening or implementing this correctly. No, it is not safe to even think about booting an untrustable kernel with the signed boot flow.
Now sure, you can have your own platform keys, but then you're going to need to do all of the signing yourself, and not work out of the box.
We need some middle ground here - see below.
...
UEFI SecureBoot does not mandate Microsoft signed keys. But if you use Microsoft keys, I was warned that Microsoft may revoke certificates for non locked down systems. This warning illustrate the absolute need for independence related to UEFI SecureBoot: I can't imagine a system in Europe (particularly in military) prevented to boot because Microsoft revoked a certificate!!!
I know you don't mean anything against Microsoft here, but just in case others get the wrong angle. We actually pushed Arm to go and setup a neutral certificate authority for exactly this reason. Years ago. But nobody has done it. So we are *grateful* that Microsoft are willing to do so. Since they are the only ones will to do it, we'll play by their rules, which means (rightly) not allowing Linux to be used as a malware trojan - the signed path needs to be done right, meaning that we need real lockdown patches implemented properly to do it right at all.
So why again does there need to only a single signing authority? If I run RHEL on my servers, I only care about the RedHat signing key, and perhaps the signing key of the vendor of the NIC if it is a plugin type.
i know it is inconvenient, but it is also a *lot* more secure, so if we takes all this stuff as seriously as we say we do, let's implement it properly and use UEFI secure boot the way it was intended.
By the same reasoning, one of the things on my todo list is to make GRUB work without shim. E.g., if the RHEL installer spots the RedHat certificate in db, why on earth should it bother to install shim in the first place?
As usual, the things that are driven mostly from the distro side are way too much geared towards making things work exactly like on x86, even if it makes no sense whatsoever to do so.
On Wed, 19 Jun 2019 at 15:57, Francois Ozog francois.ozog@linaro.org wrote:
Hi
I was tasked to come back to Linaro TSC with an answer on Linaro and kernel lockdown for UEFI SecureBoot, hence the call for feed back.
So I did some research... The kernel lockdown does not seem to be a full consensus yet: https://news.ycombinator.com/item?id=16761827
I agree with Linus
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1654795.html:
we should distinguish UEFI SecureBoot and how to achieve a highly secured Operating System runtime environment.
Decoupling the enable/disable decision for kernel lockdown from the UEFI secure boot status is, I think, already widely agreed upon. Certainly the latest versions of the lockdown patchset already implement this decoupling ( https://lwn.net/Articles/784674/ ).
- UEFI SecureBoot: boot chain trust
My understanding is that UEFI SecureBoot ensures that the booted UEFI payload is trusted. Should the UEFI payload (a Linux OS) not be that secure it is irrelevant to the UEFI SecureBoot itself.
- Trustable Linux system
A trustable Linux system is UEFI SecureBoot loaded and make addition precautions to avoid attacks and attacks to the boot chain. If we think of a highly secured Linux, the kernel lockdown is certainly highly desirable but just as many other aspects:
- iommu must be enabled to protect against DMA attacks
- sysfs needs to be cleaned (access rights are not tight enough)
- debugfs need to be banned (problem: some production control operations
are wrongly in debugfs) -SE Linux
- IMA
- ...
In my view, we shall not mix the goal and the means to achieve the goal.... For instance, kernel lock down prevents iopl system call which prevents UIO and UIO enabled DPDK drivers. A vendor may evaluate that the security level achieved without kernel lockdown is in line with its objectives to achieve a trustable Linux system: loadable modules disabled by the kernel, kernel embedded initramfs, IMA...
If the vendor intends to get this *right* I think they would be extremely foolish to overlook the knowledge already embedded in the lockdown patchset. Lockdown will probably never be perfect but ignoring this significant body of battle tested and well documented work sounds like madness to me.
Daniel.
As a result, UEFI SecureBoot to secure the boot chain combined with selected Linux hardening can achieve a Trustable Linux System.
As per LEDGE both are highly important I would say that 1) does not need 2) to be complete.
The way to achieve 2) is project dependent. The LEDGE RP will need kernel lockdown because we will allow loadable modules. SoC vendors deriving a product out of LEDGE RP, may take different provisions as per customer projects, in particular, they may derive a version without lockdown but still trustable.
There is an additional twists to this.
UEFI SecureBoot does not mandate Microsoft signed keys. But if you use Microsoft keys, I was warned that Microsoft may revoke certificates for non locked down systems. This warning illustrate the absolute need for independence related to UEFI SecureBoot: I can't imagine a system in Europe (particularly in military) prevented to boot because Microsoft revoked a certificate!!!
Cheers
FF
-- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog@linaro.org | Skype: ffozog _______________________________________________ boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture
boot-architecture@lists.linaro.org
-
Ard Biesheuvel -
Daniel Thompson -
Francois Ozog -
Jon Masters -
Mark Rutland