[Bug 842144] New: Secure-boot is useless
https://bugzilla.novell.com/show_bug.cgi?id=842144 https://bugzilla.novell.com/show_bug.cgi?id=842144#c0 Summary: Secure-boot is useless Classification: openSUSE Product: openSUSE Factory Version: 13.1 Beta 1 Platform: x86-64 OS/Version: Other Status: NEW Severity: Enhancement Priority: P5 - None Component: Bootloader AssignedTo: jsrain@suse.com ReportedBy: nrickert@ameritech.net QAContact: jsrain@suse.com Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 I made that comment about secure-boot in a forum post http://forums.opensuse.org/english/get-technical-help-here/install-boot-logi... (see comment #21) after describing how I was "cheating" to enable me to boot 13.1. Briefly, I changed grub.cfg as follows: s/linuxefi/linux/ s/initrdefi/initrd/ and that bypasses checking of the signature of the kernel. arvidjaar (Andrey) asked me to post a bug report to have a place for discussion. I'll flag this as an enhancement request for the moment. Reproducible: Always Steps to Reproduce: 1. 2. 3. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144 https://bugzilla.novell.com/show_bug.cgi?id=842144#c1 --- Comment #1 from Neil Rickert <nrickert@ameritech.net> 2013-09-24 21:00:38 UTC --- My personal opinion - the ability to use encrypted "/boot" is the best way to solve that. My "cheating" isn't really a problem if it requires editing "grub.cfg" in an encrypted "/boot". And the ability to cheat allows booting other versions of linux, possibly including 32-bit versions (not tested). An encrypted "/boot" would also protect the "initrd" which is another weakness in the current scheme. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144 https://bugzilla.novell.com/show_bug.cgi?id=842144#c2 Andrey Borzenkov <arvidjaar@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |arvidjaar@gmail.com --- Comment #2 from Andrey Borzenkov <arvidjaar@gmail.com> 2013-09-25 05:20:24 UTC --- I would not call it enhancement ... rather it sounds like honest security issue. We are providing trusted binary that is able to load arbitrary code WITHOUT ANY SECURITY CHECKS. IOW signed grub.efi should really disable any other loader except linuxefi and secured chainloader. I.e. only those loaders that verify payload via shim should be allowed. Of course, this does not solve the problem of unsigned initrd at all, so it just pushes the problem one level up. But as we are not *executing* it, it strictly speaking is not our (grub) problem. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144 https://bugzilla.novell.com/show_bug.cgi?id=842144#c Jiri Srain <jsrain@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|jsrain@suse.com |mchang@suse.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144 https://bugzilla.novell.com/show_bug.cgi?id=842144#c3 --- Comment #3 from Michael Chang <mchang@suse.com> 2013-09-25 08:20:03 UTC --- Yes. Things are like Andrey have explained. The grub2-secureboot-no-insmod-on-sb.patch is ineffective as it only blocks insmod command, but still allow module autoloading (which you're using to cheat) and normal.mod which silently loads module .. Recent grub2-secureboot-no-insmod-on-sb.patch has been refreshed and your trick will no longer work for new factory installation. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144 https://bugzilla.novell.com/show_bug.cgi?id=842144#c4 --- Comment #4 from Andrey Borzenkov <arvidjaar@gmail.com> 2013-09-25 08:52:22 UTC --- (In reply to comment #3)
Recent grub2-secureboot-no-insmod-on-sb.patch has been refreshed and your trick will no longer work for new factory installation.
IIRC Neil was having this problem in 13.1B1 which should already include this patch? Neil, which exact version of grub2 do you have? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144 https://bugzilla.novell.com/show_bug.cgi?id=842144#c5 Neil Rickert <nrickert@ameritech.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|Enhancement |Normal --- Comment #5 from Neil Rickert <nrickert@ameritech.net> 2013-09-25 13:42:44 UTC ---
Neil, which exact version of grub2 do you have?
That trick was with the grub2-efi from 12.3. I can't get the grub from 13.1 to do anything unless I disable secure-boot. In "insmod" really disabled -- perhaps that's part of the problem. In my opinion, it should be checking the validity of insmod loads (either a signature verification or file hash check from a compiled-in list of hashes). I note that the entry to start Windows uses some "insmod" lines. I am not sure to what extent UUID searches depend on "insmod", but if they do then that could also pose a problem with blocking "insmod". I cannot rely on lines such as "set root='hd0,gpt1'". That particular one probably works. But the BIOS hard disk numbering on my box depends on whether a USB disk is plugged in. And on the first boot after install from a USB, there is likely to be a USB flash drive plugged in.
I would not call it enhancement
I'll see if I can change that. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144 https://bugzilla.novell.com/show_bug.cgi?id=842144#c6 --- Comment #6 from Andrey Borzenkov <arvidjaar@gmail.com> 2013-09-26 10:41:11 UTC --- (In reply to comment #5)
That trick was with the grub2-efi from 12.3.
You filed bug against 13.1 Unless you can reproduce it with grub from that version, the bug should be closed as invalid.
In "insmod" really disabled -- perhaps that's part of the problem. In my opinion, it should be checking the validity of insmod loads (either a signature verification or file hash check from a compiled-in list of hashes).
Current grub2 supports (mandatory) signature verification. Minor details are key management and what to do with volatile files (grub.cfg, grubenv and similar) :) But this better is discussed in feature request.
I am not sure to what extent UUID searches depend on "insmod",
Signed grub binary includes support for UUID search. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144 https://bugzilla.novell.com/show_bug.cgi?id=842144#c7 --- Comment #7 from Michael Chang <mchang@suse.com> 2013-09-27 07:14:04 UTC --- (In reply to comment #6)
Current grub2 supports (mandatory) signature verification. Minor details are key management and what to do with volatile files (grub.cfg, grubenv and similar) :) But this better is discussed in feature request.
IT be a rather big topic. :) I can imagine two of them here .. :) 1. shim might have to offer MOKx to blacklist MOK or hash of binary, therefore if we fix or improve any vulnerability in bootloader (like this case), then it's possible to have a new cert and blacklist the old one (there's seems to be progress or directing on this in upstream shim ..). 2. grub2 is possible to load signed module and signed grubenv file. Well, as long as grub2 only accept gpg signing keys and tools I don't know how can it be integrated to MOK keyrings and probably potential license issues on different crypto implementations etc (openssl/gpg/nss). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144 https://bugzilla.novell.com/show_bug.cgi?id=842144#c8 --- Comment #8 from Neil Rickert <nrickert@ameritech.net> 2013-09-27 15:25:10 UTC ---
the bug should be closed as invalid. (c #6 )
I won't change it until I have tested a working 13.1 (secure-boot working). I hope I'll see that with RC1. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144 https://bugzilla.novell.com/show_bug.cgi?id=842144#c9 Neil Rickert <nrickert@ameritech.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |INVALID --- Comment #9 from Neil Rickert <nrickert@ameritech.net> 2013-11-30 23:32:42 UTC --- As requested, I am now marking this closed. The released 13.1 does fix the problem of being able to avoid kernel signature check. There is still no check of the integrity of the "initrd" used, and I consider that a weakness of secure-boot. But that's more a limitation than a bug. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com