Message-ID: <1518614486.4749.33.camel@profitbricks.com>
Subject: Re: Read-protected UEFI variables
From: Benjamin Drung
To: Ard Biesheuvel
Cc: Matthew Garrett, Jeremy Kerr, Matt Fleming, linux-efi@vger.kernel.org, Linux Kernel Mailing List
Date: Wed, 14 Feb 2018 14:21:26 +0100
References: <1518612748.4749.29.camel@profitbricks.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wednesday, 14 Feb 2018 at 13:09 +0000, Ard Biesheuvel wrote:
> On 14 February 2018 at 12:52, Benjamin Drung wrote:
> > Hi,
> >
> > I am exploring the possibility of storing SSH and other keys in UEFI
> > variables for systems that do not have persistent storage. These
> > systems boot via network and need individual SSH keys which ideally
> > should not be distributed via network.
> >
> > The plan is to write a small daemon that starts at boot and gets the
> > SSH keys from EFI variables to individualize the system with SSH keys.
> > I plan to release the code as free software. Simple proof-of-concept
> > code:
> >
> > mount -t efivarfs none /sys/firmware/efi/efivars
> > for key in ssh_host_dsa_key ssh_host_ecdsa_key ssh_host_rsa_key; do
> >     # skip the 4-byte attribute header efivarfs prepends to the data
> >     dd ibs=1 skip=4 if=/sys/firmware/efi/efivars/${key}-89df11f4-38e6-473e-ab43-b4406b76fba9 of=/etc/ssh/$key
> > done
> >
> > I am not the first person to have the idea of using UEFI variables to
> > store keys:
> > https://www.usenix.org/conference/srecon17asia/program/presentation/korgachin
> >
> > There is one problem: the keys should be readable only by root. When
> > mounting efivarfs, all variables have the permission 644, which makes
> > them readable by all users. I have different ideas on how to solve it:
> >
> > 1) Hard-code a list of GUIDs that should be only readable by root in
> > the kernel module. These modules would also not be set to immutable.
> >
> > 2) Instead of hard-coding GUIDs, add a kernel module parameter to
> > specify the GUIDs. Maybe have a default list in the kernel module.
> >
> > 3) Add a mount option to specify the protected GUIDs.
> >
> > Feedback is welcome.
>
> I'd consider a patch that makes the permissions a mount option for
> efivarfs, applying to all variables. The reason is that these
> variables shouldn't have been world readable in the first place, and I
> am reluctant to make this overly complex.

Having some variables (like the BootXXXX and BootOrder variables) world
readable is useful. This allows normal users to run 'efibootmgr' to
display the boot options.

> On the other hand, you should realize that UEFI was never designed to
> keep secrets, and so whether it is a good idea to put secrets in UEFI
> variables to begin with is dubious IMHO.

If UEFI is as secure as storing an unencrypted file on a hard drive,
I am satisfied. Or do you have a better idea where to store the SSH
keys for a diskless system that boots via network?

--
Benjamin Drung
System Developer
Debian & Ubuntu Developer

ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin

Email: benjamin.drung@profitbricks.com
URL: https://www.profitbricks.de

Registered office: Berlin
Register court: Amtsgericht Charlottenburg, HRB 125506 B
Managing directors: Achim Weiss, Matthias Steinberg
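A stricter version of the proof-of-concept loop quoted above, added here as an example; it is not code from the thread or from any project. Each file under efivarfs starts with a 4-byte attribute word (a host-endian u32) followed by the variable data, which is what the `dd ibs=1 skip=4` in the mail skips. This version also decodes that attribute word and refuses variables that are not both non-volatile and runtime-accessible, warns when the source file carries the world-readable mode the thread complains about, and creates the key file under `umask 077` so it is never 0644 even briefly. The GUID is the one used in the mail; the `ssh_host_ed25519_key` name, the fixture contents and the `make_fixture`/`demo` helpers are assumptions so the script runs without a real efivarfs mount.

```shell
#!/bin/sh
# Added example, not code from the mail thread. Reads SSH host keys out of
# efivarfs-style files (4-byte attribute header + data) into 0600 files.
# The fixture below stands in for /sys/firmware/efi/efivars (assumption).

EFI_VARIABLE_NON_VOLATILE=1        # survives reboot
EFI_VARIABLE_BOOTSERVICE_ACCESS=2  # readable by boot services
EFI_VARIABLE_RUNTIME_ACCESS=4      # readable by the OS via efivarfs
KEY_GUID=89df11f4-38e6-473e-ab43-b4406b76fba9   # GUID from the mail

# Print the attribute word of an efivarfs file as a decimal integer.
efivar_attrs() {
    od -An -tu4 -N4 "$1" | tr -d ' \n'
}

# Succeed if the "other" read bit is set on the file (column 8 of ls -l).
efivar_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Copy the payload (everything after the header) of $1 to $2 with mode 0600.
efivar_extract_key() {
    src=$1
    dst=$2
    attrs=$(efivar_attrs "$src")
    [ -n "$attrs" ] || { echo "cannot read attributes of $src" >&2; return 1; }
    if [ $(( attrs & EFI_VARIABLE_RUNTIME_ACCESS )) -eq 0 ] ||
       [ $(( attrs & EFI_VARIABLE_NON_VOLATILE )) -eq 0 ]; then
        echo "skip $src: attributes $attrs (need NV and RT)" >&2
        return 1
    fi
    if efivar_world_readable "$src"; then
        echo "warning: $src is world readable" >&2
    fi
    # Restrictive umask in a subshell so the key file is never created 0644;
    # tail -c +5 is the same cut as the dd ibs=1 skip=4 in the mail.
    ( umask 077 && tail -c +5 "$src" > "$dst" ) || return 1
    chmod 0600 "$dst"
}

# Install every host key found in $1 (efivars dir) into $2 (ssh dir).
# Prints the number of keys installed.
install_host_keys() {
    efivars=$1
    sshdir=$2
    n=0
    for key in ssh_host_ed25519_key ssh_host_ecdsa_key ssh_host_rsa_key; do
        src=$efivars/$key-$KEY_GUID
        [ -e "$src" ] || continue
        if efivar_extract_key "$src" "$sshdir/$key"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed fixture: one variable with NV|BS|RT (7) holding a fake key,
# one with only NV|BS (3) that the OS could not have read at runtime.
make_fixture() {
    dir=$(mktemp -d)
    printf '\007\000\000\000-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE\n-----END OPENSSH PRIVATE KEY-----\n' \
        > "$dir/ssh_host_ed25519_key-$KEY_GUID"
    printf '\003\000\000\000not-readable-at-runtime' \
        > "$dir/ssh_host_rsa_key-$KEY_GUID"
    chmod 0644 "$dir"/*      # mimic the efivarfs default the thread objects to
    echo "$dir"
}

# Demo run against the fixture; on a real box the arguments would be
# /sys/firmware/efi/efivars and /etc/ssh.
demo() {
    fx=$(make_fixture)
    mkdir -p "$fx/ssh"
    echo "installed $(install_host_keys "$fx" "$fx/ssh") key(s)"
    ls -l "$fx/ssh"
    rm -rf "$fx"
}

demo
```

Note what the mode bits do and do not fix: the copy in `/etc/ssh` is root-only, but the variable itself stays readable by every local user through efivarfs until the permission issue raised in the thread is addressed on the kernel side, and the data sits unencrypted in NVRAM regardless.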