Received: by 10.213.65.68 with SMTP id h4csp2264988imn; Thu, 5 Apr 2018 11:50:41 -0700 (PDT) X-Google-Smtp-Source: AIpwx49HUG2Ke4cbdAtN+lKBfiFweQDWfFa8Qy3O+FIc7xLfTKbMFt1UMx8LkvTxbIlmVw6dzMM0 X-Received: by 2002:a17:902:6ec5:: with SMTP id l5-v6mr23762679pln.113.1522954241219; Thu, 05 Apr 2018 11:50:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522954241; cv=none; d=google.com; s=arc-20160816; b=uBYNWzXOhkA4f04czNe8VV+9Iq/DozycAUiJzEuD0KIO25Nvo3Qe5FbNcKVECt0ci2 RfQaqiBOkBd2cG06xM7dvT1K9aZmPiVLEZlErMON9yq3u9tCqjdaQ7w8GTpUon7wF/rQ qLUZ5z7j1gInSFO69E3G+H3ipKoExxBAExSvOuLSVv/zognH2CnJJVuLerrKnOi1arTI MZ243LD512dqNSTu9cDjsWfJD3VKr8JhHuWg68V0zlWbCL3hT+Ze0G+MPpAI47Utf0U2 OU7kCVyJeEOBh2DDmfFaX9BmK6l6ERG0GTp8NF8ZpeOYt2QxJtdVmFCNhRtWkx1hWU22 HUqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dmarc-filter :arc-authentication-results; bh=wq61rPRZ2JwpkcYew1aQmZTyEEw62horT4ZR4jCMnTY=; b=L34kkzBarVlTPXKk/B/6Bm7IVVw7BmKgf+MPb4RjS6xnhHGCG/UUw22CYMOCXbdjS3 q+Y2L+CRmUMKaq/q3sLfK44irzXU9xnf4orD04CNJ324jILEQdZ5+TX8Ot2omnnkmji/ 0xAD6GFLhdyM/QW6D0blURgue7z5+XZ2RfjZHCtiBWjB8LWbxCk/Qm2Psd0b2XzQLaJR j7MSu6278IQrsX+jhYI1RTiujXkCR7RXCCiR6+sW7q8yJ+D9q7DswAGq0t9rIQPHQBmx k+Poua+WZeA4uXUpJ6ofd/A+GwL4wyndXTidxMywgu4o4kMCRN8mCn2wtmI6WuSMwEm0 ZEeg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t125si5899955pgc.6.2018.04.05.11.50.25; Thu, 05 Apr 2018 11:50:41 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753211AbeDESsa (ORCPT + 99 others); Thu, 5 Apr 2018 14:48:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:57246 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752885AbeDESsY (ORCPT ); Thu, 5 Apr 2018 14:48:24 -0400 Received: from mail-io0-f177.google.com (mail-io0-f177.google.com [209.85.223.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6A01F21835 for ; Thu, 5 Apr 2018 18:48:13 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6A01F21835 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-io0-f177.google.com with SMTP id y128so31791972iod.4 for ; Thu, 05 Apr 2018 11:48:13 -0700 (PDT) X-Gm-Message-State: AElRT7FO4XPnSJdbJx7ngMM3A8q8o6Who5VX17uITIg1WBzQmlqgFDXb WPEGwDnHgsNdk8Q0PaTlabRHVGyn2iMq9M5xVf48kg== X-Received: by 10.107.57.84 with SMTP id g81mr21292581ioa.6.1522954092707; Thu, 05 Apr 2018 11:48:12 -0700 (PDT) MIME-Version: 1.0 Received: by 10.2.137.70 with HTTP; Thu, 5 Apr 2018 11:47:52 -0700 (PDT) In-Reply-To: <20180404184255.exdrtpqnxlqme7tl@redhat.com> References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <20180404184255.exdrtpqnxlqme7tl@redhat.com> From: Andy Lutomirski Date: Thu, 5 Apr 2018 11:47:52 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: Peter Jones Cc: Andy Lutomirski , Matthew Garrett , David Howells , Ard Biesheuvel , James Morris , Alan Cox , Linus Torvalds , Greg Kroah-Hartman , Linux Kernel Mailing List , Justin Forbes , linux-man , joeyli , LSM List , Linux API , Kees Cook , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 4, 2018 at 11:42 AM, Peter Jones wrote: > On Tue, Apr 03, 2018 at 02:51:23PM -0700, Andy Lutomirski wrote: >> On Tue, Apr 3, 2018 at 12:29 PM, Matthew Garrett wrote: >> Can someone please explain why the UEFI crowd cares so much about "as >> a bootloader"? Once I'm able to install an OS (Linux kernel + >> bootloader, Windows embedded doodad, OpenBSD, whatever) on your >> machine, I can use your peripherals, read your data, write your data, >> see your keystrokes, use your network connection, re-flash your BIOS >> (at least as well as any OS can), run VMs, and generally own your >> system. Somehow you all seem fine with all of this, except that the >> fact that I can chainload something else gives UEFI people the >> willies. >> >> Can someone explain why? > > There's no inherent difference, in terms of the trust chain, between > compromising it to use the machine as a toaster or to run a botnet - the > trust chain is compromised either way. But you're much more likely to > notice if your desktop starts producing bread products than if it hides > some malware and keeps on booting, and the second one is much more > attractive to attackers anyway. > > The reason we talk about it as a bootloader is because of the model > employed by malware. I'm sure you know that one kind of malware that > exists in the wild, a so-called "boot kit", operates by modifying a > kernel during load (or on disk before loading) so that it has some > malicious payload, like exfiltrating user data or allowing a way to > install software that the kernel hides or *whatever*, and incorporating > some way to achieve relative persistence on the system - for example > hiding the real boot settings and loading a kernel with a different than > normal initramfs that loads an exploit before continuing with a normal > looking boot. This is a fair point, but I wonder how much it matters in practice. If I'm writing a bootkit, I can think of at least four ways to do it. 1. The easy way. Write a malicious bootloader that modifies the kernel image to insert malicious code. Stock secure boot makes this awkward because you need a signed bootloader. It's worth noting that a non-locked-down signed Linux kernel is actually a rather awkward way to do this because it will add several seconds to the boot and may show a splash screen unless you're rather careful. 2. The CPL3 way. Write a malicious initramfs that inserts the malicious code in PID 1 instead. This might be easier to get working across a variety of Linux kernels, but it's more awkward to hide well from userspace. Conventional secure boot (with the stock MS keys) doesn't help at all. 3. The nasty way. Find a known exploitable kernel or bootloader, and use it to do your evil deeds. This is very, very hard to protect against with normal secure boot. 4. The VM-kit way. Use a signed, locked down, perfectly secure kernel and run your pwned system as a VM guest. Secure boot doesn't help one whit. *All* of these variants are avoided by a real, working verified boot approach that chains all the way down to the running system image, and *that* solution doesn't need cpl0 and cpl3 to be separated. So I find myself wondering whether the bootkit argument is actually very compelling.