View previous topic :: View next topic |
Author |
Message |
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 94
|
Posted: Sat Oct 26, 2024 12:49 am Post subject: Dual System Secure Boot (Gentoo+Windows), shim vs non shim |
|
|
Hi, I am considering secure boot on a dual system (gentoo + win11). I have read few articles and I want to make sure I understand the difference between shim and non shim secure boot in terms of security specifically with reference to one example.
Let’s assume we have a malware on our system which interfered with our boot binary. Let's assume that our private keys are well secured and the malicious actor has no access to them. In the case of non shim, for the system to boot the malware would have to modify the uefi db data. In turn, to do this, you would need a private key PK/KEK (which is not available) or resetting the PK (setup mode) and uploading your own, which would require running UEFI, i.e. physical access to the computer. In this case, the malware would not harm us regarding the boot process.
In the case of shim, the MOK list is modified. Since the MOK list is not stored in UEFI memory, malware could modify not only our boot binary, but also the MOK list without having physical access to the computer, which would make it possible to start the system with replaced boot components. As a result, the safety associated with shim is lower than non shim.
So what are the benefits of shim? From what I understand, there is no need to backup old, delete old and generate new keys and create a compound (old+new) because the shim is signed with a Microsoft certificate. However, we do this at the expense of security, because we transfer some public keys to the operating system level.
Is everything I wrote correct? |
|
Back to top |
|
|
GDH-gentoo Veteran
Joined: 20 Jul 2019 Posts: 1674 Location: South America
|
Posted: Sat Oct 26, 2024 2:44 pm Post subject: Re: shim vs non shim |
|
|
nxe9 wrote: | Since the MOK list is not stored in UEFI memory, [...] |
The MOK list is stored in UEFI nonvolatile storage, a companion of the Shim program, the MokManager (mmx64.efi on Intel / AMD 64-bit architecture), puts it there (simplifying a bit here). Think of the MOK list as a 'parallel' UEFI db —the variable that can store public keys for verifying the signature of UEFI PE32+ files—.
nxe9 wrote: | So what are the benefits of shim? |
Using the Secure Boot mechanisms, but without touching the PK, KEK, db and dbx. You need firmware cooperation for doing the latter, and there are notoriously bad firmware implementations of the UEFI specification out there...
It might also be convenient for installing binary-based distributions like Debian or Fedora on computers with Secure Boot enabled without having the user touch Secure Boot-related UEFI variables for booting them. _________________
NeddySeagoon wrote: | I'm not a witch, I'm a retired electronics engineer |
Ionen wrote: | As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though |
|
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 94
|
Posted: Sat Oct 26, 2024 3:25 pm Post subject: |
|
|
OK, but there is still, in my opinion, a key difference. The MOK list can be reset and overwritten from the system level without knowing the private key. According to https://wiki.gentoo.org/wiki/Shim
Quote: | An import request for shim can be generated with:
Code: | # mokutil --import /boot/sbcert.der |
Next reboot, shim will find that there is a pending import request and launch MokManager. |
In the case of uefi db, I can only do it if I know the private key (PK/KEK) or have access to uefi mode (physical access to the computer). Correct? |
|
Back to top |
|
|
GDH-gentoo Veteran
Joined: 20 Jul 2019 Posts: 1674 Location: South America
|
Posted: Sat Oct 26, 2024 3:44 pm Post subject: |
|
|
It is mentioned in only one sentence in that Wiki article, but the MokManager does a password verification for that step. There is a procedure for setting up the password for importing a new MOK that I don't see described in the article. _________________
NeddySeagoon wrote: | I'm not a witch, I'm a retired electronics engineer |
Ionen wrote: | As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though |
|
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 486
|
Posted: Sat Oct 26, 2024 4:29 pm Post subject: |
|
|
Secure Boot is based on a chain of trust. The root of this trust is the PK (platform key). The PK is usually set by the OEM or mainboard vendor. Where this chain of trust ends depends on the distribution. Normally the chain of trust ends with the signed kernel modules (but might end with shim).
The next step is the KEK (key exchange keys). The KEKs are signed with the PK.
At least one of the KEK is a Microsoft public key which is used to verify the signature of the Microsoft UEFI binaries and also to verify the signature of shim. Usually shim loads then Grub and is normally checking whether Grub is signed with a distribution specific key.
PK and KEK are public keys or certificates (not sure, but I guess they are certificates, not just public keys). They do not contain any private or secret stuff. Then there are at least two lists: db and dbx. The list of known certificates and the list of forbidden certificates (comparable with a CRL in a PKI).
You can replace every bit of this chain of trust, without knowing the private key. But usually this is only possible with physical access to the system. If the MOK list is part of the chain of trust, then the list must be signed with one of the "trustworthy" keys.
In an ideal world, the private keys are not stored (and were not created) on the system that is protected by Secure Boot. |
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 94
|
Posted: Sat Oct 26, 2024 6:03 pm Post subject: |
|
|
@GDH-gentoo: In my opinion, this does not change anything, because in fact, to add the signed modules to the MOK list I need to have a private key, but I can clear such MOK list from the system level (just as I can clear the PK and the entire trust chain from the UEFI level). Unless I'm still not understanding something.
@sMueggli: I more or less understand it the way you wrote it. What I meant was that in the case of a shim digitally signed by Microsoft I have two chains of trust. The first one from PK to shim, and the second one after shim. In my opinion, such a chain of trust is easier to break and can be broken from the operating system level. In the case of one continuous chain from PK to kernel modules I am not able to do this. I'm leaving out the issue of physical access, because then you can actually manipulate everything, but that's a different topic. Besides, you wrote about it yourself - "You can replace every bit of this chain of trust, without knowing the private key. But usually this is only possible with physical access to the system.". |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5041 Location: Bavaria
|
Posted: Sat Oct 26, 2024 7:14 pm Post subject: |
|
|
nxe9 wrote: | [...] I'm leaving out the issue of physical access, because then you can actually manipulate everything, but that's a different topic. [...] |
SecureBoot helps you ONLY against offline tampering and NEVER against online attacks. The same applies to FDE (full disk encryption). This also ONLY protects against offline tampering. Both is useless as soon as your machine has started and you sit before your keyboard and do something online.
If you want to protect yourself against online attacks, you need completely different things: Hardened kernel + a MAC system (SELinux or AppArmor) + IntegrityManagement + FireWall + Proxies ... (+ intelligent user not opening ervery mail attachment) _________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 94
|
Posted: Sat Oct 26, 2024 11:03 pm Post subject: |
|
|
@pietinger: I'm not sure I understand you correctly.
pietinger wrote: | SecureBoot helps you ... NEVER against online attacks. |
I believe that secure boot protects against online attacks targeting the boot process. If the system loads correctly (in the case of secure boot we can assume that the boot process did not contain any malware) and we are sitting in front of the keyboard, then of course we can still be exposed to malware and at this point secure boot does not provide us with any further security. However, the malware will still not be able to targeting the boot process. Do you agree with me? If not, please explain it to me in detail.
Here are quotes from the lenovo website
Quote: | What is a secure boot?
Secure boot is a fundamental security feature in Windows that ensures the integrity of your system's boot process. It functions by verifying the digital signatures of the bootloader and operating system, allowing only trusted and signed code to be executed during startup. This prevents unauthorized or malicious software from compromising the system early in the boot sequence. Enabling secure boot enhances your Windows device's resilience against various cyber threats, providing a crucial layer of defense for the overall security of your computer. It's an essential component in safeguarding against malware and maintaining the integrity of your operating system. |
Quote: | Does secure boot protect against all types of malwares?
Secure boot primarily focuses on safeguarding the boot process by verifying the digital signatures of the bootloader and operating system. While it offers a robust defense against malware attempting to compromise the startup sequence, it doesn't provide comprehensive protection against all types of malwares. Secure boot is effective against threats targeting the boot process, but additional security measures are recommended to ensure a holistic defense. Combining secure boot with reputable antivirus software and regular system updates enhances your overall protection against a broader range of malware threats on Windows. |
Quote: | Can secure boot prevent rootkits?
Yes, secure boot can significantly mitigate the risk of rootkits on Windows systems. By verifying the digital signatures of the bootloader and operating system during startup, secure boot thwarts attempt to install unauthorized code at the foundational level. This proactive measure enhances system integrity and prevents the compromise of the boot process, making it a crucial defense against rootkit attacks on Windows platforms. |
Quote: | Can secure boots prevent "boot kits"?
Yes, secure boots are effective against "boot kits" – a type of malware that infects the boot process. By verifying the digital signatures of the bootloader and operating system, secure boot prevents the installation of unauthorized code during startup, making it challenging for boot kits to compromise the system. |
https://www.lenovo.com/us/en/glossary/secure-boot/
In my opinion, the above holds me in my beliefs. Of course, my knowledge is limited and I am just learning about this topic, so I will be happy to improve. |
|
Back to top |
|
|
peteblank n00b
Joined: 26 Oct 2024 Posts: 4
|
Posted: Sun Oct 27, 2024 2:08 am Post subject: |
|
|
it used to be that bootkits and router malware were rare but apparently now theyre being sold
https://thecyberexpress.com/blacklotus-uefi-bootkit-hacking-forums/amp/
if you ask me i dont like uefi it should have stayed as bios, the bliat that uefi brought made the attack surface wider. it used to be eeprom now its flash so it can be rewritten multiple times without flashibg it with electricity.
imagine if you combine a router malware that hops from device to device with a bootkit and whatever else.
you could be visiting a porn site and ad has malware that can bypass the browsers sandbox and just like that.
i feel better with secure boot but id also feel better getting past the gentoo terminal heh. it can wait. |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5041 Location: Bavaria
|
Posted: Sun Oct 27, 2024 2:36 am Post subject: |
|
|
nxe9 wrote: | I believe that secure boot protects against online attacks targeting the boot process. If the system loads correctly (in the case of secure boot we can assume that the boot process did not contain any malware) and we are sitting in front of the keyboard, then of course we can still be exposed to malware and at this point secure boot does not provide us with any further security. However, the malware will still not be able to targeting the boot process. |
The boot process (under Linux) does not end when the kernel is loaded. SecureBoot should guarantee that the first binary that is booted from UEFI has a hash that is secured by signature. After UEFI has passed control to this binary, it is up to this binary to provide further security ... So even if you boot a (stub) kernel directly (which either only loads signed external modules or is a UKI), the chain ends at /sbin/init (*) at the latest. If init can be replaced by an online attack, you will have the same backdoor again the next time you boot the system. IntegrityManagement exists precisely to detect/prevent this.
*) init is not the only process that is started with root rights ...
In the the case of an online attack, a distinction must be made between a “loud” attack (which may be discovered later; because it is a one-off action) that aims to
- Steal data, or
- encrypt data in order to blackmail you
and a “silent” attack (which should not be noticed), which also wants to use your machine in the future to
- serve as a spam slinger or springboard for further attacks on other machines, or
- waits until sensitive data is being processed by the user (and therefore needs to be decrypted) to access it.
Since a loud online attack does not have to survive the system shutdown at all, the question of the security of the system startup is only relevant for quiet online attacks. And in this case, not only init, but also ps, ls, bash and many others are exchanged so that certain queries do not show which processes are really active ... none of this is possible with IMA. _________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 486
|
Posted: Sun Oct 27, 2024 10:23 am Post subject: |
|
|
nxe9 wrote: | @sMueggli: I more or less understand it the way you wrote it. What I meant was that in the case of a shim digitally signed by Microsoft I have two chains of trust. The first one from PK to shim, and the second one after shim. In my opinion, such a chain of trust is easier to break and can be broken from the operating system level. In the case of one continuous chain from PK to kernel modules I am not able to do this. I'm leaving out the issue of physical access, because then you can actually manipulate everything, but that's a different topic. Besides, you wrote about it yourself - "You can replace every bit of this chain of trust, without knowing the private key. But usually this is only possible with physical access to the system.". |
There is only one chain of trust. The chain of trust begins with the PK and ends somewhere.
Code: | PK -> KEK -> shim (-> MOK list) -> Grub -> kernel -> kernel modules ... |
There are two phases for the "path processing":
- Path construction: aggregate all certificates necessary to form a complete path
- Path validation: examine each certificate in the path
As a result, the process is either successful or the path validation fails. If you have two chains of trust, the first phase will fail. If it is successful, you have a big problem or only one chain of trust.
Regarding the private key: If you are in possess of the private key (of the PK and/or KEK) you can use it to replace and modify keys (from the operating system). On the other hand, if you lost access to the private key, you should be able to reset the Secure Boot keys.
The KEK is used to establish a trust relationship between the firmware and the operating system:
UEFI Specification 2.8 Errata B, May 2020 wrote: | Key exchange keys establish a trust relationship between the operating system and
the platform firmware. Each operating system (and potentially, each 3rd party
application which need to communicate with platform firmware) enrolls a public key
(KEKpub) into the platform firmware. |
Literature I can recommend:
- C. Adams und S. Lloyd, Understanding PKI : concepts, standards, and deployment considerations, 2nd ed. ;; chapter 9
- UEFI Forum, Unified Extensible Firmware Interface (UEFI) Specification : Version 2.8 Errata B ;; chapter 32
|
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 486
|
Posted: Sun Oct 27, 2024 10:50 am Post subject: |
|
|
pietinger wrote: | nxe9 wrote: | [...] I'm leaving out the issue of physical access, because then you can actually manipulate everything, but that's a different topic. [...] |
SecureBoot helps you ONLY against offline tampering and NEVER against online attacks. The same applies to FDE (full disk encryption). This also ONLY protects against offline tampering. |
Not sure how categorising attacks in online and offline attacks is helping here.
Nevertheless you are mixing some stuff here: Secure Boot and Encryption do not have the same security goal.
Secure Boot guarantees integrity (the I in CIA). This is achieved with asymmetric cryptography. Without having the private key, an attacker should not be able to tamper a file that is in the chain of trust of the Secure Boot process without being noticed. Having the private key, an attacker can do what he wants and Secure Boot is still "working".
Encryption guarantees confidentiality (the C in CIA). This is (mainly) achieved with symmetric cryptography. Encryption algorithms might also include integrity, but this is considered a side effect of the algorithm.
pietinger wrote: | SecureBoot should guarantee that the first binary that is booted from UEFI has a hash that is secured by signature. After UEFI has passed control to this binary, it is up to this binary to provide further security ... |
That is a misconception. Secure Boot is used to glue together the trust between the firmware and the operating system. This chain of trust ends "somewhere" (a natural ending for this chain of trust are the kernel modules). And yes, it is the job of the loaded software to verify things further. But it is still part of Secure Boot. |
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 94
|
Posted: Sun Oct 27, 2024 12:54 pm Post subject: |
|
|
sMueggli wrote: | There is only one chain of trust. The chain of trust begins with the PK and ends somewhere. |
OK, but for me it looks a little different, maybe because of my little knowledge. Yesterday I read that Microsoft is embedding distribution vendor certificates (like debian etc.) into the shim. Then the distribution vendors can sign their components and for me the chain of trust between PK and kernel modules is preserved and cannot be broken. The attacker cannot interrupt the chain of trust without knowing the private key of microsoft or the private key of the debian (etc.) vendor. In case I am a private gentoo user and I want to add my components to
Code: | (-> MOK list) -> Grub -> kernel -> kernel modules ... | based on my private key, there is no connection between microsoft and me. More precisely, Microsoft does not have my keys and its shim is not published with my keys, unlike in the case of e.g. Debian. Therefore, if I am responsible for digitally signing components at the operating system level, an attacker could also do it under favorable circumstances (clearing the mok list, entering his certificates based on his priv key and replacing the kernel modules). In the first case it is impossible and this is actually the main topic of my thread.*
In other words, when using Microsoft's shim in the case of the Gentoo distribution, I have less security than when using "Sakaki/Sakaki's EFI Install Guide/Configuring Secure Boot", where I generate the PK.
*Edit: In fact, the attacker can even do this in the case of Debian, because if I can enter keys not related to Microsoft on Gentoo, the attacker could also do it on Debian. For me, this shim concept is weak. |
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 486
|
Posted: Sun Oct 27, 2024 2:37 pm Post subject: |
|
|
The Fedora way (I might be wrong): Fedora is a Linux distribution and is signing kernel, modules, Grub and probably other stuff with a Fedora-specific (private) key. Then Fedora embeds the public Fedora-specific key in shim. Then Fedora makes a request at Microsoft to sign the (reproducible) build of the Fedora-specific shim. People at Microsoft are analysing the code and probably the process behind (weaknesses in the process, identity [is the requester really part of Fedora and is the requester in the possession of the private key?]) and will sign the Fedora-specific shim binary (or not).
The end user has a PC with a PK (not in possess of the private key) and some KEKs. At least one of the KEK is from Microsoft. Every KEK is signed by the PK. Again, the end user (normally) does not have any private key for the KEKs. But the user does not need to be in possess of any of those private keys.
From https://github.com/rhboot/shim:
Quote: | shim is a trivial EFI application that, when run, attempts to open and execute another application. It will initially attempt to do this via the standard EFI LoadImage() and StartImage() calls. If these fail (because Secure Boot is enabled and the binary is not signed with an appropriate key, for instance) it will then validate the binary against a built-in certificate. If this succeeds and if the binary or signing key are not forbidden then shim will relocate and execute the binary.
shim will also install a protocol which permits the second-stage bootloader to perform similar binary validation. This protocol has a GUID as described in the shim.h header file and provides a single entry point. On 64-bit systems this entry point expects to be called with SysV ABI rather than MSABI, so calls to it should not be wrapped. |
The Fedora-specific shim fails the initial attempt to verify the Grub binary because the Grub binary is not signed by one of the KEKs. But it will succeed because shim has a built-in certificate (from Fedora) and Grub is signed by Fedora. Then Grub will be loaded and Grub is then responsible for the binary validation process and so on.
In this scenario the user would not be able to self-compile the kernel or sign a kernel module (e.g. for Virtualbox) without disabling Secure Boot or part of the chain of trust. Therefore the MOK mechanism comes into play. This allows to deploy on keys. The security is not guaranteed by calculations based on asymmetric cryptography, but by the "presence of the machine owner". In practice the MOK manager asks for a one-time password that is then needed at the next reboot to deploy the new cert(s). I am pretty sure, that the MOK manager is also signed by Fedora.
If an attacker (or your mom or anybody else) wants to deploy a new cert to the MOK list, the person needs physical access to the computer. And probably needs to know a UEFI (BIOS) password when (re)booting the device?
The MOK lists are stored as EFI variables, exposed to Linux as /sys/firmware/efi/efivars/MokList*.
=============================================
Now the Do-it-Yourself-Secure-Boot way: The entire boot process and Secure Boot mechanism is in the responsibility of the end-user. The end-user can do whatever he wants. From disabling Secure Boot to fully replace PK and all KEKs. The end-user can also limit the length for the chain of trust. There is no right or wrong. But every single decision and action leads to more or less security.
If the end-user replaces the PK he can choose to sign the existing KEKs or also replace the KEKs with own keys. From a minimal setup of one PK and one KEK (I guess and hope it is not possible to use the same certificate for PK and KEK) to potentially several PKs and KEKs.
If you replace the PK and add a new KEK (or several new KEKs) you should not need the MOK list because you can sign all binaries with your KEK(s).
But of course you can also implement the Fedora way and build-in your own keys and rely on MOK. Again: The end-user is fully responsible! The end-user is fully responsible for the secure storage and usage of the own keys! The end-user is also responsible to make sure that only "trustworth" binaries are signed! |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5041 Location: Bavaria
|
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 94
|
Posted: Sun Oct 27, 2024 6:35 pm Post subject: |
|
|
@sMueggli:
Thank you very much. Your description was at a level of abstraction where I could follow. Most of your description made sense to me and that's how I understood most of the issue so far. However, I still had trouble understanding the idea of the MOK list, because in my opinion, introducing it means that an attacker could bypass the whole idea of secure boot from the user space. However, I found the answer on the oracle website, which for me is the missing puzzle in this whole thread.
Quote: | Note that although mokutil is run from user space, it doesn't update the MOK database directly. Instead, mokutil makes keys available to the MOK Management service and triggers the Shim to display the MOK Management menu at boot. This process ensures that keys or hashes are only enrolled within the MOK database by somebody who has physical access to the system and prevents a malicious application or user from changing the MOK database directly from user space. |
https://docs.oracle.com/en/operating-systems/oracle-linux/secure-boot/sboot-ToolsandApplicationsforAdministeringSecureBoot.html#sb-mokutil-1
In short, the shim implementation ensures that updating the MOK list occurs in the shim itself at boot time with physical user interaction. Therefore, the attacker can only generate an import request from the user space level, but cannot update the MOK list. Now it makes sense to me and this whole concept is waterproof.
Now at least I can make a conscious decision whether to go for shim or my own PK . Thank you all very much for your entries. |
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 94
|
Posted: Sat Nov 02, 2024 1:41 am Post subject: |
|
|
I managed to secure boot via shim without bootloader and without touching the firmware with signed UKI. I want to share my knowledge for those who might have problems because not everything is very well documented. I have two systems, one is Gentoo and the other is Windows 11 and it works without any problems as secure boot.
The boot process looks like this in my case
Code: | uefi firmware -> shim (Microsoft UEFI CA 2011) -> MOK Manager (own signature) -> UKI (own signature) |
Of course, I will not repeat what is written in the secure boot and shim articles on the gentoo wiki. You definitely need to read these articles.
1. Make sure your UEFI db cointains Microsoft UEFI CA 2011. In my case, there is a UEFI settings (Allow Microsoft 3 rd Party UEFI CA) that loads the above. The setting is disabled by default on my laptop. In this case the CA 2011 is not loaded into uefi db and the system will not boot because shim is signed with it. I missed it and it took me a long time to figure it out.
Quote: | and the Microsoft UEFI CA 2011 (or third-party UEFI CA), which signs third-party OS and hardware driver components. |
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/4055324
2. Rename your signed UKI to grubx64.efi. Probably shim requires such a name. In my case the signed UKI was created using gentoo-kernel (which invokes installkernel, use flags: dracut and uki).
3. Sign the MOK Manager (mmx64.efi). You probably cannot use the secureboot flag on sys-boot/shim because there is a pass phrase input bug in case of encrypted private key. So MOK Manager will not be signed and you have to do it manually. See https://forums.gentoo.org/viewtopic-t-1171516.html for details. The topic concerns grub, but in the case of shim there will probably be the same problem. In that thread you will also find an sbsign code snippet that you can use to sign the MOK Manager. Alternatively, you can add the fedora certificate to the MOK list, because MOK Manager is signed by fedora. |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|