| View previous topic :: View next topic |
| Author |
Message |
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 86
|
 Posted: Sat Oct 26, 2024 12:49 am Post subject: Dual System Secure Boot (Gentoo+Windows), shim vs non shim |
 |
|
Hi, I am considering secure boot on a dual system (gentoo + win11). I have read few articles and I want to make sure I understand the difference between shim and non shim secure boot in terms of security specifically with reference to one example.
Let’s assume we have a malware on our system which interfered with our boot binary. Let's assume that our private keys are well secured and the malicious actor has no access to them. In the case of non shim, for the system to boot the malware would have to modify the uefi db data. In turn, to do this, you would need a private key PK/KEK (which is not available) or resetting the PK (setup mode) and uploading your own, which would require running UEFI, i.e. physical access to the computer. In this case, the malware would not harm us regarding the boot process.
In the case of shim, the MOK list is modified. Since the MOK list is not stored in UEFI memory, malware could modify not only our boot binary, but also the MOK list without having physical access to the computer, which would make it possible to start the system with replaced boot components. As a result, the safety associated with shim is lower than non shim.
So what are the benefits of shim? From what I understand, there is no need to backup old, delete old and generate new keys and create a compound (old+new) because the shim is signed with a Microsoft certificate. However, we do this at the expense of security, because we transfer some public keys to the operating system level.
Is everything I wrote correct? |
|
| Back to top |
|
 |
GDH-gentoo
Veteran
Joined: 20 Jul 2019
Posts: 1671
Location: South America
|
| Posted: Sat Oct 26, 2024 2:44 pm Post subject: Re: shim vs non shim |
|
|
| nxe9 wrote: | | Since the MOK list is not stored in UEFI memory, [...] |
The MOK list is stored in UEFI nonvolatile storage, a companion of the Shim program, the MokManager (mmx64.efi on Intel / AMD 64-bit architecture), puts it there (simplifying a bit here). Think of the MOK list as a 'parallel' UEFI db —the variable that can store public keys for verifying the signature of UEFI PE32+ files—.
| nxe9 wrote: | | So what are the benefits of shim? |
Using the Secure Boot mechanisms, but without touching the PK, KEK, db and dbx. You need firmware cooperation for doing the latter, and there are notoriously bad firmware implementations of the UEFI specification out there...
It might also be convenient for installing binary-based distributions like Debian or Fedora on computers with Secure Boot enabled without having the user touch Secure Boot-related UEFI variables for booting them.
_________________
| NeddySeagoon wrote: | I'm not a witch, I'm a retired electronics engineer  |
| Ionen wrote: | | As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though |
|
|
| Back to top |
|
|
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 86
|
| Posted: Sat Oct 26, 2024 3:25 pm Post subject: |
|
|
OK, but there is still, in my opinion, a key difference. The MOK list can be reset and overwritten from the system level without knowing the private key. According to https://wiki.gentoo.org/wiki/Shim
| Quote: | An import request for shim can be generated with:
| Code: | | # mokutil --import /boot/sbcert.der |
Next reboot, shim will find that there is a pending import request and launch MokManager. |
In the case of uefi db, I can only do it if I know the private key (PK/KEK) or have access to uefi mode (physical access to the computer). Correct? |
|
| Back to top |
|
|
GDH-gentoo
Veteran
Joined: 20 Jul 2019
Posts: 1671
Location: South America
|
| Posted: Sat Oct 26, 2024 3:44 pm Post subject: |
|
|
It is mentioned in only one sentence in that Wiki article, but the MokManager does a password verification for that step. There is a procedure for setting up the password for importing a new MOK that I don't see described in the article.
_________________
| NeddySeagoon wrote: | | I'm not a witch, I'm a retired electronics engineer |
| Ionen wrote: | | As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though |
|
|
| Back to top |
|
|
sMueggli
Guru
Joined: 03 Sep 2022
Posts: 471
|
| Posted: Sat Oct 26, 2024 4:29 pm Post subject: |
|
|
Secure Boot is based on a chain of trust. The root of this trust is the PK (platform key). The PK is usually set by the OEM or mainboard vendor. Where this chain of trust ends depends on the distribution. Normally the chain of trust ends with the signed kernel modules (but might end with shim).
The next step is the KEK (key exchange keys). The KEKs are signed with the PK.
At least one of the KEK is a Microsoft public key which is used to verify the signature of the Microsoft UEFI binaries and also to verify the signature of shim. Usually shim loads then Grub and is normally checking whether Grub is signed with a distribution specific key.
PK and KEK are public keys or certificates (not sure, but I guess they are certificates, not just public keys). They do not contain any private or secret stuff. Then there are at least two lists: db and dbx. The list of known certificates and the list of forbidden certificates (comparable with a CRL in a PKI).
You can replace every bit of this chain of trust, without knowing the private key. But usually this is only possible with physical access to the system. If the MOK list is part of the chain of trust, then the list must be signed with one of the "trustworthy" keys.
In an ideal world, the private keys are not stored (and were not created) on the system that is protected by Secure Boot. |
|
| Back to top |
|
|
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 86
|
| Posted: Sat Oct 26, 2024 6:03 pm Post subject: |
|
|
@GDH-gentoo: In my opinion, this does not change anything, because in fact, to add the signed modules to the MOK list I need to have a private key, but I can clear such MOK list from the system level (just as I can clear the PK and the entire trust chain from the UEFI level). Unless I'm still not understanding something.
@sMueggli: I more or less understand it the way you wrote it. What I meant was that in the case of a shim digitally signed by Microsoft I have two chains of trust. The first one from PK to shim, and the second one after shim. In my opinion, such a chain of trust is easier to break and can be broken from the operating system level. In the case of one continuous chain from PK to kernel modules I am not able to do this. I'm leaving out the issue of physical access, because then you can actually manipulate everything, but that's a different topic. Besides, you wrote about it yourself - "You can replace every bit of this chain of trust, without knowing the private key. But usually this is only possible with physical access to the system.". |
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5016
Location: Bavaria
|
| Posted: Sat Oct 26, 2024 7:14 pm Post subject: |
|
|
| nxe9 wrote: | | [...] I'm leaving out the issue of physical access, because then you can actually manipulate everything, but that's a different topic. [...] |
SecureBoot helps you ONLY against offline tampering and NEVER against online attacks. The same applies to FDE (full disk encryption). This also ONLY protects against offline tampering. Both is useless as soon as your machine has started and you sit before your keyboard and do something online.
If you want to protect yourself against online attacks, you need completely different things: Hardened kernel + a MAC system (SELinux or AppArmor) + IntegrityManagement + FireWall + Proxies ... (+ intelligent user not opening ervery mail attachment) 
_________________
https://wiki.gentoo.org/wiki/User:Pietinger |
|
| Back to top |
|
|
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 86
|
| Posted: Sat Oct 26, 2024 11:03 pm Post subject: |
|
|
@pietinger: I'm not sure I understand you correctly.
| pietinger wrote: | | SecureBoot helps you ... NEVER against online attacks. |
I believe that secure boot protects against online attacks targeting the boot process. If the system loads correctly (in the case of secure boot we can assume that the boot process did not contain any malware) and we are sitting in front of the keyboard, then of course we can still be exposed to malware and at this point secure boot does not provide us with any further security. However, the malware will still not be able to targeting the boot process. Do you agree with me? If not, please explain it to me in detail.
Here are quotes from the lenovo website
| Quote: | What is a secure boot?
Secure boot is a fundamental security feature in Windows that ensures the integrity of your system's boot process. It functions by verifying the digital signatures of the bootloader and operating system, allowing only trusted and signed code to be executed during startup. This prevents unauthorized or malicious software from compromising the system early in the boot sequence. Enabling secure boot enhances your Windows device's resilience against various cyber threats, providing a crucial layer of defense for the overall security of your computer. It's an essential component in safeguarding against malware and maintaining the integrity of your operating system. |
| Quote: | Does secure boot protect against all types of malwares?
Secure boot primarily focuses on safeguarding the boot process by verifying the digital signatures of the bootloader and operating system. While it offers a robust defense against malware attempting to compromise the startup sequence, it doesn't provide comprehensive protection against all types of malwares. Secure boot is effective against threats targeting the boot process, but additional security measures are recommended to ensure a holistic defense. Combining secure boot with reputable antivirus software and regular system updates enhances your overall protection against a broader range of malware threats on Windows. |
| Quote: | Can secure boot prevent rootkits?
Yes, secure boot can significantly mitigate the risk of rootkits on Windows systems. By verifying the digital signatures of the bootloader and operating system during startup, secure boot thwarts attempt to install unauthorized code at the foundational level. This proactive measure enhances system integrity and prevents the compromise of the boot process, making it a crucial defense against rootkit attacks on Windows platforms. |
| Quote: | Can secure boots prevent "boot kits"?
Yes, secure boots are effective against "boot kits" – a type of malware that infects the boot process. By verifying the digital signatures of the bootloader and operating system, secure boot prevents the installation of unauthorized code during startup, making it challenging for boot kits to compromise the system. |
https://www.lenovo.com/us/en/glossary/secure-boot/
In my opinion, the above holds me in my beliefs. Of course, my knowledge is limited and I am just learning about this topic, so I will be happy to improve. |
|
| Back to top |
|
|
peteblank
n00b
Joined: 26 Oct 2024
Posts: 4
|
| Posted: Sun Oct 27, 2024 2:08 am Post subject: |
|
|
it used to be that bootkits and router malware were rare but apparently now theyre being sold
https://thecyberexpress.com/blacklotus-uefi-bootkit-hacking-forums/amp/
if you ask me i dont like uefi it should have stayed as bios, the bliat that uefi brought made the attack surface wider. it used to be eeprom now its flash so it can be rewritten multiple times without flashibg it with electricity.
imagine if you combine a router malware that hops from device to device with a bootkit and whatever else.
you could be visiting a porn site and ad has malware that can bypass the browsers sandbox and just like that.
i feel better with secure boot but id also feel better getting past the gentoo terminal heh. it can wait. |
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5016
Location: Bavaria
|
| Posted: Sun Oct 27, 2024 2:36 am Post subject: |
|
|
| nxe9 wrote: | | I believe that secure boot protects against online attacks targeting the boot process. If the system loads correctly (in the case of secure boot we can assume that the boot process did not contain any malware) and we are sitting in front of the keyboard, then of course we can still be exposed to malware and at this point secure boot does not provide us with any further security. However, the malware will still not be able to targeting the boot process. |
The boot process (under Linux) does not end when the kernel is loaded. SecureBoot should guarantee that the first binary that is booted from UEFI has a hash that is secured by signature. After UEFI has passed control to this binary, it is up to this binary to provide further security ... So even if you boot a (stub) kernel directly (which either only loads signed external modules or is a UKI), the chain ends at /sbin/init (*) at the latest. If init can be replaced by an online attack, you will have the same backdoor again the next time you boot the system. IntegrityManagement exists precisely to detect/prevent this.
*) init is not the only process that is started with root rights ...
In the the case of an online attack, a distinction must be made between a “loud” attack (which may be discovered later; because it is a one-off action) that aims to
- Steal data, or
- encrypt data in order to blackmail you
and a “silent” attack (which should not be noticed), which also wants to use your machine in the future to
- serve as a spam slinger or springboard for further attacks on other machines, or
- waits until sensitive data is being processed by the user (and therefore needs to be decrypted) to access it.
Since a loud online attack does not have to survive the system shutdown at all, the question of the security of the system startup is only relevant for quiet online attacks. And in this case, not only init, but also ps, ls, bash and many others are exchanged so that certain queries do not show which processes are really active ... none of this is possible with IMA.
_________________
https://wiki.gentoo.org/wiki/User:Pietinger |
|
| Back to top |
|
|
sMueggli
Guru
Joined: 03 Sep 2022
Posts: 471
|
| Posted: Sun Oct 27, 2024 10:23 am Post subject: |
|
|
| nxe9 wrote: | | @sMueggli: I more or less understand it the way you wrote it. What I meant was that in the case of a shim digitally signed by Microsoft I have two chains of trust. The first one from PK to shim, and the second one after shim. In my opinion, such a chain of trust is easier to break and can be broken from the operating system level. In the case of one continuous chain from PK to kernel modules I am not able to do this. I'm leaving out the issue of physical access, because then you can actually manipulate everything, but that's a different topic. Besides, you wrote about it yourself - "You can replace every bit of this chain of trust, without knowing the private key. But usually this is only possible with physical access to the system.". |
There is only one chain of trust. The chain of trust begins with the PK and ends somewhere.
| Code: | | PK -> KEK -> shim (-> MOK list) -> Grub -> kernel -> kernel modules ... |
There are two phases for the "path processing":
- Path construction: aggregate all certificates necessary to form a complete path
- Path validation: examine each certificate in the path
As a result, the process is either successful or the path validation fails. If you have two chains of trust, the first phase will fail. If it is successful, you have a big problem or only one chain of trust.
Regarding the private key: If you are in possess of the private key (of the PK and/or KEK) you can use it to replace and modify keys (from the operating system). On the other hand, if you lost access to the private key, you should be able to reset the Secure Boot keys.
The KEK is used to establish a trust relationship between the firmware and the operating system:
| UEFI Specification 2.8 Errata B, May 2020 wrote: | Key exchange keys establish a trust relationship between the operating system and
the platform firmware. Each operating system (and potentially, each 3rd party
application which need to communicate with platform firmware) enrolls a public key
(KEKpub) into the platform firmware. |
Literature I can recommend:
- C. Adams und S. Lloyd, Understanding PKI : concepts, standards, and deployment considerations, 2nd ed. ;; chapter 9
- UEFI Forum, Unified Extensible Firmware Interface (UEFI) Specification : Version 2.8 Errata B ;; chapter 32
|
|
| Back to top |
|
|
sMueggli
Guru
Joined: 03 Sep 2022
Posts: 471
|
| Posted: Sun Oct 27, 2024 10:50 am Post subject: |
|
|
| pietinger wrote: | | nxe9 wrote: | | [...] I'm leaving out the issue of physical access, because then you can actually manipulate everything, but that's a different topic. [...] |
SecureBoot helps you ONLY against offline tampering and NEVER against online attacks. The same applies to FDE (full disk encryption). This also ONLY protects against offline tampering. |
Not sure how categorising attacks in online and offline attacks is helping here.
Nevertheless you are mixing some stuff here: Secure Boot and Encryption do not have the same security goal.
Secure Boot guarantees integrity (the I in CIA). This is achieved with asymmetric cryptography. Without having the private key, an attacker should not be able to tamper a file that is in the chain of trust of the Secure Boot process without being noticed. Having the private key, an attacker can do what he wants and Secure Boot is still "working".
Encryption guarantees confidentiality (the C in CIA). This is (mainly) achieved with symmetric cryptography. Encryption algorithms might also include integrity, but this is considered a side effect of the algorithm.
| pietinger wrote: | | SecureBoot should guarantee that the first binary that is booted from UEFI has a hash that is secured by signature. After UEFI has passed control to this binary, it is up to this binary to provide further security ... |
That is a misconception. Secure Boot is used to glue together the trust between the firmware and the operating system. This chain of trust ends "somewhere" (a natural ending for this chain of trust are the kernel modules). And yes, it is the job of the loaded software to verify things further. But it is still part of Secure Boot. |
|
| Back to top |
|
|
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 86
|
| Posted: Sun Oct 27, 2024 12:54 pm Post subject: |
|
|
| sMueggli wrote: | | There is only one chain of trust. The chain of trust begins with the PK and ends somewhere. |
OK, but for me it looks a little different, maybe because of my little knowledge. Yesterday I read that Microsoft is embedding distribution vendor certificates (like debian etc.) into the shim. Then the distribution vendors can sign their components and for me the chain of trust between PK and kernel modules is preserved and cannot be broken. The attacker cannot interrupt the chain of trust without knowing the private key of microsoft or the private key of the debian (etc.) vendor. In case I am a private gentoo user and I want to add my components to
| Code: | | (-> MOK list) -> Grub -> kernel -> kernel modules ... |
based on my private key, there is no connection between microsoft and me. More precisely, Microsoft does not have my keys and its shim is not published with my keys, unlike in the case of e.g. Debian. Therefore, if I am responsible for digitally signing components at the operating system level, an attacker could also do it under favorable circumstances (clearing the mok list, entering his certificates based on his priv key and replacing the kernel modules). In the first case it is impossible and this is actually the main topic of my thread.*
In other words, when using Microsoft's shim in the case of the Gentoo distribution, I have less security than when using "Sakaki/Sakaki's EFI Install Guide/Configuring Secure Boot", where I generate the PK.
*Edit: In fact, the attacker can even do this in the case of Debian, because if I can enter keys not related to Microsoft on Gentoo, the attacker could also do it on Debian. For me, this shim concept is weak. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Installing Gentoo
