Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Secure Boot Patches Break Hibernation

Posted by Unknown on from the intentional-side-effects dept.

hypnosec writes "Matthew Garrett published some patches today which break hibernate and kexec support on Linux when Secure Boot is used. The reason for disabling hibernation is that currently the Linux kernel doesn't have the capability of verifying the resume image when returning from hibernation, which compromises the Secure Boot trust model. The reason for disabling the kexec support while running in Secure Boot is that the kernel execution mechanism may be used to load a modified kernel thus bypassing the trust model of Secure Boot." Before arming your tactical nuclear flame cannon, note that mjg says "These patches break functionality that people rely on without providing any functional equivalent, so I'm not suggesting that they be merged as-is." Support for signed kexec should come eventually, but it looks like hibernation will require some clever hacking to support properly in a Restricted Boot environment.

18 of 196 comments (clear)

  1. Why is this a story again? by Anonymous Coward · · Score: 3, Insightful

    A patch that is not going to be merged into the kernel proper breaks hibernation with secure boot in Linux...some editor is trying desperately hard to get a flame war started. If you're really that desperate for ideas try something creative, like creating a fake petition to have Minecraft converted from Java to C#. It's not hard to start a flame war.

    Fucktard.

  2. Certificates can be revoked by tepples · · Score: 5, Interesting

    A patch that is not going to be merged into the kernel proper breaks hibernation with secure boot in Linux

    Perhaps the fear is that if the patch is not merged, Microsoft will revoke the certificates that have been used to sign mainstream GNU/Linux distributions.

    1. Re:Certificates can be revoked by Trogre · · Score: 3, Insightful

      Is no one else here alarmed at the unreasonable amount of power Microsoft has over the future of GNU/Linux on Secure Boot platforms?

      That alone should be cause enough to lobby hardware manufacturers to have secure boot abolished and to hell with those little "Works with Windows 8" stickers.

      Microsoft have already mandated that systems with ARM platforms MUST NOT have an option to disable Secure Boot. Therefore the only software that will boot on these systems is software that Microsoft has blessed. I know they would love nothing more to dictate such terms on x86 hardware too. I predict that within five years, notwithstanding active opposition RIGHT NOW, they will do exactly this.

      This, like climate change, is something I really, really hope I am wrong about but fear that I am not.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    2. Re:Certificates can be revoked by Nerdfest · · Score: 5, Interesting

      I just bought a very nice laptop from System76. Good price/performance, fantastic Linux comparability, and no Microsoft tax. I figured I might as well put my money where my mouth is on supporting vendors that have good support for Linux.

  3. lm-sensors by tepples · · Score: 3, Funny

    My system doesn't hibernate, it passes out from exhaustion.

    You could try setting up lm-sensors. Or is your motherboard not supported?

  4. Re:Making root not root? by Rockoon · · Score: 5, Informative

    You really dont seem to understand the technologies involved.

    Hibernation does a complete dump of the memory and thread state of the system to disk, and when the computer is later booted a well behaved loader sees the dump and restores the memory and thread states from disk.

    The problem is that anyone with physical access can fuck with the memory dump in between the hibernation and the restore, thereby injecting untrusted code into the supposedly trusted environment.

    But thanks for giving us your ignorant opinion.

    --
    "His name was James Damore."
  5. Sign the hibernation file by tepples · · Score: 3, Interesting

    The problem is that anyone with physical access can fuck with the memory dump in between the hibernation and the restore

    Anyone with physical access can probably reset the BIOS password and turn off secure boot. But barring that, perhaps one solution is to sign the memory dump with a key stored in the TPM.

    1. Re:Sign the hibernation file by Rockoon · · Score: 3, Informative

      Anyone with physical access can probably reset the BIOS password and turn off secure boot.

      The point of secure boot is to make possible a chain of proof attesting that everything that gets loaded into ring0 has not been modified. Clearly if you can disable the chain of proof then you can disabled the chain of proof, but you cannot do so invisibly, which is the entire point of secure boot.

      --
      "His name was James Damore."
    2. Re:Sign the hibernation file by 0123456 · · Score: 3, Insightful

      The point of secure boot is vendor lockin. The point of Linux is to not be locked to a vendor.

    3. Re:Sign the hibernation file by Anonymous Coward · · Score: 5, Insightful

      "DRM is to promote sales through reducing piracy "

            No, the point of DRM is to increase profits by removing a potential threat to sales. The point of secure boot is potentially lock hardware to the operating system. The chain of proof is just a selling tactic at best but irrelevant as there are a myriad of ways to compromise a system for those with the will to do so. It's more effective as a wedge to eventually control hardware manufacture. Remember this kind of behavior wouldn't be new for Microsoft.

  6. Fuck Secure Boot by Anonymous Coward · · Score: 5, Insightful

    It's my goddamn computer, my goddamn hardware, and it's MINE. I will run any fucking operating system I goddamn well please on it, and if Microsoft doesn't like that, they can FUCK THEMSELVES right in the GODDAMN EAR.

    1. Re:Fuck Secure Boot by UltraZelda64 · · Score: 5, Insightful

      Why the downmods? Yeah, maybe the AC was just trolling, but his overall point I actually agree with. If anything, it should've been modded +1 "Funny" for the "fuck themselves in the god damn ear" part.

    2. Re:Fuck Secure Boot by grcumb · · Score: 3, Funny

      It's my goddamn computer, my goddamn hardware, and it's MINE. I will run any fucking operating system I goddamn well please on it, and if Microsoft doesn't like that, they can FUCK THEMSELVES right in the GODDAMN EAR.

      Or you can just disable it...

      What, and miss the chance of seeing Ballmer fuck himself in the goddam ear?

      Shyeah....

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  7. Conceptually.. by Junta · · Score: 5, Interesting

    What distinguishes hibernated memory image from, say, an initrd? Practically speaking, a distro has to allow for initrds to boot that aren't signed by the distribution. In fact, what about booting *any* filesystem? Some may suggest that the goal would be to have every binary signed, but what about end-user maintained scripts and config files? SecureBoot as currently defined only about the OS provider signing what they provide and that leaves a whole lot of area for malicious content outside that scope. It's of little comfort that you have assurance that you are running the correct sshd if, for example, you have malicious ssh_config and malicious authorized_keys.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Conceptually.. by mjg59 · · Score: 5, Insightful

      The kernel can execute ring 0 instructions. Your initrd can't. The difference is that you could construct an appropriately modified hibernation image that booted an arbitrary kernel - or even an entirely separate OS. In that scenario, your kernel is effectively a new bootloader, except unlike the signed bootloaders it'll happily boot an entirely unsigned OS. That's unlikely to end well.

      But, conceptually, you're right. Secure Boot doesn't magically make a system secure, but it *is* a vital part of system security - if you can't trust your kernel, any other security you attempt to build is pretty much pointless.

  8. Re:To many X86 servers do not boot Windows by 0123456 · · Score: 4, Insightful

    To many X86 servers do not boot Windows for them to try to push that kind of lock down.

    Yeah, so? Your $1,000 server motherboard will still be able to run Linux. Doesn't help the rest of us.

    If you give Microsoft the power to control what software will and won't run, then they will use it, sooner or later. It's a fscking retarded idea.

  9. SecureBoot is a modern version of vendor lockin by Damouze · · Score: 3, Informative

    SecureBoot is nothing more than a modern kind of vendor lock-in, so why support it at all? Haven't the FSS and OSS communities by now gained enough leverage on their own to stimulate the development of software in the direction it should go, namely that essential software, like an OS, a BIOS or a piece of firmware, should be free (in the FSS sense) for use by anyone?

    By accepting and even supporting suspicious software and business models such as SecureBoot, aren't the FSS and OSS communities more or less digging their own graves because Microsoft - who admittedly has changed a lot for the better the last few years - owns the very keys their software relies on for proper functioning?

    --
    And on the Eighth Day, Man created God.
  10. Re:Why?? by lingon · · Score: 3, Insightful

    No, I think he's straight on. Secure boot stems from a broken threat model: that kernel access is extremely important. I know about userspace security, but the kernel already secures userspace without secure boot and proper privilege separation secures the kernel. Secure boot is a way of securing the system from root, which is futile (look at SELinux, for example).

    This is primarily a technology for vendor lock-in. Always has been, always will be.