Torvalds Opposes Tying UEFI Secure Boot to Kernel Lockdown Mode

An anonymous reader quotes Phoronix: The kernel lockdown feature further restricts access to the kernel by user-space with what can be accessed or modified... Pairing that with UEFI SecureBoot unconditionally is meeting some resistance by Linus Torvalds. The goal of kernel lockdown, which Linus Torvalds doesn't have a problem with at all, comes down to "prevent both direct and indirect access to a running kernel image, attempting to protect against unauthorised modification of the kernel image and to prevent access to security and cryptographic data located in kernel memory, whilst still permitting driver modules to be loaded." But what has the Linux kernel creator upset with are developers trying to pair this unconditionally with UEFI SecureBoot. Linus describes Secure Boot as being "pushed in your face by people with an agenda." But his real problem is that Secure Boot would then imply Kernel Lockdown mode... "Tying these things magically together IS A BAD IDEA."

Essentially

[110010001000]

Essentially what the corporations want is for people to only user the Internet via locked down ("approved" or "secure" devices). These devices will only have cloud based storage available and everything will be streamed from servers and the consumer will only need to pay a monthly fee for all this goodness. If you don't think this will happen, think of the children, or the terrorists, or the terrorist children, or security, or whatever the problem is this week.

Re: Essentially

Racism, too. And to prevent the wrong candidate from winning an election.

Re:Essentially

[epyT-R]

Not just corporations. Your friendly local 'globalhood' government wants it too.

Re: Essentially

[peppepz]

UEFI secure boot and Microsoft-mandated secure boot are two different things.
Microsoft took the secure boot specification, which is neutral, and added their own requirements, which aren't. They mandated themselves to have literally as much power as possible, while at the same time leaving to the user as little power to take back ownership of their own machine as it was possible without the world accusing them of taking over the PC market.

Re:Essentially

[Jane+Q.+Public]

It's only "great" if you use that company's EFI support for that particular operating system.

Otherwise, it's a major pain in the ass, and can even block you form installing the OS you may want to use.

Microsoft has been the biggest pusher of this scheme, because it did not want people to be able to dual-boot. They called it a "security" measure, but in fact my system is a hell of a lot more secure if I install MacOS and run Windows in a "bootcamp" or VM.

It's ALL ABOUT corporate lock-in, and not about security at all. Just as HDMI was/is.

Re:Essentially

[rtkluttz]

Malware. Any system that treats the owner of the device as the problem is malware. I'm all for secure boot as long as the owner of the device decides what to tag as secure and has complete control over the encryption and lockdowns.

Re:Essentially

[stooo]

Here's the basic explanation :
https://lkml.org/lkml/2018/4/3...

Re:Please don't hurt me.

[guruevi]

That's not what the argument is about. UEFI SecureBoot has its place and reasons although an open implementation would be much better, Linux Kernel Lockdown has its place and reasons. Requiring one to enable the other is a problem or declaring that your system is broken without both enabled is a problem.

Re: Please don't hurt me.

[Monster_user]

"This discussion is over until you give an actual honest-to-goodness reason for why you tied the two features together. No more "Why not?" crap." -Torvalds

Linux is a distribution by users, for users. So the individuals you are locking down are the developers and future developers of the operating system.

"Keeping the bad guys out" is a nanny state problem for for-cost operating systems. You can tie secure boot and kernel lockdowns together if you want to outsource your I.T. to a third party or for-cost developer.

The rest of us what to know what the difference is between what secure boot protect, and what kernel lockdowns protect. As well as to be able to enjoy our hobby without having to get a degree in cyber security to sign a kernel every time we want to try out a new OS or distribution.

Re: Thanks for the summary

[Monster_user]

Kernel Lockdown protects the kernel.

Secure Boot protects against malware and malicious hardware, as well as teenagers with Linux on USB thumb drives bypassing security altogether.

Together they are supposed to make it impossible to bypass or break the core things, which is supposed to make a computer more secure.

Of course adding security breaks things. Such as open source drivers for hardware for which drivers do not exist. Which means that those needing exemptions to the security will lose both, not just one or the other. Reducing security overall.

Re: Please don't hurt me.

[fibonacci8]

Thus it eliminates a false sense of security.

I suspect you meant emanates there, mostly because I've just reread one of Bruce Schneier's essays.

Nice straw man

uefi secure boot won't "keep the bad people out" either. In fact, uefi secure boot is a vehicle to take control away from you-the-computer-owner, and as such is the vehicle of bad people looking out for themselves using your hardware.

Thanks, but you're mistaken about both

[raymorris]

First, kernel lockdown in no way restricts which drivers you might have running. If you want to *change* which drivers you have running without rebooting, you'll need to *sign* the new module. Absolutely nothing prevents you from signing an open-source module. The command is:

scripts/sign-file sha512 kernel-signkey.priv kernel-signkey.x509 module.ko
(Or just set check the box to sign all modules in make menuconfig).

Sign-file signatures work for both secure boot and the kernel restriction. For the kernel, the first time you ever sign a module you enroll your public key with keyctl.

Re: Thanks for the summary

[Junta]

Secure Boot protects against malware and malicious hardware, as well as teenagers with Linux on USB thumb drives bypassing security altogether.

Actually, it does none of that. This is one of my peeves with secureboot, it is annoying *and* largely ineffectual.

On malware, yes, it would protect against a certain class of malware: boot sector virus. But then again, a subset. Sure you can't be a kernel, and that does hypothetically give the OS creators a foundation to have some layer that is intact. What if your malware is a patched gdm, sshd, pam, or agetty? Yeah, those would be fine. Windows still has plenty of malware despite being 'Secureboot'. What about replacing /etc/shadow in linux or the SAM db in Windows? Sure, that is also fair game, go ahead and insert your backdoor account with admin privilege.

On malicious hardware, it doesn't do anything, though related technologies can cause UEFI drivers to not execute if not signed. The OS asks the platform if it is secureboot enabled and takes the answer at face value (there's no secure mechanism to vlaidate that the platform isn't lying to you).

As far as Linux or Windows PE on USB thumb drives, again it doesn nothing. A windows or linux install disk can also be a 'rescue' disk. For that matter, secureboot covers neither the initramfs nor the wim file, so make your own privileged install media, it's all good as far as secureboot is concerned. You don't need a custom kernel to make a boot disk.

With that, what are the protections against the general class of replacement hardware/boot configuration/boot media?

Well, the weakest is a BIOS/UEFI/bootloader passwords, which in theory mitigates the chances someone can select their bootable media. In BIOS systems, it is common for USB disk to boot preferentially, so this might not pan out. The typical UEFI boot setup on the otherhand is a bit more specific by usually having a single boot item and that boot item being the machine specific boot partiion GUID and file. However even then I suspect you could probably discern the boot volume guid as non-admin user, and I don't know what UEFI will do if you have removable media with the same GUID as the boot volume. Also, none of this does a damn thing if the attacker could remove the boot media and mess with it offline.

So now we have SED/BitLocker/dm-crypt soultions, which are more hardened. However, by themselves these make automatic reboots impossible, and are thus highly annoying. For another, the keyphrase prompt can be emulated and phished if an attacker has two cracks at your system (one to install a fake prompt using a valid kernel, another to go and glean the captured secret.

At last we come to the most relevant security approach: Trusted Boot. Here you use SED/BitLocker/dm-crypt as above, but rather than prompting for password, you seal the key to TPM PCRs. This allows the system to boot and unlock automatically, but only if the user didn't do anything different (like boot form a different device, or enter f1 setup, or replaced the motherboard). Again at least one potential hole is whether you can spoof a GUID to trick the platform to boot with the same PCR state. another limitation is that generally you have a backup password, and a user could assume if they see the prompt, something innocuous went wrong rather than malicious (e.g. I had a device that went in for warranty repair, and the PCR state was lost forever and so I had to take it on faith the repair center nor the mail system did anything to phish the recovery prompt).

Re: Please don't hurt me.

[sjames]

That is an argument for having the ABILITY to use secure boot with a locked down kernel (Linus is fine with that). It is not an argument for why the kernel MUST be locked down if you use secure boot. The latter is what others are arguing for without providing Linus a good reason.

While installing / compiling a new kernel

[raymorris]

The key only needs to be available while installing a new kernel (not all the time), and only on one system in your organization.

Without the protection:
At any time, any system on your network can have kernel-level code changed, from userspace.

With the protection:
Before you deploy a new kernel across your network, plug your USB stick with key into your build system in order to allow dkms to build and sign the module. Then unplug the stick so that your kernel can't be changed without you doing it.

It gives you control of when and where your kernel can be changed, by dkms or any other program.

Re: Please don't hurt me.

[WaffleMonster]

Nanny state to ensure your HIPPA and PCI and SOX compliant servers at work do not have rootkits?

If a system is rooted once a computer is booted then a few things MUST be true:

1. You've already epically failed. It's game over right there and then. Talk about what happens next is mightily irrelevant.
2. See 1.
3. See 1.
4. Unless vulnerability is found and fixed secure boot won't do shit to prevent the rootkit from being re-loaded upon next boot the same way it was loaded initially.

I very much fail to see the point here. The only conclusion I could draw that would make any sense is when you get owned you can get away with tempting fate and not have to completely rollback system / rebuild all of your shit otherwise secure boot seems to be an exceedingly pointless waste of time.

There is a much easier and much more secure way to handle this that does not require any cryptographic bullshit. Deny capability to modify OS image via hardware latch and don't allow any hardware to incorporate persistent storage that can be modified in the field.

The real reason for secure boot isn't security. It's exclusively about locking out users in order to dictate terms.

IT departments require UEFI secureboot with custom add in keys for their servers which Redhat and FreeBSD support I may add is to make sure you keep your job.

Box checking jobs sure do pay well regardless of predictably feckless results.

Re: Thanks for the summary

[Junta]

How would they get a kernel-level virus onto the boot sector/partition? If a user has some method that would let them modify the boot volume, they have a way to modify passwd/shadow/SAM. Either the enduser runs something as admin (which admittedly full disk encryption would do nothing to stop) or an offline attack is required with or without secureboot (which full disk encryption can stop).

My point is it only works against a subset of boot sector virus: ones that run a modified kernel or stage before the kernel. Malware can do plenty in userspace, and in many cases it's impossible for a generic subsytem to tell whether a userspace customization is authentic or malicious.

Contrast this with disk encryption sealed to TPMs. This would ideally be modified such that there is a PCR mutated by fingerprints of efi executables. This would enable a shim.efi to do unsealing and have that particular OS vendor's chain of trust rooted without the firmware having to manage central keys and also providing meaningful protection against offline attacks.

The other problem I have is that SecureBoot, practically speaking, makes MS the gatekeeper to the PC platform. You want to boot your OS on user systems, go talk to Microsoft. This has two effects:
1) Gives MS too much control and a nice anti-competitive lever to use if they wanted.
2) To do this without being perceived as anti-competitive and given resources, they probably have had to sign more than they should. This means there is likely some vulnerable stack that is signed floating about. In theory MS could revoke keys, but I don't think they ever have for one, and for another the chances that a user gets an update with an updated revocation database is far from guaranteed.

I would have much preferred a spec that had the install media do a vendor-specific key install, and a mandatory baked in option to remove the key and revocation db. This would have given much more fine grained control for verification of vendor provided assets. At the end of the day though, full disk encryption is a mandatory part of your strategy if you really want to protect from offline attacks.