[personal profile] mjg59
One of the benefits of the Shim approach of bridging trust between the Microsoft key and our own keys is that we can define whatever trust policy we want. Some of the feedback we've received has indicated that people really do want the ability to disable signature validation without having to go through the firmware. The problem is in ensuring that this can't be done either accidentally or via trivial social engineering.

We've come up with one possible solution for this. A tool run at the OS level generates a random password and hashes it. This hash is appended to the desired secure boot state and stored in an EFI variable. On reboot, Shim notices that this variable is set and drops to a menu. The user then selects "Change signature enforcement" and types the same password again. The system is then rebooted and Shim now skips the signature validation.

This approach avoids automated attacks - if malware sets this variable, the user will have no idea which password is required. Any social engineering attack would involve a roughly equivalent number of steps to disabling Secure Boot in the firmware UI, so it's not really any more attractive than just doing that. We're fairly confident that this meets everyone's expectations of security, but also guarantees that people who want to run arbitrary kernels and bootloaders can do so.

How do they know the password

Date: 2012-10-17 10:27 pm (UTC)
From: [identity profile] smoogespace.blogspot.com
Where does the user know what the password is since it is a random generated and hashed value. I guess there are some steps I am missing.

Re: How do they know the password

Date: 2012-10-17 10:37 pm (UTC)
From: (Anonymous)
"To disable Secure Boot signature validation, please type the following string when prompted to at boot time: fKrl0pt15KCS"

Re: How do they know the password

Date: 2012-10-17 10:53 pm (UTC)
From: [identity profile] smoogespace.blogspot.com
Thanks. That wasn't clear how this was shown to the user.

Re: How do they know the password

Date: 2012-10-18 01:27 am (UTC)
From: [identity profile] ff426444-2eac-4286-8f78-f088e98a036e [openid.stackexchange.com]
Why wouldn't malware impersonate this user-space tool, generate a hash of its design, and print something like "At next reboot, type YES to continue."

Re: How do they know the password

Date: 2012-10-18 01:49 am (UTC)
mm_writes: Sheep go to heaven, goats go to hell (Default)
From: [personal profile] mm_writes
Always my first thought and why I have trouble taking this topic seriously. Until you can iron out every wrinkle here, what is the point.

Re: How do they know the password

Date: 2012-10-18 12:00 pm (UTC)
From: (Anonymous)
Enforcing a minimum password length (or even a complexity, e.g. requiring a digit) within a shim would make this kind of attacks more difficult.

At the very least, a zero-length password should definitely be prohibited.

Re: How do they know the password

Date: 2012-10-18 05:32 pm (UTC)
From: (Anonymous)
One way to enforce ugliness of passwords would be to require that the password be a hash of some information provided to the firmware by the userland program, so the userland program can only choose a password if it can reverse the hash. OTOH, that might require rather long passwords and does rather conflict with sending the password to the firmware as a hash.

Date: 2012-10-18 01:52 am (UTC)
mm_writes: Sheep go to heaven, goats go to hell (Default)
From: [personal profile] mm_writes
One of the benefits of the Shim approach of bridging trust between the Microsoft key and our own keys is that we can define whatever trust policy we want.

If you can define any trust policy you want, then so can anyone, including your local (or remote, be it as it may) malware author. Explain how the Shim approach benefits the end user if this is the case?

Date: 2012-10-18 08:24 am (UTC)
simont: (Default)
From: [personal profile] simont
Is this not the sort of policy liable to cause whatever upstream authority is signing Shim itself to decide it isn't the sort of thing they're comfortable certifying as safe?

(Or is it simply a laughable idea that a signature on a bootloader certifies anything other than that somebody with halfway plausible credentials gave a lot of money to the signing authority?)

Anonymity

Date: 2012-10-20 11:01 am (UTC)
From: (Anonymous)
One thing malware authors badly need and work really hard to achieve is anonymity.

"Hi Microsoft! Sell me a Secure Boot certificate but please also make sure you will never be able to find me again."

Impossible? No. Very difficult? Yes, likely to be. Less malware (in numbers) is more security.

Date: 2012-10-18 03:21 pm (UTC)
From: (Anonymous)
If users want to run their own kernels then just ask users to disable secure boot in the firmware, because this approach to disabling signature validation will just complicate things.

And why do we need to "trust" Microsoft in order to compete with them. That's like Apple having to "trust" Microsoft just to create the iPhone 6.

Date: 2012-10-18 06:02 pm (UTC)
From: (Anonymous)
Can I still disable signature validation by disabling secure boot?

Apple keyboards?

Date: 2012-10-19 03:25 am (UTC)
From: (Anonymous)
http://arstechnica.com/apple/2009/08/exploit-allows-for-keyboard-ownage-through-firmware/ could be used to automate an attack against Shim. It is not difficult to fix at minor inconvenience to the user.

Approach eases social engineering attacks

Date: 2012-10-19 02:58 pm (UTC)
From: (Anonymous)
Any social engineering attack would involve a roughly equivalent number of steps to disabling Secure Boot in the firmware UI, so it's not really any more attractive than just doing that.

I thought firmware UIs are so diverse that it is unreasonable/impossible to guide users to the secure boot options. Luckily, this makes it very hard to attack masses of users with single social engineering attacks.

Now the Shim provides a uniform mechanism that can be exploited by a single social engineering attack? ("There is a problem with the signature validation process of your computer. To fix this problem, please reboot and enter 09sifd5b when asked for a password." CLICK-HERE-TO-REBOOT)

Am I something wrong? For me it looks like you're increasing the attractiveness for these kinds of attacks a lot.

Re: Approach eases social engineering attacks

Date: 2012-10-19 03:49 pm (UTC)
From: (Anonymous)
I think he is. The shim should just boot into grub, and have a configuration file to see if the user wants to enable secure boot signature signing ot not

Re: Approach eases social engineering attacks

Date: 2012-10-19 03:49 pm (UTC)
From: (Anonymous)
I meant or not ot

Re: Approach eases social engineering attacks

Date: 2012-10-20 01:09 pm (UTC)
From: (Anonymous)
"I thought firmware UIs are so diverse that it is unreasonable/impossible to guide users to the secure boot options."

While I'm impressed by Matthew's work, I never understood this (fundamental!) argument of his.

1. There are NOT that many BIOS vendors and there are NOT that many different BIOS interfaces.
2. People need to mess with their BIOS ANYWAY to boot from a CD or USB stick!



PS: I know and like and use GRUB4DOS but it's much less newbie friendly than all the above.

Re: Approach eases social engineering attacks

Date: 2012-10-21 09:41 pm (UTC)
From: (Anonymous)
"It's different for pretty much every laptop vendor, and often within different ranges from the same vendor."

Not my experience. Maybe I don't see the subtle differences any more. Or I've just been lucky.


"there's a separate interface for choosing a one-off boot device"

Only on not too old PCs but you're right it really makes things easier. It's still not the pinnacle of user friendliness though.

"..., and entirely untrue with UEFI."

Sorry if I missed one of your previous blog but... what are you referring to here? I've installed Linux on a number of (non-secure) EFI laptops already and it was not any different from any pre-EFI laptop. What did I miss?

(In fact, for most of these laptops it was actually hard to notice they were using EFI at all)

Re: Approach eases social engineering attacks

Date: 2012-10-23 11:29 pm (UTC)
From: (Anonymous)
Why do Windows 8 PCs not initialize the keyboard before boot? How would anyone go into the firmware to disable secure boot or set the system clock?

Re: Approach eases social engineering attacks

Date: 2012-10-24 05:31 pm (UTC)
From: (Anonymous)
How would I enter the firmware menu from Linux?

Re: Approach eases social engineering attacks

Date: 2012-10-24 06:21 pm (UTC)
From: (Anonymous)
How would I set that flag?

Date: 2012-10-28 10:37 pm (UTC)
From: (Anonymous)
Any status of Secure boot lately after Windows 8 got released?

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Nebula. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags