The security of Secure Boot

[mjg59]

The other complaint about UEFI Secure Boot is that it doesn't add any security. There's two aspects to this - people either think it'll be quickly broken, or people think that the public availability of signing services will render it useless.

Will Secure Boot be broken?

Almost certainly, yes. I'd put a significant amount of money on it. The most obvious avenue of attack is probably a malformed FAT on a USB stick, or alternatively a programmable USB device that can trigger undesired behaviour in the USB stack. If you're really lucky then you might be able to corrupt the filesystem on the EFI system partition in such a way that this happens on every boot, even if there's no USB hardware connected. It's possible that there'll be a bug in the binary validation process and a cleverly designed binary may be able to validate even though it contains unsigned code. Various vendors will probably manage to produce signed option ROMs that rely on unsigned data in such a way that they can be forced to misbehave. But most of these attacks will either involve physical access or depend on the target machine having a specific piece of hardware installed, and I'd also put money on each of them being quickly fixed once they're found. And, eventually, people will run out of new attacks.

People desperately want to believe that the Secure Boot implementation is fundamentally broken, and that's just not true. It's based on well-tested encryption technology. You calculate a SHA256 of the binary you want to sign. You encrypt that hash with the private half of a 2048-bit RSA key. You embed the encrypted hash in the binary. When someone tries to run the binary you decrypt the hash with the public key in your firmware. You then calculate the hash of the binary and compare the two. If they match then you know that (a) whoever signed the binary had access to the private half of a key you trust, and (b) the binary hasn't been modified since then.

The difference between Secure Boot and things like CSS or WEP is that Secure Boot uses existing cryptographic techniques and has been designed by people who actually understand how they work. Precisely the same technology is used in Microsoft's driver signing, and people decided it was easier to steal a key from Realtek than it was to break the underlying technology. Unless there's a crippling bug in the implementation that nobody's noticed yet, the only real way to attack this is to either force a SHA256 collision (achievable with current technology, as long as you're willing to spend many orders of magnitude more time than the universe has existed) or break RSA (which would also mean that SSL is broken). If anyone can do either of these things then we are so unbelievably fucked that Secure Boot should not be the thing you're most worried about.

So, in summary: Yes, Secure Boot will be broken. And then it will be fixed. And after this happens a few times, there will be no further breaks.

Everyone can sign, so what's the point

Anyone can pay $99 and get their binaries signed. So why won't malware authors just do that? For starters, you'll need to provide some form of plausible ID for Verisign to authenticate you and hand over access. So, sure, you provide some sort of fake ID. That's the kind of thing that tends to irritate local authorities - not only are you talking about breaking into a bunch of computers, you're talking about committing the sort of crime that results in genuinely bad things happening to you if you get caught. And secondly, the only way you get access to the system is using some physical smartcards that Verisign send you. So you've also had to hand over an actual physical address, and even if you've used some sort of redirection service that's still going to make it easier to track you down. You're taking some fairly significant real-world risks.

But ok, you're willing to do that and you obtain a signing key and you sign some malware. You'll infect some number of machines. But eventually you'll be noticed, and then Microsoft produce a key revocation blob and vendors push it out via their OS update mechanisms. If your malware was basically harmless then that's probably the end of it, but if you were using it as the basis for an attack on people's banking details then a lot of people are suddenly going to be very interested in the person who bought that key, and also your malware isn't going to be able to infect any more machines.

To put this in perspective - Windows is the dominant desktop operating system. If you want to run a botnet or steal people's bank details then Windows is the obvious thing to attack. Windows security has now improved to the point where it's not massively straightforward to do that from userspace, so the logical thing to do would be to run your malware in the kernel. The easiest way to do that would be to load a driver, but Windows won't load unsigned drivers. So you'd need a signed driver. How do you get one? With the same $99 access to the Microsoft signing service that you'd use for signing an EFI binary.

Anyone could already use the signing service to attack Windows. But people haven't. The Stuxnet authors thought it was easier to steal a key from a real hardware vendor than it was to buy their own key. So, yes, in theory an attacker could obtain signing services. But the real world evidence suggests that that's not how they behave.

Summary

Secure Boot is unlikely to be broken via fundamental flaws in its implementation, and there's no evidence that public availability of the signing service will result in an explosion of boot level malware.

Comments

[(Anonymous)]

If there is a public signing service out there, there will be a lot of signed keys. A lot of opportunity for keys to be stolen.

Also, how much would it suck to own hardware that has its keys revoked and a hardware vendor that it unresponsive to getting you updated firmware?

- Russ

[mjg59]

There's a lot of signed Windows driver keys out there, and only a handful of cases of them being stolen. The Secure Boot scenario is actually different - you never get your key, it's stored by Microsoft. You upload the binary and the signed one comes back. So if someone steals your smartcards and gets access to the signing server as you, the audit trail means that only the subverted binaries need to be blacklisted. The key would probably be retired and replaced, but no reason to blacklist the signatures that are attached to the existing hardware.

UEFI

[(Anonymous)]

UEFI will be broken first. UEFI is basically an OS in its own right and has more lines of code than the Linux kernel, there's bound to be bugs to exploit.

Re: UEFI

[mjg59]

The only way to get at bugs is to run code. Secure Boot means that the amount of code exposed to untrusted applications is strongly limited. So, yes, there will be bugs to exploit, and they'll be exploited. And then they'll be fixed, and eventually there will be no more bugs to exploit.

Re: UEFI

[(Anonymous)]

"eventually there will be no more bugs" ...

Who are you, and what have you done to the real Mjg59?

[(Anonymous)]

And when SHA-256 get's broken what happens? The best public cryptanalysis had 41 of 64 rounds in SHA-256 figured out 4 years ago. Where do we think the NSA has got with that? We already know they have unpublished attacks against MD5 that are better than anything else out there thanks to Flame.

Secure Boot is going to do exactly nothing to stop the NSA. They can just ask Verisign for signed binaries using the key of unsuspecting Asian manufacturer. In fact, if I was a non-US organisation I'd consider Secure Boot a massive threat for exactly this sort of reason. Suddenly all my trust infrastructure is based on trusting the Verisign and the US government not to screw me? No thanks.

[(Anonymous)]

Is this signing portal using two factor auth then? I guess if your $99 buys you an RSA key fob that would help a lot. But then there's that whole thing where RSA had all the seeds stolen so perhaps even that isn't secure now...

Quickly Fixed? I don't think so.

[(Anonymous)]

You said, "....quickly fixed once they're found"

I don't think they will be quickly fixed. Unlike the game consoles, motherboard vender don't have any real reason to keep it "secure". They do this only because this is a Microsoft requirement. Unless MS is going to break every vendor with unfixed bug, nobody will go to fix this.

[(Anonymous)]

Well you are all missing a point a "broken secure boot" is basically what we have now.
i.e you can run any software.

[(Anonymous)]

A broken system is worse than no system.

What happens if Microsoft's keys are stolen?

[(Anonymous)]

I wonder what can happen in such scenario.
I mean, suppose that Microsoft's keys are stolen and used to sign malware, Microsoft will revoke that keys and provides to HW vendors the updated keys, but probably not all of them will provide a firmware update with the keys, or maybe the user doesn't know what the heck is a "firmware update" and how to do it (in fact, some HW vendors doesn't responsible about firmware updates).

In that case, will the user be locked down with a computer that can't boot even the OS that was shipped with?

What am I missing here?

[mjg59]

There's a physical smartcard that contains an authentication certificate. You don't get access to the signing service without it.

Re: What happens if Microsoft's keys are stolen?

[mjg59]

You won't need new keys in that scenario. The binaries are signed with a key that's chained back to the trusted key. If the signing key somehow leaks (and really that is not a terribly likely thing to happen) then that key can be invalidated and a new signing key produced that chains back to the same trusted key. Binaries signed with the new key will continue to be trusted by existing firmware.

[(Anonymous)]

Then, after a short period of vulnerability where the extremely rich can get past secure boot, everybody will migrate to SHA-512. The implementation already supports multiple hash methods and secure updates; this won't remain a problem for very long at all.

Depends on Microsoft

[(Anonymous)]

I mostly agree with the first part, maybe I just have a not so good opinion of firmware anyway and UEFI is in the firmware world very very complicated. I have seen the phrase "code to specification" a couple of times, but in the real world cheaply trained monkey teams will push their code through shortly after "it works".

The second part depends on Microsoft actions. It is hard to say whether you are right or wrong, it depends on what Microsoft will do. And I find the part where you reason about why the signing service was not used for attacks a bit funny, because the was never a reason to go to such extremes as far as I know.

[(Anonymous)]

No offence dude but seriously, just leave and go work for Microsoft. It is clear that you are paid by them already. I wish we could vote you off this project.

Policy for handing out keys to foreign and domestic agencies.

[(Anonymous)]

I assume MS will happily and quietly hand out keys to government agencies, that would like to boot "slightly" modified versions of popular OS's for a variety of "legitimate" reasons.

Re: Policy for handing out keys to foreign and domestic agencies.

[mjg59]

You'd think that they'd have just done that for Stuxnet and Flame. But users who are concerned about that can just delete the Microsoft key from their system and do self-signing.

UEFI, Microsoft, and Paranoia

[(Anonymous)]

I don't believe a UEFI secure boot proposal is a bad thing for the community, at least on the face of it so to speak. I agree with some previous discussions I have read the past couple of days, that it has to be as "painless" as possible for the "average Joe/Jane" user. Also, for those who don't want it, just don't enable it! I really don't see the problem there.

As for Microsoft, they are a very large corporation, who commands the PC user OS market. The hardware vendors cater to MS since they are the predominant OS used by most. Not to mention all of their other offerings, in the user SW area. OK nothing new said there. What I would like to say about MS is more about this community than them anyway, and that is... It is good to have a healthy paranoia towards MS motives and dealings with us. Although I don't see secure boot as any form of compromise in the FOSS community, I do see it as a potential step in a direction that may limit our freedom of choice. So keep questioning what this means to us in the open source community, and be on your guard for the inevitable caveat that MS will throw at us (think IBM and OS/2 days). MS after all has to produce profits for their investors, likely has a MANY year plan of where they want to be in the market, no doubt has a strategy for dealing with the open source community, and likely its desired demise. It is important to remember that the word "free" is a four letter word in the business community.

[mjg59]

Being paid by them would actually be a violation of my immigration status, but thanks for the thought.

[(Anonymous)]

As a not USA user would you trust Verisign?

What happens when other signing companies complain about Verisign having a monopoly on signing secure boot? And demand that their CA's public key be included?

Revocation

[(Anonymous)]

How many revoked keys are implementations required to handle? Unless that's a fairly big number, the revocation can be effectively DoS'd.

T/F? A nasty piece of software could brick the computer by revoking the Microsoft key.

[mjg59]

I don't know. Who Microsoft contract with is presumably Microsoft's business.

Re: Revocation

[mjg59]

A fairly large number. Implementations are required to have at least 32K of blacklist store.

The only way any software could revoke the Microsoft key would be to have Microsoft's private key.

OS update mechanisms

[http://pointless.net/openid/jasper/]

Whats going to happen on the Linux side of things with the EFI update mechanisms?

How do linux users get the blacklist of signatures and updated firmware? Is this managed centrally via Microsoft and there is some mechanism for distros to get the updates so they can package and distribute them?