No, really, secure boot does add security

[mjg59]

Carla Schroder wrote a piece for linux.com on secure boot, which gives a reasonable overview of the technology and some of the concerns. It unfortunately then encourages everyone to ignore those legitimate concerns by making the trivially false claim that secure boot is just security theatre.

Security isn't some magic binary state where you're either secure or insecure and you can know which. Right now I'd consider my web server secure. If someone finds an exploitable bug in Apache then that would obviously no longer be the case. I could make it more secure by ensuring that Apache runs in a sufficiently isolated chroot that there's no easy mechanism for anyone to break out, which would be fine up until there's also a kernel exploit that allows someone to escalate their privileges enough to change their process root. So it's entirely possible that someone could right now be breaking into my system through bugs I don't even know exist. Am I secure? I don't know. Does that mean I should just disable all security functionality and have an open root shell bound to a well known port? No. Obviously.

Secure boot depends on the correctness of the implementation and the security of the signing key. If the implementation is flawed or if control of the signing key is lost then it stops providing security, and understanding that is important in order to decide how much trust you place in the technology. But much the same is true of any security technique. Kernel flaws make it possible for an unprivileged user to run with arbitrary privileges. Is user/admin separation security theatre? SSL certificate authorities have leaked keys. Is it security theatre for your bank to insist that you use SSL when logging in?

Secure boot doesn't instantly turn an insecure system into a secure one. It's one more technology that makes it more difficult for attackers to take control of your system. It will be broken and it will be fixed, just like almost any other security. If it's security theatre, so is your doorlock.

Why is this important? Because if you tell anyone that understands the technology that secure boot adds no security, they'll just assume that you're equally uninformed about everything else you're saying. It's a perfect excuse for them to just ignore discussion of market restrictions and user freedoms. We don't get anywhere by arguing against reality. Facts are important.

Comments

[(Anonymous)]

While it might not make sense to say secure boot adds no security, it seems perfectly reasonable to say that secure boot adds very little security in exchange for a significant inconvenience and an architecture that enshrines a gatekeeper.

[mjg59]

What's the basis for the assertion that it adds very little security?

It's very limited in scope

[(Anonymous)]

As near as I can tell, secure boot is limited to making sure your kernel hasn't been tampered with.

I know boot sector viruses were common back in the 80s when everybody had to stick floppy disks in drives that happened also to be the default boot device, but is this really a problem nowadays?

So it seems to be addressing a threat that doesn't actually exist.

Re: It's very limited in scope

[mjg59]

Yes, they're really a problem nowadays.

Re: It's very limited in scope

[(Anonymous)]

Ever heard of a MBR rootkit son?

MBR rootkits are barely on the radar in industry

[(Anonymous)]

Sure, I've heard of MBR rootkits, and they are at the very bottom of the threat list.

In a high value target system, you've already been completely owned before the attacker can even think about installing anything into the MBR. Boot attacks are like slicing the upholstery in a car you've already stolen.

For individuals, sure, boot attacks (especially in systems running windows) are an issue. For a bank? Not really, food poisoning in the cafeteria is a bigger threat.

assumption of innocence

[(Anonymous)]

I'll readily admit that I have only a cursory knowledge about the inner workings of secure boot, but from my reading there is no mechanism for any OS to assert that it has booted securely. The only informative mechanism is an in-memory flag that can be trivially provided by a subversive boot element.

When I read the title of your post, I was hoping that you would clarify the method with which an OS can assert its secure-boot status, because as I see it, secure boot is mere sophistry: you start from a presumed-secure base, then erect big and inconvenient obstacles to try and maintain that assumption.

But how does the OS prove the base was secure to begin with?

Re: assumption of innocence

[(Anonymous)]

"When I read the title of your post, I was hoping that you would clarify the method with which an OS can assert its secure-boot status, because as I see it, secure boot is mere sophistry: you start from a presumed-secure base, then erect big and inconvenient obstacles to try and maintain that assumption."

Secure firmware is flashed at the factory and can only be re-flashed with signed updates. Obviously if the firmware is compromised it can just lie to the OS and say that the boot is secure when in fact is not.

Re: assumption of innocence

[(Anonymous)]

Does the secure boot specification contain a (mandatory) hardware failsafe that prevents an unsigned firmware from being written by a compromised OS?

Re: assumption of innocence

[mjg59]

The spec doesn't, but all implementations do.

Re: assumption of innocence

[(Anonymous)]

Thanks, that's good to know

Re: assumption of innocence

[mjg59]

There's no way for the OS to prove the base was secure, just as there's no way for the OS to prove that the PAM stack hasn't been replaced. All security involves placing some degree of trust in the underlying components.

Re: assumption of innocence

[(Anonymous)]

But that's not really true, as there is debsums and/or rpm -V. You don't need to trust the underlying components as long as you can observe them independently.

In the case of secure boot, that independent observation can't come from the machine itself, because by definition it cannot be trusted. But I wonder if LOM techniques combined with corporate network management wouldn't be able to provide verifiable security?

Re: assumption of innocence

[mjg59]

How do you trust debsums or rpm if you can't trust that the kernel is accurately reporting the filesystem contents?

Re: assumption of innocence

[(Anonymous)]

My response wasn't about the kernel issue, I was referring to your assertion that there is "no way for the OS to prove that the PAM stack hasn't been replaced".

But there is, since the OS can execute processes in parallel with the PAM stack (e.g. init, sulogin) which can independently observe it.

Re: assumption of innocence

[mjg59]

Of course, once someone's replaced the PAM stack, they've also had the ability to modify everything that could validate it.

Only a small hurdle

[(Anonymous)]

What's the basis for saying that it adds very little security?

Boot-level malware authors already have several hurdles to clear; typically involving luring you into doing something dangerous in the first place (say, getting you to click on a pdf), finding probably several 0-day or commonly unpatched exploits (say, to make their way from the PDF you clicked into Acrobat, and then from Acrobat into the operating system), and so on. What Secure Boot does is add one more hurdle.

The question is, how big is this hurdle, and how much will it reduce the effectiveness / increase the cost to the malware authors?

If x86 were like ARM, where MS is not going to sign anyone else's binaries, then I'd say it certainly will make things much more secure. In that case, the only way to install a bootsector rootkit would be to get MS's signing key, which is presumably going to be very difficult.

However, with MS offering to sign developer's binaries, the whole thing goes out the window. Suppose that someone (either a lone hobbyist or a group of smaller distros working together) sign an extlinux binary that allows you to boot arbitrary kernel. Now all the malware author has to do, after breaking through Adobe and into the running kernel, is put that signed extlinux binary in and configure it to boot his malware. Or, suppose that a number of anti-virus vendors have signed bootloaders on their CDs, so you can boot and "securely" clean your system. If any of these are not perfectly secure, he can use one of these. In the worst case, he can use one of the identities he's stolen in a previous heist (or purchased on the black market) to create a Verisign account to sign his own binary.

Maybe all of these attacks are actually infeasable; if so, you need to make a case for that.

But assuming they are feasible: Is that an extra hurdle? Sure. But it's a really small one compared to all the others. If the other hurdles didn't deter or prevent the malware author, why would this one do so? It probably wouldn't extend the cost to make a boot-sector rootkit more than a day at most.

To make an analogy: Suppose that you are filthy rich and own a gigantic diamond. (Or you're an evil scientist and you're keeping the secret of your power.) When not on display / in use, it's in your vault in the 5th level underground, with alarms and massive doors and lasers and floor pressure sensors and everything. But you think the guy from Mission Impossible is planning on stealing it. So you ask your security expert, and he suggests that in addition to all that, you put your treasure in a small safe. What would you think of that? Technically, it does add security, because it does add one more hurdle to the secret agent breaking in. But practically, it's not even worth thinking about, because if he's already gotten through the vault door, the lasers, and the pressure sensitive floor, the small safe is going to be a cakewalk.

That's what it seems like the current x86 implementation of SecureBoot is: a very small additional hurdle to a determined attacker who has already cleared several hurdles much more difficult. And one which does so at a terrible cost to the freedom of users.