Defeating Secure Boot With Linux Kexec
• Defeating Secure Boot With Linux Kexec

  Phoronix: Defeating Secure Boot With Linux Kexec

  Matthew Garrett has written an insightful blog post about security issues pertaining to the Linux kernel's kexec functionality that could defeat any security benefits provided by Secure Boot. Using kexec could even allow you to boot a Windows kernel...

  http://www.phoronix.com/vr.php?view=MTUzNDk

• #2
  Disable kexec?

  Is there any way to disable kexec?


• #3
  Originally posted by uid313
  Is there any way to disable kexec?
  Read the blog post; the very last section of it says:

  And that's the story of why kexec is disabled on Fedora when Secure Boot is enabled.


• #4
  This news made my day


• #5
  Originally posted by nomadewolf
  This news made my day
  I'm not sure why. It just means that any kernel booting into Secure Mode has to have kexec disabled.


• #6
  Originally posted by uid313
  Is there any way to disable kexec?
  Yes and no.

  You can disable kexec when you build the kernel. However, you can then build kexec as a kernel module (this is hacky but works; it's used on Android phones to boot a custom kernel even with a locked bootloader).

  Of course you can disable kernel modules altogether, but that would be very limiting for the system.
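An added example, not from the thread, Fedora or the kernel project: a small POSIX shell audit, from the defender's side, of the knobs Pajn's post describes (kexec compiled out at build time, loadable modules compiled out). It goes beyond the post by also checking the write-once `kernel.kexec_load_disabled` sysctl that a later kernel (Linux 3.14) added to refuse `kexec_load(2)` until the next reboot, and by reading the firmware's SecureBoot state. Every check takes a file path as a parameter so it can run offline; the sample files it audits are constructed inline, and the live paths named in the comments are what you would pass on a real system.

```shell
#!/bin/sh
# Added example (not from the thread, Fedora or the kernel project): audit the
# kexec-related hardening knobs. The post covers CONFIG_KEXEC and CONFIG_MODULES
# at build time; the write-once kernel.kexec_load_disabled sysctl was added
# later (Linux 3.14) and refuses kexec_load(2) until the next reboot. Each check
# takes a file path so it runs against constructed sample files; on a live
# system the inputs are `zcat /proc/config.gz`, /proc/sys/kernel/kexec_load_disabled
# and /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.

# 0 when neither CONFIG_KEXEC nor CONFIG_KEXEC_FILE is built in or modular.
kexec_compiled_out() {
    ! grep -Eq '^CONFIG_KEXEC(_FILE)?=[ym]$' "$1"
}

# 0 when loadable module support is compiled out: the "very limiting" option
# from the post, which also blocks re-adding kexec from an out-of-tree module.
modules_compiled_out() {
    ! grep -q '^CONFIG_MODULES=y$' "$1"
}

# 0 when the runtime sysctl file reads 1 (kexec_load refused until reboot).
kexec_load_disabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# 0 when the SecureBoot EFI variable's data byte is 1. efivarfs prepends a
# 4-byte attribute word to the variable data, hence the -j4 skip.
secure_boot_enabled() {
    [ -r "$1" ] && [ "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" = "1" ]
}

# Prints one line per knob; the return value is the number of ways the running
# kernel could still be replaced at runtime (0 means both paths are closed).
audit_kexec() {
    config=$1 sysctl=$2 efivar=$3 findings=0
    if secure_boot_enabled "$efivar"; then
        echo "secure boot: enabled"
    else
        echo "secure boot: disabled or not a UEFI system"
    fi
    if kexec_compiled_out "$config"; then
        echo "kexec: compiled out"
    elif kexec_load_disabled "$sysctl"; then
        echo "kexec: built in, but kexec_load_disabled=1"
    else
        echo "kexec: built in and loadable at runtime"
        findings=$((findings + 1))
    fi
    if modules_compiled_out "$config"; then
        echo "modules: compiled out"
    else
        echo "modules: enabled (an out-of-tree module could reintroduce kexec)"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample inputs standing in for the live files named above.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'CONFIG_MODULES=y\nCONFIG_KEXEC=y\n# CONFIG_KEXEC_FILE is not set\n' > "$SAMPLE_DIR/config-open"
printf '# CONFIG_MODULES is not set\n# CONFIG_KEXEC is not set\n' > "$SAMPLE_DIR/config-locked"
printf '1\n' > "$SAMPLE_DIR/kexec_load_disabled"
printf '\007\000\000\000\001' > "$SAMPLE_DIR/secureboot-efivar"   # attrs 0x7, data byte 1

audit_kexec "$SAMPLE_DIR/config-open" "$SAMPLE_DIR/kexec_load_disabled" "$SAMPLE_DIR/secureboot-efivar" \
    || echo "open kexec paths: $?"
```

The sample "open" config shows the situation the post describes: kexec is built in and modules are enabled, so even with the sysctl set the audit still reports one open path, because a module could bring its own kexec implementation. Only the "locked" config, with both options compiled out, returns 0.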


• #7
  Originally posted by Pajn
  Yes and no.

  You can disable kexec when you build the kernel. However, you can then build kexec as a kernel module (this is hacky but works; it's used on Android phones to boot a custom kernel even with a locked bootloader).

  Of course you can disable kernel modules altogether, but that would be very limiting for the system.
  Depends on the system. For a phone? Tablet? Anything else with 'locked in' components? Not really. It has THESE parts and only THESE parts.

  Laptops, Desktops, and Servers? Okay, granted. But the absolute worst-case scenario there is that you compile everything you're supporting into the kernel and don't do them as modules.


• #8
  Originally posted by Ericg
  Depends on the system. For a phone? Tablet? Anything else with 'locked in' components? Not really. It has THESE parts and only THESE parts.

  Laptops, Desktops, and Servers? Okay, granted. But the absolute worst-case scenario there is that you compile everything you're supporting into the kernel and don't do them as modules.
  Proprietary graphics drivers could be quite nice to have...


• #9
  Originally posted by Pajn
  Proprietary graphics drivers could be quite nice to have...
  No way to compile the kernel portion of the Nvidia and AMD drivers in? It'd be up to the individual distros then, but still...


• #10
  Originally posted by Ericg
  No way to compile the kernel portion of the Nvidia and AMD drivers in? It'd be up to the individual distros then, but still...
  No, that is totally against the GPL license.
  You can't mix GPL and proprietary code.


• #11
  Surely a machine owner can patch Fedora to permit kexec w/ Secure Boot

  Originally posted by smitty3268
  I'm not sure why. It just means that any kernel booting into Secure Mode has to have kexec disabled.

  Just like DVD's CSS and Blu-Ray DRM, once again a corporate attempt to control what people do with what they have already bought and paid for has been defeated!

  Should be easy enough to reconfigure Fedora (or anything else) to permit kexec with Secure Boot, say for a machine with a locked/buggy UEFI that does not permit turning Secure Boot off. For this, a signed kernel NOT booting into any kind of Secure Mode would be booted with Secure Boot still activated. I think this is Ubuntu's default approach, as it makes the use of proprietary or other third-party drivers much easier, as they do not have to be signed. Ubuntu Server should probably offer an option to change that, however. After all, blocking unsigned modules (or ALL modules) is an established technique to harden any system that will be run only with known hardware, such as a server, and it is ineffective if a reboot to an arbitrary kernel is possible. The ideal approach would be a boot-time-only option for secure mode or not, on the same signed kernel bootable from UEFI with Secure Boot enabled.

  I could see cases, such as UEFI only accessible from inside Windows, where a kexec-style exploit is needed to essentially root your laptop. Still chicken-and-egg if starting from Linux on machines that offer no option to stop Windows 8 from booting and have a soldered-down disk, however. The other problem is machines like the MS Surface, with no option to run anything but Windoze. For these, a port of kexec to the Windows kernel would allow rebooting to Linux, either for a session or to load code to root the firmware to install other keys and/or disable Secure Boot. That will be the final crack of Secure Boot as a form of DRM. It took 6 months for someone to jailbreak the first iPhone, and they got a blizzard of bluffing threats from Crapple as I remember. Now rooted phones are everywhere, and Hollywood is crying.

  I can really only see one reason to keep Secure Boot, given that kexec can reboot into Windows 8 or later. This would be for an attempt to obstruct the insertion of software keyloggers into /boot on encrypted machines. In the wild, the MSS (China's secret police) is known to prefer hardware keyloggers, even on laptops. I suspect the same of the FBI, so this would be no guarantee even if it was perfect. The "evil maid" software keylogger is simple in theory, but in practice, in the field, it is easy to run into surprises while trying to implement it against unknown machines where you don't even know in advance what OS you will be facing; thus the popularity of hardware keyloggers.

  Just don't count on that TPM not to have additional, hidden keys for the NSA and maybe the FBI, the way MS Windows itself and the ATA security set-password commands do. If it does, they could sign their "evil maid" initramfs with that key instead of yours. Thus, we need an open-hardware TPM next, the kind you can drop into the motherboard socket and epoxy down. Only then will there be any "secure" in Secure Boot when the NSA (or possibly the MSS) is the adversary.

  Until then, we gain much and lose almost nothing from exploits against Secure Boot. It's not secure, as the hardware itself cannot be trusted.


• #12
  Originally posted by Pajn
  No, that is totally against the GPL license.
  You can't mix GPL and proprietary code.
  Isn't it also against the license to ship them included by default? There were multiple distros, for a long time, that shipped the Nvidia and AMD drivers on their liveCDs and used them by default. Isn't that just as much against the license?


• #13
  Originally posted by Pajn
  Yes and no.

  You can disable kexec when you build the kernel. However, you can then build kexec as a kernel module (this is hacky but works; it's used on Android phones to boot a custom kernel even with a locked bootloader).

  Of course you can disable kernel modules altogether, but that would be very limiting for the system.
  That's why Android is disabling kernel modules by default now, hehe.

  But yeah, as for kexec being able to do this, I'm surprised this hasn't been talked about before. I don't think it's any kind of "secret" really.


• #14
  Originally posted by Ericg
  No way to compile the kernel portion of the Nvidia and AMD drivers in? It'd be up to the individual distros then, but still...
  No, because they're proprietary drivers distributed only in module form... no source, no object files... there simply isn't anything to compile in.


• #15
  Originally posted by Luke
  Should be easy enough to reconfigure Fedora (or anything else) to permit kexec with Secure Boot.
  No, you can't. That's the whole point.

  You're basically saying you could break Secure Boot by launching a kernel that isn't approved and that includes kexec, which implies you've already bypassed Secure Boot.

  You either turned it off, or managed to key-sign that kernel yourself so it works, in which case there is no reason to use kexec to bypass anything, since you already have.
