Debian’s support for Secure Boot on x86 and ARM

Slides:



Advertisements
Similar presentations
1 Dynamic Proxies Explained Simply. 2 Dynamic Proxies License Copyright © 2008 Ciaran McHale. Permission is hereby granted, free of charge, to any person.
Advertisements

The following 10 questions test your knowledge of desired configuration management in Configuration Manager Configuration Manager Desired Configuration.
CA ERwin r8 installing the application things you should know before installing your CA ERwin r8 Data modeling application.
Open Source Software – Lessons Learned
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Open Source Software A Commercial.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Mike Azocar Sr. Developer Technical Specialist Microsoft Corporation
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from
Low level CASE: Source Code Management. Source Code Management  Also known as Configuration Management  Source Code Managers are tools that: –Archive.
Jul The New Geant4 License J. Perl The New Geant4 License Makes clear the user’s wide- ranging freedom to use, extend or redistribute Geant4, even.
Version Control with git. Version Control Version control is a system that records changes to a file or set of files over time so that you can recall.
© 2008 The McGraw-Hill Companies, Inc. All rights reserved. M I C R O S O F T ® Preparing for Electronic Distribution Lesson 14.
Content Management Systems …mostly Umbraco ALL ABOUT.
Linux Operations and Administration
Copyright and Software and You. What is copyright? The Copyright Act of 1976 prevents the unauthorized copying of a work of authorship. – However, only.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks gLite Release Process Maria Alandes Pradillo.
® IBM Software Group © 2012 IBM Corporation OPTIM Data Studio – Jon Sayles, IBM/Rational November, 2012.
Operating Systems AOIT Principles of Information Technology.
1 Multi-threaded Performance Pitfalls Ciaran McHale.
Adding Genes This presentation gives a quick overview on how to add Genes to Osprey.
Blue Diamond Scott Auge Amduus Information Works, Inc.
11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.
April 30, 2007 openSUSE.org Build Service a short introduction Moiz Kohari VP Engineering.
Digital Intuition Cluster, Smart Geometry 2013, Stylianos Dritsas, Mirco Becker, David Kosdruy, Juan Subercaseaux Setup Instructions Overview 1. License.
End User License Agreement Permission to use and redistribute this Document is granted, provided that (1) the below copyright notice appears in all copies.
Andrew McNab - License issues - 10 Apr 2002 License issues for EU DataGrid (on behalf of Anders Wannanen) Andrew McNab, University of Manchester
Compatibility and Interoperability Requirements
Copyright © 2015 – Curt Hill Version Control Systems Why use? What systems? What functions?
A l a d d i n. c o m eSafe 6 FR2 Product Overview.
Week #3 Objectives Partition Disks in Windows® 7 Manage Disk Volumes Maintain Disks in Windows 7 Install and Configure Device Drivers.
Mike Gore School of Computer Science. This talk is on the Web in TWIKI format A more detailed copy of this talk can be access on with web page. Including.
Samba – Good Just Keeps Getting Better The new and not so new features available in Samba, and how they benefit your organization. Copyright 2002 © Dustin.
Chapter 8 Configuring and Managing Shared Folder Security.
Unix Shell Basics Edited from Greg Wilson's "Software Carpentry"
Changing Databases This presentation gives a quick overview on how to change databases in Osprey.
National Alliance for Medical Image Computing Licensing in NAMIC 3 requirements from NCBC RFA (paraphrased)
Digital Intuition Cluster, Smart Geometry 2013, Stylianos Dritsas, Mirco Becker, David Kosdruy, Juan Subercaseaux Search Basics – Templates Tutorial Overview.
1 Example Uses of Java Reflection Explained Simply.
End User License Agreement Permission to use and redistribute this Document is granted, provided that (1) the below copyright notice appears in all copies.
1 /15 Design and Implementation of the Custom Debian Distributions Toolkit (CDDT) 17 February 2006 Sergio Talens-Oliag II Open Source World.
Opening Windows to a Wider World Why Samba moved to GPLv3 Jeremy Allison Samba Team
Free as in Freedom, or Free as in Beer? Steve McIntyre Debian Project Leader 4th December 2009, Aberystwyth.
Introduction to CAST Technical Support
Patch Management Module 13.
Lesson 19: Configuring and Managing Updates
What is F/LOSS? By Scot Henderson.
Chuan-kai Lin Drake Diedrich Google Inc.
The Secure Boot Journey
Jester – The JUnit Test Tester
Resource Management in OGSA
What are they? The Package Repository Client is a set of Tcl scripts that are capable of locating, downloading, and installing packages for both Tcl and.
Open Source Software: Top 10 Myths that Every In-House, Government, & Private Practice Lawyer Should Know 2017 NAPABA Convention Washington, D.C.
Mini Robot Chassis Top View
Outline What does the OS protect? Authentication for operating systems
Windows 8 Hardware Certification Program and KIT Overview
IM-pack: Software Installation Using Disk Images
A Fast Track into Device Guard
Deploy Plugins Developer 29 October 2013
Outline What does the OS protect? Authentication for operating systems
Device Guard: AppLocker on steroids
An Introduction to Device Drivers
The Application Lifecycle
Introduction to CAST Technical Support
Chapter 9: IOS Images and Licensing
IS3440 Linux Security Unit 4 Securing the Linux Filesystem
Chapter 2: The Linux System Part 1
TPM, UEFI, Trusted Boot, Secure Boot
NAVIGATING THE MINEFIELD
BEMS user Manual Fundación cartif.
Presentation transcript:

Debian’s support for Secure Boot on x86 and ARM Ben Hutchings Kernel Recipes, Paris, 2016

Ben Hutchings Regular Linux contributor since 2008 Working on various drivers and kernel code in my day job Debian kernel and LTS team member, now doing most of the kernel maintenance aside from ports Maintaining Linux 3.2.y and 3.16.y stable update series on kernel.org Kernel maintainer for LF Civil Infrastructure Platform, aiming for super-long-term support

Secure Boot Optional feature in UEFI - uses certificate store to validate boot loader, UEFI drivers, system firmware updates Protects against persistent malware (bootkit / kernel rootkit) if implemented correctly Required in 'Designed for Windows' systems since Windows 8 (2012) Only common trusted certificates on PCs are for Microsoft signing keys MS will sign PC boot loaders for a small fee, and the certificate store is normally editable on PCs ARM-based Windows systems are completely locked down HPe shipping ARM64 server systems in SB setup mode, allowing installer to set trusted certificates

GNU/Linux under Secure Boot First stage needs MS signature – manual submission process Most distributions introduced 'shim' as first stage boot loader that won't need updating often MS expects boot loader and kernel to validate code they load – and it's a good idea anyway For later stages, we control certificates and keys – certificates can be embedded in 'shim' GRUB needs to validate its modules and kernels Linux kernel needs to validate its modules and any other code that runs in kernel mode

Securing the Linux kernel Root user, including malware running as root, can modify kernel without using any security bugs MS signing requires kernel to validate code it runs – and it's also a good idea in general Using Matthew Garrett's patchset to add 'securelevel' feature, activated when booted under SB: Module signatures are mandatory kexec_load() is disabled – must use kexec_file_load() instead Hibernation is disabled – but images could be signed and validated using per-machine key Other kernel APIs that allow peek/poke are disabled Force-loading of modules into the wrong kernel version is disabled

The signature problem We don't want to expose signing keys to buildds Reproducible builds can't depend on anything secret So we can't auto-build signed binaries in single step Solution requires an extra source package: Build unsigned binaries from first source package Sign 'offline' and put detached signatures in second source package Build signed binaries from second source package

Introducing linux-signed The second source package for linux Contains detached signatures for specific kernel version and script to update them for a new kernel version linux builds binary packages like linux-image-4.7.0-1-amd64-unsigned linux-signed clones those packages, attaches signatures, and builds packages like linux-image-4.7.0-1-amd64 Signing currently done with my personal key, which will not be trusted by shim or GRUB

Signing in dak - background Debian archive software (dak) signs archive metadata using keys trusted by Debian systems Separate keys for stable releases, security updates, rolling releases Keys managed by 'FTP' team We want dak to also sign code from linux, grub, etc. and publish detached signatures Keys also managed by FTP team, possibly similar split between releases Mustn't publish complete binaries at this stage - need reproducibility, and might have an embargoed fix dak supports uploads with non-standard file types (byhand) and configured handlers (auto- byhand!)

Signing in dak - implementation Add auto-byhand script that converts tarball of EFI binaries and/or kernel modules to tarball of corresponding signatures Enable auto-byhand for all source packages that need code signing Include signature tarballs in signed archive metadata Change each first source package to include a suitable tarball in uploaded files (dpkg- distaddfile) Add preparation script to each second source package to download and unpack published signature tarball

Didn't Ubuntu already do this? Yes, but: Launchpad has a different hook mechanism Signing script only covers EFI binaries, not kernel modules Signing script produces signed binaries, not detached signatures Kernel is only signed on amd64 linux packages in Debian and Ubuntu have >10 years of divergence We'll still share shim, grub-signed, sbsigntool, etc.

Secure Boot on ARM? Upstream kernel has EFI stub for ARM32 and ARM64 We have out-of-tree kernel patches for securelevel on ARM64 sbsigntool works for ARM32 and ARM64 (although the test cases only cover x86) GRUB EFI code runs on ARM32 and ARM64 shim runs on ARM64 So we should be able to support Secure Boot on ARM64

Securing the signing keys Julien Cristau is working on signing with a PKCS#11 hardware security module – some model of Yubikey Signing with Yubikey is slow so we plan to use it for EFI binaries only; kernel modules will be signed with a separate key file

Current status Bug #820036 tracks work to be done dak support for signed packages – in progress shim package – in review GRUB signed build and validation of next stage Linux signed build – ready to go when dak is fwupdate signed build Signed binaries in installer and live images More information at https://wiki.debian.org/SecureBoot Aiming for stretch release (freeze in Jan 2017)

Credits Linux 'Tux' logo © Larry Ewing, Simon Budig. Modified by Ben to add Debian open-ND logo Debian open-ND logo © Software in the Public Interest, Inc. Debian slide template © Raphaël Hertzog Background image © Alexis Younes Linux 'Tux' logo © Larry Ewing, Simon Budig. Redistribution is free but has to include this notice. Modified by Ben to add Debian open-ND logo. Debian open-ND logo © Software in the Public Interest, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. OpenOffice.org template by Raphaël Hertzog http://raphaelhertzog.com/go/ooo-template License: GPL-2+ Background image by Alexis Younes “ayo” http://www.73lab.com/ 'Access denied' image by Mike Licht http://NotionsCapital.com License: CC-BY-2.0 - https://creativecommons.org/licenses/by/2.0/

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.