Surviving in the wilderness integrity protection and system update. Patrick Ohly, Intel Open Source Technology Center Preliminary version

Similar documents
IoT devices: secure boot and sw maintenance. Open IoT Summit Igor Stoppa

The ultimate guide to software updates on embedded Linux devices

Birds of a Feather Session - OSS Vancouver Eystein Stenberg, Mender.io

Software Updates for Connected Devices

OP-TEE Using TrustZone to Protect Our Own Secrets

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

UEFI Secure Boot and DRI. Kalyan Kumar N

Android Bootloader and Verified Boot

Protecting your system from the scum of the universe

Session Overview. Background Integration Mender libostree (aktualizr) SWUpdate resin.io

ovirt Node November 1, 2011 Mike Burns Alan Pevec Perry Myers ovirt Node 1

Protecting your system from the scum of the universe

Lecture 3 MOBILE PLATFORM SECURITY

Integrity-checked block devices with device mapper. Mandeep Baines Will Drewry

How we added software updates to AGL

CLIP OS: Building a defense-in-depth OS with the Linux kernel and open source software

ovirt Node June 9, 2012 Mike Burns ovirt Node 1

Securing Software Updates for IoT Devices with TUF and Uptane. Ricardo Salveti Principal Engineer

LSS 2017: linux-integrity subsystem update Mimi Zohar

Isar. Build Debian-Based Products with BitBake. Baurzhan Ismagulov. Embedded Linux Conference Europe Oct 11-13, 2016 Berlin, Germany

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

LSS-EU 2018: Overview and Recent Developments Linux Integrity Subsystem

Technical Brief Distributed Trusted Computing

Unicorn: Two- Factor Attestation for Data Security

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

Linux Kernel Security Update LinuxCon Europe Berlin, 2016

Manually Mount Usb Flash Drive Ubuntu Server

GSE/Belux Enterprise Systems Security Meeting

CompTIA Linux+ Guide to Linux Certification Fourth Edition. Chapter 2 Linux Installation and Usage

CIS 4360 Secure Computer Systems Secured System Boot

Linux Kernel Security Overview

Simple custom Linux distributions with LinuxKit. Justin Cormack

Read-only rootfs. Theory and practice. Chris Simmonds. Embedded Linux Conference Europe Read-only rootfs 1 Copyright , 2net Ltd

PL-I Assignment Broup B-Ass 5 BIOS & UEFI

TUX : Trust Update on Linux Kernel

Building Debian-Based Products: Experiences in Collaboration

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

EMBEDDED LINUX ON ARM9 Weekend Workshop

Windows 10 Security & Audit

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

CLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.

Intel Clear Containers. Amy Leeland Program Manager Clear Linux, Clear Containers And Ciao

TPM v.s. Embedded Board. James Y

CompTIA A+ Certification ( ) Study Guide Table of Contents

Securing the Connected Car. Eystein Stenberg CTO Mender.io

Linux+ Guide to Linux Certification, Third Edition. Chapter 2 Linux Installation and Usage

An Operating System Tailored for Containers and Built for the Embedded World

AN APPROACH TO DELIVER HARDWARE - DEPENDENT PACKAGES IN ORDER TO REDUCE EFFORT OF UPDATING AGL DISTRIBUTION IMAGES

A Security State of Mind: Container Security. Chris Van Tuin Chief Technologist, West

exam.30q. Number: Passing Score: 800 Time Limit: 120 min File Version: 1 LPI


Nexpose. Hardening Guide. Product version: 6.0

The Ultimate Windows 10 Hardening Guide: What to Do to Make Hackers Pick Someone Else

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

Platform Configuration Registers

Justifying Integrity Using a Virtual Machine Verifier

LSS 2016: linux-integrity subsystem status. Mimi Zohar

Trusted Computing and O/S Security


How to create a trust anchor with coreboot.

Installation of Fedora 12 with CD

Establishing and Sustaining System Integrity via Root of Trust Installation

An introduction to today s Modular Operating System

Using Linux as a Secure Boot Loader for OpenPOWER Servers

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Strengthening the Chain of Trust. Kevin Lane HP Jeff Bobzin Insyde Software

Establishing and Sustaining System Integrity via Root of Trust Installation

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Windows 8 Uefi Bios Update Step By Step Guide Msi Usa

Contributing to Automotive Grade Linux and GENIVI Development Platform

Embedded lightweight unix

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Security features for UBIFS. Richard Weinberger sigma star gmbh

Securing Android-Powered Mobile Devices Using SELinux

Operating system hardening

I Don't Want to Sleep Tonight:

Backup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Yocto Project components

Open Source Facebook. David Hendricks: Firmware Engineer Andrea Barberio: Production Engineer

An Introduction to Platform Security

Windows Devices. Device Capabilities. Premium. Entry

One-Stop Intel TXT Activation Guide

TITANIUM CLOUD VIRTUALIZATION PLATFORM

Use of Mojo PowerPoint Template. Your name, Title

Customizing the Yocto-Based Linux Distribution for Production

D1 - Embedded Linux. Building and installing an embedded and real-time Linux platform. Objectives. Course environment.

Productizing Linux Applications. What We ll Cover

Handling Top Security Threats for Connected Embedded Devices. OpenIoT Summit, San Diego, 2016

Improving the Yocto Project Developer Experience. How New Tools Will Enable a Better Workflow October 2016 Henry Bruce

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

PreBoot Provisioning Solutions with UEFI

Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick

Welcome to Rootkit Country

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

SDK. About the Cisco SDK. Installing the SDK. Procedure. This chapter contains the following sections:

Intel Cache Acceleration Software (Intel CAS) for Linux* v2.8 (GA)

Securing IoT with the ARM mbed ecosystem

Secure Boot from A to Z

Enhance your Cloud Security with AMD EPYC Hardware Memory Encryption

Transcription:

Surviving in the wilderness integrity protection and system update Patrick Ohly, Intel Open Source Technology Center Preliminary version

Motivation for the talk Why bother? Why yet another talk? What s my background?

Personal background Security and update in Ostro OS meta-intel-iot-security/meta-integrity: IMA meta-swupd: Clear Linux* update mechanism Supporting an update mechanism in the Yocto Project? Comparison in the Yocto Wiki. Integrating dm-verity and whole-disk encryption into IoT OS Reference Kit for Intel Architecture * other names and brands may be claimed as the property of others 3

Why bother? Surviving Harden before shipping. Update once deployed to fix new vulnerabilities. in the wilderness Hostile environment: unauthorized users may be able to access, modify and boot a device. Integrity protection must ensure that a device only runs unmodified software, in an unmodified configuration. 4

Content of the talk Taxonomy of update mechanisms Interaction between system update and integrity protection Hands-on part with IoT Refkit 5

Taxonomy of update mechanisms

Candidates compared for yocto swupd OSTree swupdate mender.io https://wiki.yoctoproject.org/wiki/system_update

Key criteria Block based vs. file based Partition layout Integration with boot process Integration with update server for over-the-air (OTA) updates

Block vs. file update Block based: update partitions (swupdate, mender.io) Reboot required Partition size fixed Rewrite entire partitions File based: update individual files and directories (swupd, OSTree) Reboot may be optional (swupd) Same update stream can be applied to devices with different disk sizes Very efficient 9

Partition layout A/B setup: live partition and second partition that gets updated mender.io relies on this Supported by swupdate Could be done with OSTree and swupd Single partition Supported by swupdate Default mode of operation for OSTree and swupd Updating content outside of the rootfs partition? 10

Integration with boot process Choose what to boot into OSTree bind-mounts actual rootfs mender.io and swupdate set u-boot variables Rescue mode swupdate has recipe for fallback initramfs 11

Integration with update server Clients pull anonymously, need additional telemetry OSTree swupd Dedicated update server mender.io, including hosted service swupdate supports hawkbit 12

Integrity protection 13

Available options Linux Integrity Measurement Architecture (IMA) with Extended Verification Module (EVM) Whole-disk encryption with per-machine secret key dm-verity 14

IMA/EVM Originally designed for remote attestation based on measurements Extended to enforce locally the integrity of file content (IMA) and attributes (EVM) EVM tied to per-machine key Changes file system semantic: Data and xattr must match to make file usable, but get flushed independently (breaks sqlite, increases risk in case of power loss). Does not protect integrity of directory content and therefore susceptible to offline attacks: Disable services by removing files Replace trusted content with symlinks to untrusted content 15

Whole-disk encryption Integrity protection a side effect: attacker cannot modify files without knowing the secret key Offline modifications result in scrambled blocks, which may or may not be detected by the filesystem Key (pun intended) problem: creating and securing a per-machine encryption key 16

Dm-verity Originally designed for Chrome OS, also supported by Android Verifies integrity of each block in a read-only partition, modifications immediately lead to read error Boot process must verify integrity of short root hash Partition also usable without dm-verity 17

Compatibility between update and integrity swupd OSTree mender.io swupdate IMA/EVM Encryption dm-verity EVM needs per-machine key and writable rootfs, not compatible with block-based update swupd and OSTree need writable rootfs, not compatible with dmverity 18

Case study dm-verity and LUKS+TPM in IoT Reference OS Kit 19

Architecture UEFI firmware UEFI combo app Rootfs flash VFAT partition kernel + initramfs + systemd-boot EFI stub + boot parameters ext4, optionally with encryption or dm-verity

Target machine qemu swtpm + qemu-tpm patches MACHINE=intel-corei7-64 TianoCore/ovmf as firmware Fictional device with custom keys enrolled 21

System components: installer image Contains whole-disk images as input Production image free of installer components image-installer script generic part in image-installer.bbclass refkit part in refkit-installer-image.bb Installation: partition target disk, optional: set up whole-disk encryption with new key in TPM NVRAM, copy files Built with wic and new dm-verity.py source plugin which creates partition with hash data 22

SYSTEM components: initramfs Based on initramfs-framework (OE-core) New: initramfs-framework-refkit-dm-verity initramfs-framework-refkit-luks Same refkit-initramfs for all images, parameterized with per-image boot parameters 23

HOWTO TODO: adding layers, reconfiguring distro, building DEMO: initializing TPM, starting swtpm, booting installer image, booting installed image, updating that image with swupd 24

Opens Integration of UEFI signing A/B partition setup with swupd and/or OSTree Stateless rootfs Editing boot parameters or at least automatically adapting them to the current machine (serial port) 25

Questions? 26

LINKS TODO 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback