Strengthening the Chain of Trust. Kevin Lane HP Jeff Bobzin Insyde Software

Similar documents
Manufacturing Tools in the UEFI Secure Boot Environment

Implementing Secure Boot: A Refresher on Key & Database Configuration

Firmware Implementation Techniques to Achieve Windows 8 Fast Boot

Microsoft UEFI Certification Authority

SSN Lab Assignment: UEFI Secure Boot

PreBoot Provisioning Solutions with UEFI

System Prep Applications A Powerful New Feature in UEFI 2.5

Use of Mojo PowerPoint Template. Your name, Title

TUX : Trust Update on Linux Kernel

EFI Secure Boot, shim and Xen Current Status and Developments

Using the UEFI Shell. October 2010 UEFI Taipei Plugfest Insyde Software

General Firmware Overview of Recommendations for Window OS

ARM Server s Firmware Security

CIS 4360 Secure Computer Systems Secured System Boot

Backup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.

PL-I Assignment Broup B-Ass 5 BIOS & UEFI

UEFI What is it? Spring 2017 UEFI Seminar and Plugfest March 27-31, 2017 Presented by Dong Wei (ARM) presented by. Updated

Deploying Secure Boot: Key Creation and Management

Leveraging Windows Update to Distribute Firmware Updates Model Based Servicing (MBS)

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Windows 8 Uefi Bios Update Step By Step Guide Msi Usa

Support Notes for Red Hat Enterprise Linux ES v.4.6 for HP Integrity Servers

Tailoring TrustZone as SMM Equivalent

Advanced Operating Systems and Virtualization. Alessandro Pellegrini A.Y. 2017/2018

IA32 OS START-UP UEFI FIRMWARE. CS124 Operating Systems Fall , Lecture 6

Cisco Secure Boot and Trust Anchor Module Differentiation

ARM Trusted Firmware ARM UEFI SCT update

Debugging under Unified Extensible Firmware Interface (UEFI): Addressing DXE Driver Challenges

Oracle Linux. UEFI Secure Boot Signing Key Update Notice

UEFI Plugfest March

UEFI ARM Update. UEFI PlugFest March 18-22, 2013 Andrew N. Sloss (ARM, Inc.) presented by

Windows Devices. Device Capabilities. Premium. Entry

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

Linux+ Guide to Linux Certification, Third Edition. Chapter 2 Linux Installation and Usage

UEFI in Arm Platform Architecture

UEFI Forum Update. UEFI Spring Plugfest March 29-31, 2016 Presented by Dong Wei (The UEFI Forum)

I Don't Want to Sleep Tonight:

Big and Bright - Security

Venafi Server Agent Agent Overview

Engineering UEFI Firmware for Windows: Best Practices and Pitfalls to Avoid

HP Intelligent Provisioning 2.20 Release Notes

Dell OpenManage Deployment Toolkit 5.5 for Embedded Linux Release Notes

Intel Transparent Computing

Building Better Firmware Experience An OEM Perspective

UEFI and the Security Development Lifecycle

"Last Mile" Barriers to Removing Legacy BIOS

Configuring TPM Firmware Version

Systems management is a key part of the IT

Intelligent Provisioning 2.70 Release Notes

UEFI Test Tools For Linux Developers

Hardware Prototyping Using a Windows-Hosted UEFI environment

One-Stop Intel TXT Activation Guide

2018/04/11 18:35 (UTC) 1/13 UEFI dual or more boot using refind

This line defines Therefore, if your windows entry on the GRUB menu is 8 you should set this value to 7.

Standardized Firmware for ARMv8 based Volume Servers

DELLEMC. TUESDAY September 19 th 4:00PM (GMT) & 10:00AM (CST) Webinar Series Episode Nine WELCOME TO OUR ONLINE EVENTS ONLINE EVENTS

UEFI and IoT: Best Practices in Developing IoT Firmware Solutions

Creating the Complete Trusted Computing Ecosystem:

UEFI Porting Update for ARM Platforms

Impact of platform firmware on Linux kernel. Megha Dey, Sai Praneeth Prakhya Intel Open Source Technology Center

UEFI State of the Union Ecosystem enabling update

Dell OpenManage Deployment Toolkit 5.3 for Embedded Linux Release Notes

Enabling Advanced NVMe Features Through UEFI

GSE/Belux Enterprise Systems Security Meeting

Solutions for the Intel Platform Innovation Framework for EFI July 26, Slide 1

QL45xxx UEFI HII BIOS. 5/4/2016 Karl Erickson

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

Provisioning secure Identity for Microcontroller based IoT Devices

UEFI Manageability and REST Services

Attacking and Defending the Platform

WD AV GP Large Capacity Hard Drives

How To Startup Windows Service Windows 7. Repair Dual Boot >>>CLICK HERE<<<

Impact of platform firmware on Linux kernel. Megha Dey, Sai Praneeth Prakhya Intel Open Source Technology Center

Setup Lab. A quick guide to infrastructure tools for EPL371

CSE543 - Computer and Network Security Module: Trusted Computing

Introduction to EFI. Dong Wei & Jason Reasor

Introduction to Standards based approach to Server

SUSE Linux Enterprise Server 11 Support Pack 2 Support Notes

UEFI / Bios was denn das?

GELI Support for UEFI

Manually Installing Windows Updates Server 2008 R2 On Vmware 8 >>>CLICK HERE<<<

UEFI Secure Boot and DRI. Kalyan Kumar N

Intelligent Provisioning 3.10 Release Notes

UEFI updates, Secure firmware and Secure Services on Arm

BitLocker: How to enable Network Unlock

One-Stop Intel TXT Activation Guide

Open Source Facebook. David Hendricks: Firmware Engineer Andrea Barberio: Production Engineer

Configuring Server Boot

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

Fedora 12. For guidelines on the permitted uses of the Fedora trademarks, refer to fedoraproject.org/wiki/legal:trademark_guidelines.

Advanced x86: BIOS and System Management Mode Internals UEFI SecureBoot. Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Firmware. OSF (open System. Gundrala Devender Goud Engineering Director/Azure/Microsoft OCP/OSF Project Lead

Dell EMC OpenManage Deployment Toolkit for

Parallels Workstation 4.0 Extreme Read Me

The Future of Security is in Open Silicon Linux Security Summit 2018

The Early System Start-Up Process. Group Presentation by: Tianyuan Liu, Caiwei He, Krishna Parasuram Srinivasan, Wenbin Xu

Managing Persistent Memory Tiffany Kasanicky Intel

1 FOSDEM like real computers - Making distributions work on single board computers André Przywara 04/02/2018

CIS 191A Final Exam. Fall CIS 191 Final Exam

Transcription:

presented by Strengthening the Chain of Trust Kevin Lane HP Jeff Bobzin Insyde Software August Updated 22, 2014 2011-06-01

Agenda Quick Intro to UEFI UEFI Myths Using Linux + Secure Boot Continuing the Chain-of- Trust www.uefi.org 2

UEFI Specification: What Is It? Defines a PC operating system and platform firmware interface Replaces Basic Input/Output System (BIOS) firmware interface Note: most UEFI images provide legacy support for BIOS services. Consists of platform data tables, boot and runtime service calls Supports remote diagnostics and repair, even without an OS Standardizes booting of OSes and running pre-boot applications Evolved from Intel s EFI (Extensible Firmware Interface) specification Note: EFI was deprecated by UEFI in 2005. Managed by the UEFI Forum www.uefi.org 3

UEFI Specification: Milestones Mid-90s: First Intel HP Itanium system development occurs BIOS limitations (e.g., 16-bit processor mode, 1 MB addressable space and PC AT hardware) don t meet needs of larger server platforms 1998: Intel creates EFI (originally Intel Boot Initiative") to solve BIOS issue 2005: Intel ceases EFI spec development at v1.10; contributes it to UEFI Forum Original EFI specification remains owned and licensed by Intel 2007: UEFI Forum releases UEFI specification v2.1 Adds cryptography, network authentication, user interface architecture (UEFI s Human Interface Infrastructure) 2008: UEFI Forum releases UEFI specification v2.2 Adds Secure Boot 2013: UEFI Forum releases current UEFI specification v2.4 www.uefi.org 4

Secure Boot: What Is It? Security protocol component of UEFI Secures the boot process by preventing loading of drivers or OSes that are not digitally signed in with acceptable markers Prohibits the ability of rootkits to install themselves into the computer system s boot loader Required WITH UEFI firmware by all manufactured PC s since advent of Windows 8 and 8.1 Secure Boot keys were developed by Microsoft and embedded in the UEFI firmware on the system. The UEFI feature causing the most Linux boot issues www.uefi.org 5

Myth #1 I can t install Linux on a UEFI Computer! UEFI will not prevent you from installing Linux or any other (supported) operating system. Secure Boot may make it difficult to install operating systems other than Windows 8. Some PC manufacturers also allow a legacy mode to be selected that will emulate a PC BIOS. www.uefi.org 6

Myth #2 Linux will not work with Secure Boot! Secure Boot can always be disabled, thus allowing you to install Linux or any other supported operating system. Most newer versions of the popular Linux distributions now ship with support for Secure Boot, allowing you to not only install with Secure Boot enabled in UEFI, but also helping to secure the chain of trust. www.uefi.org 7

Myth #3 I need TPM to get Secure Boot to work! TPM (Trusted Platform Module) Is just another layer that you can use to store your credentials. Was also implemented prior to UEFI on PC platforms (non-enterprise). Is already implemented by the major PC vendors, and offers an additional layer of security, but is not a prerequisite for Secure Boot. Is a hardware-based (chip) with an API layer that encompasses middleware and applications. www.uefi.org 8

What Can I Do With UEFI? The UEFI Shell A shell/terminal for the firmware Allows launching of UEFI applications (e.g., UEFI bootloaders) Can be used to obtain other system or firmware information (e.g., memory map (memmap), modifying boot manager variables (bcfg), running partitioning programs (diskpart), loading UEFI drivers, editing text files (edit), hexedit, etc.) uefitoolkit Provides examples of what you can do with EFI Driver development Intel Programmable boot options Implementation depends on Hardware vendor www.uefi.org 9

What Can I Do With UEFI? refind Boot Manager for EFI/UEFI NOT a boot loader All EFI-capable Operating Systems include boot loaders. Most EFI implementations should provide a boot manager. Sadly, most are very poor or useless. www.uefi.org 10

How Do I Get Linux To Work With Secure Boot? Why not just disable Secure Boot? This is BAD Mojo! The main reason for Secure Boot is to keep the boot process and boot code secure. Disabling Secure Boot leaves you susceptible to rootkits that hide in the boot code and go undetected. Most major Linux distributions support Secure Boot! Add a signing key to the UEFI Firmware! www.uefi.org 11

Chain-of-Trust: Use Linux Distributions or Create Your Own www.uefi.org 12

Implementing A Trust Chain System Firmware Checks Pre-Loader Checks Linux Loader Checks Linux Kernel Checks www.uefi.org 13

Who Do We Trust? Firmware as the Root of Trust verifies First Stage Bootloader shim.efi binary is signed by either: 1) Microsoft CA installed into system at factory 2) OEM or Owner Created Key Certificate must be provisioned into system (db) www.uefi.org 14

Booting Continues shim.efi in turn verifies Grub2, and Grub2 uses shim service to verify Kernel grubx64.efi and kernel are signed by one of these: 1) Distro-created key inserted into Distro-created build of SHIM.EFI, (which must then be submitted to MS for signing) 2) Signed by Key enrolled by User during Linux Install (the MOK) www.uefi.org 15

Using The Distro Signing Transitions from UEFI to Distro Signing UEFI CA KEY SIGNED BY DISTRO KEY System Firmware Checks Pre-Loader KEY Checks Linux Loader Checks Linux Kernel www.uefi.org 16

Using The Disto Signed Boot Advantages: 1) Simple no per-machine configuration 2) Do not need to keep local-generated private keys secure Disadvantages: 1) Cannot use local-built grub, Linux, or drivers www.uefi.org 17

Machine Owner Key (MOK) Switch from UEFI to Local Security Space UEFI CA KEY SIGNED BY MOK KEY System Firmware Checks Pre-Loader MOK Checks Linux Loader Checks Linux Kernel www.uefi.org 18

Steps For Setting Up MOK Set up corporate infrastructure for creating public/private key pairs and keeping secure Use mokutil to request install On reboot, shim.efi loads MokManager.efi Load the MOK public key (kept safe by f/w) Sign all rebuilt components before install Note: requires hands-on config for every system www.uefi.org 19

Possible Site Policy UEFI CA DISTRO Machine Owner shim.efi grubx64.efi Linux Kernel Driver #1,3,4 Driver #2 Note: Approved Key Accumulate as Boot Progresses www.uefi.org 20

Site With Total Local Control Complete Local Security Space SIGNED BY MOK KEY System Firmware MOK Checks Pre-Loader MOK Checks Linux Loader Checks Linux Kernel www.uefi.org 21

Replacing The Factory UEFI DB 1) Use Efitools at http://git.kernel.org/cgit/linux/kernel/git/jejb/efit ools.git 2) Generate custom database in form of lockdown.efi 3) Clear firmware db using BIOS menus 4) Use BIOS menus to run lockdown.efi High-touch and For Experts Only! www.uefi.org 22

Help From Redhat Chapter 24.7 in Red Hat Enterprise Linux 7 System Administrators Guide https://access.redhat.com/documentation/en- US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ Fedora UEFI Secure Boot Guide http://docs.fedoraproject.org/en- US/Fedora/18/html/UEFI_Secure_Boot_Guide/chap-UEFI_Secure_Boot_Guide- What_is_Secure_Boot.html www.uefi.org 23

Help From SUSE/ opensuse Suse and Secure Boot: The Details https://www.suse.com/communities/conversations/uefisecure-boot-details/ http://en.opensuse.org/opensuse:uefi#booting_a_cust om_kernel Chapter 11 in SUSE Linux Enterprise Server Administrators Guide https://www.suse.com/documentation/sles11/book_ sle_admin/data/book_sle_admin.html www.uefi.org 24

Helpful Blogs And Web Books http://www.rodsbooks.com/efi-bootloaders/secureboot.html http://blog.hansenpartnership.com/uefi-secure-boot/ http://mjg59.dreamwidth.org/ http://uefidk.intel.com/blog www.uefi.org 25

For more information on the Unified EFI Forum and UEFI Specifications, visit http://www.uefi.org presented by www.uefi.org 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback