This is of course a slippery slope argument, but not neccesarily wrong: I think systemd is moving a FLOSS operating system towards one that has source but comes in binaries. You get an initrd that's not built by you, tucked in a kernel also not built by you, runs the userspace from an immutable image also not built by you, which can be updated with binary deltas also not built by you, etc...
This makes sense from the perspective of making a kitchen appliance for the home consumer market. It makes no sense at all from the perspective of making a Unix-like operating system with four freedoms from scratch and ensure it stays that way.
This mechanism makes perfect sense from the POV of every user (especially developers, who are often high-value targets) who isn't currently working on/actively contributing to low-level OS development. This is not a concern, unless your personal definition of computing freedom is equivalent with running Gentoo. If you want to tinker, there's always an escape hatch. Even macOS freely allows you to disable FileVault or System Integrity Protection (at your own risk).
Your freedom to tinker is not in conflict with my need to stay secure; in fact, when you're finally done with your tinkering, you too may appreciate the feeling of your data being secure against the most basic/common threats.
(I'm rarely in agreement with Poettering, but he's 100% on point here.)
I have no idea why having freedom would not include running Gentoo.
Gentoo, as a matter of fact, offers lots of freedom. Its package manager has built-in capability to distinguish licenses. You can choose between systemd or openrc. Musl or glibc. You can disable all sorts of configure options you don't want or need. You can use it stand-alone or inside another distro. You can specify cpu flags for the compiler globally and per package. You can drop in your own patches for any package (and yes, I use that too). You can more easily modify just about anything in the entire system than most distros.
Using Gentoo lets you build a useful system for whatever you do, from sources or binaries, tailored to your needs, without the burden of having to learn all of the different build systems, their dependencies, and weird quirks you'll come across as a package maintainer of any distro. Ever looked at the rpmspec of things you use? Or the patches in a Debian source package? Those details are all taken care of, but with portage still customizable on a high level.
I think the persons point was that for the average user freedom requires a lot of technical knowledge and fiddling. Gentoo is an example of a free system that needs a lot of technical knowledge and fiddling.
I picked on Gentoo because there's a vocal group of people who believe that unless you can trivially swap PID 1, your operating system is holding your freedom back. (And yes, I am saying this as someone who surgically swapped PID 1 to runit when Debian switched to systemd. I had more free time and less perspective.)
Let's put things differently. ssh-keygen(1) gives you the complete freedom to NOT have a passphrase on your private key, but asks you to provide one BY DEFAULT, which is the more secure choice. What you do with that choice is entirely up to you, but defaults matter, especially in security.
I don't quite get the arguments against the topic at all: if you don't want the added security, you can continue as you do now; and if you do want it, then you can compile and sign the entire software chain yourself; or get the precompiled one. Don't seem like there are any downsides here, or are there?
Developing trustworthy Linux-based systems in an open-source way
Common git repo for hosting Boot-firmware
Accelerating Linux Kernel Boot-Up for Large Multi-Core Systems
Leveraging and managing SBAT revocation mechanism on distribution level
Using U-boot as a UEFI payload
Measured Boot, Secure Attestation & co, with systemd
Secure Launch - DRTM solution on Arm platforms
no more bootloader: please use the kernel instead
OF != UEFI
> no more bootloader: please use the kernel instead
This had a post on HN before and I didn't find the arguments terrible compelling. I'm curious what security advantages they might be able to say exist though.
IIRC from a presentation the main point behind NMBL is to not reimplement an entire OS in the bootloader like GRUB. Instead you should use the kernel with an Initrd instead and should kexec if you wanna boot into a different kernel. That way you only really need to take care of the existing kernel and userspace security.
The problem with that is that it starts to muddy the TPM PCRs (read: makes the PCRs that should be predictable not predictable) if the kernel gets kexec'd and it just makes the boot processes just needlessly more complicated. Not to mention when the kernel/initrd fails to boot you are kinda SOL since you can't really do any meaningful boot count logic if it fails as it could even be a faulty kernel and not even reach the initrd.
I also haven't been able to be convinced that NMBL is better than a simple EFI bootloader that chainloads a kernel.
(THAT, cite of tptacek, fulfilling someone's request, downvoted - with.. such empty*, hypothetical argument ?? - so far it's a libel - at least make some effort to proof otherwise in that case Mr FSFdiscreditor..
*"easier to hide backdoors" - so you don't need source to check the _real_ code - only more effort)
-
vs attack surface ? (having no reasons for powerful adversaries)
> Instead of stealing your laptop the attacker takes the harddisk from your laptop while you aren't watching [...] makes a copy of it, and then puts it back.
I've never understood why people keep making this incredibly weak argument for secure boot.
Secure boot makes sense for a college computer lab, where any disk encryption is better than nothing, and you can't give everyone the password or it'd defeat the point.
Secure boot makes sense if you're a Microsoft-only company, as it's a closed-source OS anyway and Microsoft have the code-signing keys. It means your users only have one password to type in - and helpdesk can reset it remotely if a user forgets.
Secure boot makes sense if you're making something like an xbox or tivo where you want disk encryption but you can't give the owner the password, as they're the adversary you're trying to protect against.
And yet people instead ignore these benefits, and go for this spy thriller nonsense as if people are going to be crawling through the air vents and abseiling from the ceiling to interfere with my computer? If you're going to pretend to be James Bond you'd better also be learning ballroom dancing, kung fu, skiing and foreign languages.
What do average people do when something happens with their secure boot? Search the web, and apply whatever they find, hoping that their system boots again. They want a solution under 1 minute, and don't care whether they expose their system. Secure boot is utterly complicated, a mess, and badly documented and people doesn't know shit about it.
And we want this to be default for users? I like lennart's work, but this further complicates things A LOT. What happens in case of hardware failure? If parts of the drive becomes unreadable and you need to retrieve as much data as possible? Oops you forgot to enroll your recovery key...
What will people do to avoid data loss and to avoid learning how the system as a whole works? Create backups and those will be stolen by nefarious entities instead.
Linux is mostly not so complicated. But this latest post... if this becomes the norm, oh god, unnecessarily complicated way to protect against imaginary threat. How widespread these hard disk removals are in the wild? I know maybe 1 case in the last 10 years that was publicised.
People are paranoid about things they can't control and don't understand at all, and these measures calm their nerves. Whew, I'm so important, my data is so important, now I'm protecced. While the ones who really want your data already waltz in anytime they want into your system and you can't do shit against it, because you are expert at max in one domain. The threat modelling already tells you that the compromise you have to take is that there are peepz you can't defend against.
In a data loss situation you image the drive and decrypt it with your recovery key.
That has nothing to do with secure boot. You won't lose access to the drive, the issue is that you want to mostly not use that recovery key all the time.
Storing infrequently used private documents safely is something everyone in the modern world has familiarity with.
Very few people have any familiarity with the risk model of encryption, even if they need or should have encryption (with should have including: providing cover for people who need encryption by making encryption common). And even more people write down passwords rather then remember them.
For example: disk encryption keys basically never change, even if you change the password. So intercepting an image of the encrypted disk at time point A, and then intercepting the user typing the same password in at time point A+N gives you the password to decrypt the disk. You can also reverse the order of this.
If you boot your laptop up from a cold boot in any public area and enter your encryption password, then it's high probability a local security camera has just taken the password. So the attack model can be "get a shot of someone typing on the keyboard in public" and then later "image the drive and crack at your leisure".
If someone gets a copy of your drive image at an earlier point in time, then you change the password, then you mention what your old password was (because it's now "safe" right?), then you've just given them the ability to decrypt the old disk image, and probably the current one too (since they still have a copy of the encryption headers and thus the master keys, which didn't change).
With TPM based factors, these attacks become worthless: the drive separated from the computer, even if you know the user's password, can't be decrypted. The user changing their day-to-day password on the drive is a secure event because the password only works with the computer it's attached too, not independently.
Put a security system with a camera on it that sends an alert if someone gets close to it. Surely it would be a bizzare situation to have the highest level of cyber security and then not even be able to tell if someone broke physically into your house?
Quick survey. How many of you cyber security people out there "would not" be able to tell if someone broke into your house? :-) I'm betting a lot.
Makes sense. Big Tech are the only ones pushing for Secure Boot because it gives them control over our machines. With that they will be able to garden-wall our PCs the same way they do with our phones.
> And yet people instead ignore these benefits, and go for this spy thriller nonsense as if people are going to be crawling through the air vents and abseiling from the ceiling to interfere with my computer?
CBP and other countries' "border control" routinely forces people to let them examine their devices. That's bad enough, I'd at least be happy if there were an attestable way these pigs don't install malware on peoples' devices.
I'm surprised that the author doesn't mention Pureboot [0] or even Heads [1], the most user-friendly [2] way to use TPM on Linux and authenticate the boot process along with /root, /boot directories.
Also, there is no Microsoft involved in my laptop, i.e., the author's statement
> Microsoft's certificates are basically built into all of today's PCs
is wrong. I enjoy the coreboot with Heads on my Librem 14 with my own keys.
I wanted to avoid making this a "it's Lennart" point.
Even then, IME he's building software for 99% of users, which this covers.
It can be quite annoying when he makes life hard for the remaining 1% (or fraction thereof), but I'm not as antagonistic to him as others.
Also, he kinda mentions it in the "Anything Else?" section.
Not the firmware that doesn't ship with the MS keys at all, but the ability to insert your own keys and distrust the MS ones.
Have the bootloader boot automatically into an encrypted guest OS, and have it obtain the key transparently from the TPM. This way the hard drive can not be read outside of the machine. The guest OS allows easy login, can be used to let people borrow your pc in a trusted way, and can also serve as plausible deniability when asked to log in in front of authorities or otherwise being intimidated or forced.
Then configure the bootloader to boot an alt OS or show a boot menu for a specific key combo, and enter a passphrase to boot into the real, 'hidden' OS.
Lennart is technically doing good work.
While his tools are less complicated than the current hilariously convoluted standard boot process, they are still too complicated to use well.
He also misses the point with the attack scenarios.
If you luks encrypt your data and choose a good passphrase, the brunt is done against theft.
Protecting against bad passwords is futile in the long run. (Will elaborate if requested.)
That someone images your drive for offline bruteforce or manipulates your boot binaries is rare.
The true benefit of signed boot chain is to have security patches work reteoactively, "compromise recovery".
Automated attacks and malware from the internet side are way more common.
Imagine one of your daemons is compromised. As long as it does not escalate privileges, it can only gain persistence via corruptable data files or config accessible to itself.
Now a patch comes along that closes the hole that reinfects the daemon.
The malware will not start on daemon restart.
With signed booting you can bring that to the kernel and root.
Signed booting with rollback protection into a known good state.
As long as the malware is not part of that system it won't run on launch.
But who signs my stuff, especially my own scripts and automation?
Me of course, if I had good tooling.
If that became normal malware would just steal the key.
A TPM or other keybearer device lets you conditionally unlock a signing key.
So to sign, you can boot your system into a runlevel / target / ... that does not run auxiliary scripts from writable locations.
If that state is measured by the TPM, you can sign.
With good enough tooling this is workable.
If implemented well, this even helps maintenance of the system.
In the state of things now, its a horrible convoluted mess that doesnt give extra security but 10 more points at which you can break your boot.
+ UEFI itself is again a complexity monster full of holes on very many machines.
The whole x86 preboot stack amd or intel is a horrible complexity monster.
> But who signs my stuff, especially my own scripts and automation? Me of course, if I had good tooling.
There's already a mechanism, provided for DKMS - you enrol a 'Machine Owner Key' which only root can access, and any time you update your kernel (requiring you to recompile a kernel module), it gets signed with the MOK. Which of course means any malware that gains root access can sign itself too.
An alternative is that any time you update your kernel and reboot, things like the nvidia drivers would get disabled until you perform some special ceremony. Not that great for usability, we want people to install updates in a timely manner after all so we don't want to make it too inconvenient.
Another alternative is to only load code blessed by a Microsoft-approved Linux distro - the Ubuntu Core approach. But this requires abandoning the open source ethos.
> the attacker takes the harddisk from your laptop while you aren't watching
> You'll never notice they did that.
Won't you be safe if you put a colorful nail polish to your laptop screws and take picture of its pattern? Then you regularly compare the actual pattern with your picture.
I realize now you are talking about using the nail polish to detect if a screw has been removed as opposed to checking if the screws had been taken out and put back in a different order.
In that case, I would say 1) Nowadays with high res photos and various types of printers, I do think a pattern could be printed back onto a screw head, 2) there is no way you would be checking this every time the laptop was out of your site, let alone reapplying the polish, 3) there are numerous significantly simpler methods that achieve a better result.
> I do think a pattern could be printed back onto a screw head
I've never seen anything like that and don't believe it's practical. 3D-printed patterns will not look the same.
> there is no way you would be checking this every time
This entirely depends on your threat model and how much you suspect a tampering at specific conditions. In principle, you could even (automatically?) take a picture of all screws regularly and compare it with the original using some other, trusted device. In the worst case, you will find out about the tampering later, but it's a very different case than not knowing at all, forever.
> there are numerous significantly simpler methods that achieve a better result
What is simpler depends on the threat model and a person. But I don't disagree. For me, Secureboot is not a better method anyway.
Hello, this is a security auditor. Could you please confirm items on the following checklist?
1. A BIOS password exists, with at least 8 characters, not based on a single dictionary word or keyboard-run sequence, and not easily guessable in other ways.
2. Booting an OS from any non-default device requires entering the BIOS password.
3. GRUB entry for bringing up the firmware configuration does not bypass the password.
4. GRUB itself has a password defined, with similar password strength requirements.
5. Editing the kernel command line or accessing the raw GRUB command prompt requires the password and, likewise, cannot be used to boot kernel/initrd pairs from external media.
I don't trust bios passwords. There's probably some jumper on the
board that bypasses them or a previously planted hardware keylogger.
I always boot off separately stored immutable rescue media
whenever the machine has been out of my custody and checksum the
whole boot device. Your move.
Sorry, this is not a valid answer - you can checksum the boot device as much as you like, but I have not seen any procedure that ensures that you know the correct checksum. What could have helped you is not just a checksum, but a signature used with dm-verity.
What I do on my laptop is:
* BIOS password, of course. Note that this also prevents the attacker from resetting or turning off Secure Boot.
* Secure Boot enabled, with my keys only (no Microsoft keys).
* No GRUB, I use systemd-boot (part of systemd) and UKIs signed with my own key. Although, as I don't dual-boot, this might be an unneeded step. In any case, with Secure Boot enabled, systemd-boot does not allow editing kernel command line arguments at all and so cannot trick my UKI into doing anything else than what it is supposed to do.
* The main SSD partition is encrypted (with the passphrase that I have to type).
* The USB storage driver is not in the initramfs, so the storage device found by the initramfs is guaranteed to be my internal SSD.
* The Secure Boot keys are stored inside that encrypted partition and are used to dynamically sign new sd-boot releases and UKIs. I guarantee that I don't sign anything except UKIs that ask for my SSD password, and any shell-out possibility is treated as a bug.
* There is a separate set of keys for signing the custom rescue media, which is also a big UKI.
This way, the attacker cannot boot anything other than my UKI (first, because of the BIOS password, and second, because Secure Boot won't allow anything else), cannot obtain a shell by running something before I enter the password, and, therefore, cannot clone or overwrite my disk.
Note that this setup has also been criticized as insecure ("you don't use TPM, so you can't be secure, it's a theorem"), but I don't understand this argument.
As for the hardware keyloggers, you are, of course, right.
> * The USB storage driver is not in the initramfs, so the storage device found by the initramfs is guaranteed to be my internal SSD.
Do note, if you are using systemd-gpt-auto-generator with the DPS[1] it only searches for a root partition on the drive with the booted from kernel[2] (and any other DPS partitions are searched for from the drive with the root partition, so if you somehow specify a different drive than the one with the boot loader it will search on that different drive)
Is this for real? Is the initramfs not signed and authenticated? if that was the case it would be a very serious and obvious flaw I would have thought.
This makes sense from the perspective of making a kitchen appliance for the home consumer market. It makes no sense at all from the perspective of making a Unix-like operating system with four freedoms from scratch and ensure it stays that way.