extending the secure boot certificate and signature chain
play

Extending the Secure Boot Certificate and Signature Chain of Trust - PowerPoint PPT Presentation

Dec 06, 2022 •670 likes •847 views

Extending the Secure Boot Certificate and Signature Chain of Trust to the OS Fionnuala Gunter, fin.gunter@hypori.com Mimi Zohar, zohar@linux.vnet.ibm.com Secure Boot Chains of Trust Secure Boot places the root of PK trust in hardware

  1. Extending the Secure Boot Certificate and Signature Chain of Trust to the OS Fionnuala Gunter, fin.gunter@hypori.com Mimi Zohar, zohar@linux.vnet.ibm.com

  2. Secure Boot Chains of Trust • Secure Boot places the root of PK trust in hardware write KEK protected firmware and public keys KEK db • Public key certificates boot 
 var establish a chain of trust MoK List based on validating signatures db Shim • Firmware uses public key(s) to validate the signed bootloader MoK • The signed bootloader can GRUB2 then validate the signed kernel, and so on MoK Kernel

  3. Secure Boot Chains of Trust PK KEK • PK - Platform Key (OEM key) • KEK - Key Exchange Keys KEK db Database (OS vendor keys) boot 
 var MoK List • db - Signature Database db Shim • MoK - Machine Owner Key (the machine owner can replace boot components MoK GRUB2 using mokutils tool) MoK Kernel

  4. Extending the Secure Boot Certificate and Signature Chain of Trust to the OS Load Kernel validates public certificates key system keyring IMA keyring Load signed certificates Sign certificates IMA local CA signed/self-signed 3rd party certificates

  5. Methods for Loading IMA Local-CA Public Key on the System Keyring 1. Compile key into Linux Built into kernel kernel 2. Load the UEFI/MoK UEFI/MoK database keys DB (RedHat’s patches) system keyring Reserved 3. Pre-allocate space in the memory kernel image for IMA local-CA public key. Post load public key build, install key and resign kernel image. IMA local CA

  6. 
 Sign Certificates with IMA Local-CA Private Key • Which certificates and why? • Signing distro/3rd party certificates without a certificate signing request (CSR) 
 openssl ca -ss_cert cert.pem

  7. Load Signed Certificates onto IMA Keyring Kernel validates • Certificates containing a key used to verify file signatures certificates need to be signed by a IMA keyring system trusted key • This extends the signature Load Signed chain of trust to the OS Certificates • The dracut integrity module loads signed certificate keys onto the trusted .ima keyring signed/self-signed 3rd party certificates

  8. Labeling Filesytems with Signatures • The Linux kernel’s integrity subsystem verifies and appraises file integrity based on file signatures • Files are currently signed, post install, by walking the filesystem • A better, more complete solution is to include file signatures in software packages • This enables files to be automatically labeled with signatures during installation

  9. RPM File Signatures • Extended the existing rpm signing tool to include file signatures in packages • RPM plugin installs file signatures using post transaction element hook (psm_post) • Expected in rpm-4.13.0

  10. RPM Including File Signatures • New Command 
 rpmsign —addsign —signfiles PACKAGE_FILE • Sign Files Options 
 —fskpath and —fskpass

  11. RPM Including File Signatures • The new option signs all the file digests included in the package with libimaevm v1.0 • File signatures are stored in the package header under the tag RPMTAG_FILESIGNATURES • After including file signatures, the packages are signed normally

  12. RPM Installing File Signatures • When a package is installed, rpmfilesPopulate extracts file signatures from the package header and stores them in rpmfiles struct • The RPM plugin instantiates the post transaction element hook (psm_post) and writes the file signatures to security.ima xattr

  13. deb Including File Signatures • Control.tar.gz in the .deb packages contains a md5sums file • Include digest sums file in package (eg. sha256sums) • Append file signatures 
 cat sha256sums | evmctl sign_hash -a sha256 -key “${PRIVKEY}” > sha256sums

  14. deb Installing File Signatures • debhelper script and autoscript install ELF file and script signatures stored in the sha256sums file • debhelper script: dh_installfile-sigs • autoscript: postinst-file-sigs

  15. Next Steps • Upstream deb file signature extensions - feature request #766267 • Linux software distributors ship packages with file signatures

  16. References • https://wiki.ubuntu.com/SecurityTeam/SecureBoot • https://www.suse.com/documentation/sles11/ book_sle_admin/data/sec_uefi_secboot.html • http://blog.hansenpartnership.com/the-meaning-of- all-the-uefi-keys/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Top 10 Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure Boot Theory Internal boot ROM 1 st stage boot loader N th stage Verify signature Optional decrypt boot loader OS / Application 2

517 views • 25 slides
Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15 Presentation licensed CC-By-SA-4.0 Why Secure Boot? How can we prevent running malware at boot? With Secure Boot! What if the machine is a VM in

303 views • 15 slides
HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned

HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned

HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned into two categories: Security issues associated with the design Security issues associated with the system and application data once the

1.13k views • 25 slides
Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October

Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October

Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October 15, 2014 Marek Va sut < marex@denx.de > Secure and flexible boot with U-Boot bootloader Marek Vasut Software engineer at DENX S.E. since

382 views • 35 slides
Extending Tina With Secure On-line Accoun7ng

Extending Tina With Secure On-line Accoun7ng

Extending Tina With Secure On-line Accoun7ng Services Fernando Rocha Bara7eri (09138013) Flavio Kruger BiEencourt (10104029) Giovani

600 views • 56 slides
Setup For Failure: Defea0ng UEFI Secure Boot Corey

Setup For Failure: Defea0ng UEFI Secure Boot Corey

Setup For Failure: Defea0ng UEFI Secure Boot Corey Kallenberg @coreykal Sam Cornwell @ssc0rnwell Xeno Kovah @xenokovah John BuGerworth

1.22k views • 84 slides
Securing secure boot with System Management Mode Paolo Bonzini Red Hat, Inc. KVM Forum 2015

Securing secure boot with System Management Mode Paolo Bonzini Red Hat, Inc. KVM Forum 2015

Securing secure boot with System Management Mode Paolo Bonzini Red Hat, Inc. KVM Forum 2015 Outline UEFI overview Secure boot and SMM Chipset support: QEMU Hypervisor support: KVM Paolo Bonzini KVM Forum 2015 What is UEFI?

591 views • 29 slides
Discover UEFI with U-Boot 2020-02-01, Heinrich Schuchardt CC-BY-SA-4.0 About Me

Discover UEFI with U-Boot 2020-02-01, Heinrich Schuchardt CC-BY-SA-4.0 About Me

Discover UEFI with U-Boot 2020-02-01, Heinrich Schuchardt CC-BY-SA-4.0 About Me Software-Consultant ERP, Supply Chain Contributor to U-Boot since 2017 Maintainer of the UEFI sub-system since 02/2019 I Want a Network Drive Many

598 views • 28 slides
Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda What is Verified Boot? Description of Verified Boot Components Q&A What Is Verified Boot? Verified Boot establishes a chain of

432 views • 19 slides
Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]

Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]

Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89] Long-term secure Only needs secure hash function Post-quantum Possibility of hash combiners IoT compatible? Only needs secure hash

285 views • 13 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
Defeating Secure Boot with EMFI Ang Cui, PhD & Rick Housley {a|r}@redballoonsecurity.com

Defeating Secure Boot with EMFI Ang Cui, PhD & Rick Housley {a|r}@redballoonsecurity.com

Defeating Secure Boot with EMFI Ang Cui, PhD & Rick Housley {a|r}@redballoonsecurity.com PROJECT 1. Open-source project to democratize EMFI research 2. 2 years of work so far PROJECT Disclaimer: BadFET-style EMFI research is

1.55k views • 126 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT.

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT.

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT. BOOT https://github.com/boot-clj/boot BOOT TEMPLATES boot -d seancorfield/boot-new new -t tenzing -n <name> [+a <option>]* $ cd

566 views • 22 slides
Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015

Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015

Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015 Gschlberger/Gttfert 1 Introduction Research Studios Austria FG MicroLearning and Information Environments Bernhard Gschlberger

488 views • 19 slides
Package Repository Client and Server Joe Mistachkin @ Tcl 2016

Package Repository Client and Server Joe Mistachkin @ Tcl 2016

Package Repository Client and Server Joe Mistachkin @ Tcl 2016 https://eyrie.solutions/ What are they? The Package Repository Client is a set of Tcl scripts that are capable of locating, downloading, and installing packages for

562 views • 22 slides
Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org

Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org

Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org jeremy.allison@hp.com Where we are now : Samba 2.2 The current Samba is a credible replacement for a Windows server providing file and

529 views • 19 slides
Firewalls/Detection CS 161: Computer Security Prof. Raluca Ada Popa March 8, 2018 Controlling

Firewalls/Detection CS 161: Computer Security Prof. Raluca Ada Popa March 8, 2018 Controlling

Firewalls/Detection CS 161: Computer Security Prof. Raluca Ada Popa March 8, 2018 Controlling Networks On The Cheap Motivation: How do you harden a set of systems against external attack? Key Observation: The more network

949 views • 57 slides
Discussion on Space-Efficient Block Storage Integrity Moderated by Sam Small 600.624 Advanced

Discussion on Space-Efficient Block Storage Integrity Moderated by Sam Small 600.624 Advanced

Discussion on Space-Efficient Block Storage Integrity Moderated by Sam Small 600.624 Advanced Network Security March 11th, 2005 with slides by Vishal Kher Agenda More on the SAN model The Self-certifying File System (SFS) Provable

674 views • 39 slides
Automatic Generation of String Signatures for Malware Detection Scott Schneider, Kent Griffin

Automatic Generation of String Signatures for Malware Detection Scott Schneider, Kent Griffin

Symantec Research Labs Automatic Generation of String Signatures for Malware Detection Scott Schneider, Kent Griffin SRL Xin Hu University of Michigan, Ann Arbor Tzi-cker Chiueh Stonybrook University September 24, 2009 String

658 views • 26 slides
Indexing and Searching Indexing and Searching TDT4215 TDT4215 Indexing & Searching 3

Indexing and Searching Indexing and Searching TDT4215 TDT4215 Indexing & Searching 3

1 Indexing Approaches Indexing Approaches R. Baeza-Yates and B. R. Baeza-Yates and B. Ribeiro-Neto Ribeiro-Neto: : Modern Informa Modern Information Retrie ion Retrieval, l, Chapter 8. Chapt Chapter Chapter 8 1999 . 1999 1999

371 views • 13 slides
Indexing (COSC 488) Nazli Goharian nazli@cs.georgetown.edu Efficiency Difficult to analyze

Indexing (COSC 488) Nazli Goharian nazli@cs.georgetown.edu Efficiency Difficult to analyze

Indexing (COSC 488) Nazli Goharian nazli@cs.georgetown.edu Efficiency Difficult to analyze sequential IR algorithms: data and query dependency (query selectivity). O(q(cf max )) -- high estimate No standard analytical model to

817 views • 22 slides
SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas

SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas

SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas Hlsing Tanja Lange Ruben Niederhagen Louiza Papachristodoulou Michael Schneider Peter Schwabe Zooko Wilcox-OHearn 28 April 2015 Hash-based

586 views • 33 slides

More recommend