Re: EFI BoF at DebConf

[Steve McIntyre]

On Tue, Jul 31, 2012 at 02:28:28PM -0700, Steve Langasek wrote:
On Tue, Jul 31, 2012 at 02:40:25PM -0600, Paul Wise wrote:

 One thing I don't think anyone has discussed yet is how key
 transitions will work, if a distro-specific key is compromised, is the
 OS able to update the SB keys?

Any OS will be able to push signed updates to the DB and DBX variables,
adding new trusted keys or revoking keys / individual binaries.  However,
the only signed updates that will be accepted by the firmware are those
signed by keys already trusted /by the firmware/ (i.e., those present in the
kEK).  This means that in general, if you have a compromised key or
compromised binary, you need to go back to the CA (i.e., whoever is
providing a trust path back to KEK for you) and ask them to issue a
revocation.

Ah, right. I'd missed that part of the spec and I wasn't clear how
revocation is meant to work.

...

FWIW the UEFI working group seems to consider it an oversight that only one
signature is allowed per binary, and work is afoot to correct this.  But as
with other issues, it's probably too late to make a difference for the first
iteration of hardware.

ACK. :-(

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
C++ ate my sanity -- Jon Rabone


-- 
To UNSUBSCRIBE, email to debian-cd-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120804153338.gk32...@einval.com

Re: EFI BoF at DebConf

[Paul Wise]

On Fri, Jul 20, 2012 at 4:34 PM, Steve McIntyre wrote:

 Here's a summary of what we discussed in the EFI BoF [1] last week
 (9th July). Thanks to the awesome efforts of the DebConf video team,
 the video of the session is already online [2] in case you missed
 it. I've also attached the Gobby notes that were taken during the
 session. Again, thanks to the people who took part - we had a useful
 discussion.

One thing I don't think anyone has discussed yet is how key
transitions will work, if a distro-specific key is compromised, is the
OS able to update the SB keys?

 Any one binary can only be signed by one key.

Would it be possible/useful to circumvent this limitation by making
copies of the binary and then signing them?

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


-- 
To UNSUBSCRIBE, email to debian-cd-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAKTje6EGV4vOSw2KeQgJVQqrZsf=r6wy0gzswuodqjqewsh...@mail.gmail.com

Re: EFI BoF at DebConf

[Steve Langasek]

On Tue, Jul 31, 2012 at 02:40:25PM -0600, Paul Wise wrote:

  Here's a summary of what we discussed in the EFI BoF [1] last week
  (9th July). Thanks to the awesome efforts of the DebConf video team,
  the video of the session is already online [2] in case you missed
  it. I've also attached the Gobby notes that were taken during the
  session. Again, thanks to the people who took part - we had a useful
  discussion.

 One thing I don't think anyone has discussed yet is how key
 transitions will work, if a distro-specific key is compromised, is the
 OS able to update the SB keys?

Any OS will be able to push signed updates to the DB and DBX variables,
adding new trusted keys or revoking keys / individual binaries.  However,
the only signed updates that will be accepted by the firmware are those
signed by keys already trusted /by the firmware/ (i.e., those present in the
kEK).  This means that in general, if you have a compromised key or
compromised binary, you need to go back to the CA (i.e., whoever is
providing a trust path back to KEK for you) and ask them to issue a
revocation.

  Any one binary can only be signed by one key.

 Would it be possible/useful to circumvent this limitation by making
 copies of the binary and then signing them?

It's certainly straightforward to take copies of a single binary and have it
signed by multiple keys.  It's even straightforward to remove one signature
from a binary and replace it with another.  What's not straightforward is to
provide a single boot image that can reasonably make use of such things,
since UEFI boots by looking for a single well-known path to boot from.

FWIW the UEFI working group seems to consider it an oversight that only one
signature is allowed per binary, and work is afoot to correct this.  But as
with other issues, it's probably too late to make a difference for the first
iteration of hardware.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developerhttp://www.debian.org/
slanga...@ubuntu.com vor...@debian.org


signature.asc
Description: Digital signature

EFI BoF at DebConf

[Steve McIntyre]

[ Please note the cross-post and Reply-To ]

Hi folks,

Here's a summary of what we discussed in the EFI BoF [1] last week
(9th July). Thanks to the awesome efforts of the DebConf video team,
the video of the session is already online [2] in case you missed
it. I've also attached the Gobby notes that were taken during the
session. Again, thanks to the people who took part - we had a useful
discussion.

UEFI - background
=

Newer PCs are now coming with a BIOS replacement (UEFI). This provides
a very different set of firmware interfaces to the traditional BIOS
that will require different boot methods. For now, PC motherboards are
continuing to ship with legacy BIOS support but this won't last
forever. In Debian, we need to make sure we build in support for UEFI
in various places:

 * debian-installer
 * boot CDs (both installer and live)
 * boot loader(s)

There is also a second part to this puzzle: Microsoft's Secure Boot
specification. System vendors wanting MS certification for their
hardware (i.e. just about all vendors) will be required to ship their
hardware with Secure Boot enabled by default, although they will also
be required (on x86 systems) to include a method for end users to
disable Secure Boot somehow. Buyers of Windows systems based on ARM
CPUs will *not* get the same freedom.

Supporting UEFI
===

We already have some of the necessary components in Debian, but we
need to make sure that we support things all the way from initial
CD/USB/network boot through installation and partitioning to
installing an EFI-capable boot loader. People are planning on tackling
this, hopefully in time for the Wheeze release. This should not be
*too* difficult, we hope.

Most of the session was taken up by discussion of...

Secure Boot (or should that be Restricted Boot?)
==

We're most likely too late to do much about this in Debian for
Wheezy. There's a lot of work that would be needed, and a lot of
decisions to be taken. I was hoping that this BoF might be the venue
for those decisions, but that was too optimistic about what might
happen in a 45-minute session.

What we should expect: if Debian does not implement SB, then users
wishing to install Debian on MS-certified hardware will have a much
more awkward experience than previously, needing to navigate through
the firmware setup interface on their machine to find the place to
disable SB before. Only then will they be able to boot install/live
media. It will be difficult for us to help much on this front.

What others have done/said about SB
===

 * Fedora - RedHat
* Everything signed
* Full signing of the kernel stack. You even have to sign modules, so it
  complicates stuff for things like DKMS.

 * Ubuntu - Canonical
* not persuaded that it is safe to use GPLv3 bootloaders - differs from
  FSF view of the issue under best current legal advice with respect to
  their pre-installed requirements in-house.
* for now avoids going the path of fully signing the kernel stack
* for now: prevent the user to have anything to do with BIOS, SecureBoot
  key handling, etc.

 * FSF
* Tend to think that GPLv3 issues (such as risking the obligation to
  release private key content) are either not an issue or that the license
  can be changed to avoid them
  
http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/whitepaper-web

Future UEFI SB changes
==

Comes down to MS certification requirements as to what actually ships. Must be
possible to disable SecureBoot but will practically be done via access to the
firmware: usability obstacle. No clarity on how users can install their own
keys, down to particular vendor variability. Part of the spec but not
necessarily implemented by vendors - best effort only and might not work for
all.

Likelihood of changes in MS requirements via public pressure vs pressure on 
OEMs?
MS are not an implementor, certifier instead. Working with individual OEMs
won't provide 100% coverage. Some clarifications have been made as a result of
bad press from the initial announcements.

Note: MS trying to implement a different mechanism / monopoly play on ARM, 
including
no requirement for SecureBoot to be capable of being disabled on ARM. Increasing
deployment of ARM devices will become important. Makes Windows phones much less
appealing as hackable devices.

Larger customers may be able to stipulate particular configurations or OS-less
hardware but this isn't just a hobbyist problem.

Reasons behind the spec include virus protection which is being pushed by some
of the larger customers for the hardware. HP want users to run what they want
to run but also take into account requirements from the same customers about
protecting what does run.

Debian and SB?
==

What are the limitations on extra keys? Is another key useful?
  * could be unlikely to get a 

Re: EFI BoF at DebConf

[Stefan Lippers-Hollmann]

Hi

On Saturday 21 July 2012, Steve McIntyre wrote:
[…]
 Likelihood of changes in MS requirements via public pressure vs pressure on 
 OEMs?
 MS are not an implementor, certifier instead. Working with individual OEMs
 won't provide 100% coverage. Some clarifications have been made as a result of
 bad press from the initial announcements.

That ship has sailed, the first secure boot enabled consumer systems 
are already shipping[1] and windows 8 is about to go gold in roughly 
two weeks. Therefore both the specification and the first generation of
its implementation can be considered to be set in stone by now.

Regards
Stefan Lippers-Hollmann

[1] 
http://www.h-online.com/open/news/item/Aldi-PC-becomes-first-retail-PC-with-UEFI-Secure-Boot-1635893.html


--
To UNSUBSCRIBE, email to debian-cd-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201207210126.34209.s@gmx.de

Re: EFI BoF at DebConf

[Steve Langasek]

Hi Steve,

Thanks for the summary of the EFI BoF.  If you don't mind, I'm going to
piggy-back on this to provide a bit more info about Secure Boot.  Some of
this is just expanding on your notes with clarifications; other bits are new
information I've gleaned while attending the UEFI Summer Summit this week. 
But don't ask me to remember which parts are which, as it's all run a bit
together in my head. ;)

With many of my comments, I may be giving the impression that I think things
aren't that bad and that everything will be ok with Secure Boot.  I am in
fact very concerned about Secure Boot; we have some significant challenges
ahead for continued after-market compatibility with commodity machines as a
result of this change.  But to meet those challenges, we need to be focused
on the issues that are actually going to cause a problem.  For instance, I
*don't* think we should be worried that machines will go out the door with
the Windows 8 logo on them while failing to correctly implement SB
(including the disable and customization capabilities).  The Microsoft team
working on this are quite serious about getting it right, and they do have
a compliance testing process that exercises the SB aspect of the
requirements.  So while there may be a machine or two slipping through to
market that don't support SB in the required manner, these would be bugs -
and I have every reason to believe Microsoft will be open to bug reports
about them.

The things that are worrying me, and that I therefore think we need to focus
on, are the areas where the Win8 requirements *don't* cover us.

On Fri, Jul 20, 2012 at 11:34:13PM +0100, Steve McIntyre wrote:
 There is also a second part to this puzzle: Microsoft's Secure Boot
 specification.

Nitpick: Secure Boot is part of the UEFI specification; the part here that's
Microsoft's is the policy around how SB is to be used.

 System vendors wanting MS certification for their hardware (i.e.  just
 about all vendors) will be required to ship their hardware with Secure
 Boot enabled by default

Bearing in mind that they're only required to do this for Windows 8
certification.  Some machines may ship with Windows 8 preinstalled, but not
have SB enabled and thus not be certified; some may continue to ship with
Windows 7; some server machines may (at least in the short term) come with
firmware that doesn't implement Secure Boot.

And some vendors may ship with Windows 8 preinstalled but fail the Win8
certification requirements because they've managed to not actually support
disabling SB and/or updating keys.  Small comfort that this will result in
them not being able to use the Windows 8 logo if it means we won't be able
to use the machines at all.

Ironically this last bit means that the Windows 8 logo may wind up being the
*best* indicator of Linux compatibility for UEFI hardware.  Only time will
tell what we see in the market.

 Future UEFI SB changes
 ==

 Comes down to MS certification requirements as to what actually ships.
 Must be possible to disable SecureBoot but will practically be done via
 access to the firmware: usability obstacle.

More than just a practical implementation detail, it's by design that you
will only be able to disable SecureBoot via the firmware.  To allow a UEFI
application to disable SecureBoot for you noninteractively would almost
completely undermine the security model.  Now, I can't actually think of a
way that a UEFI application that *only* disabled SB could be used to
compromise a machine remotely; but it's in the Windows 8 reqs that the
firmware must not allow SB to be disabled programmatically.
(System.Fundamentals.Firmware.UEFISecureBoot 18)

 No clarity on how users can install their own keys, down to particular
 vendor variability.

James Bottomley appears to be addressing this:

  git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git

Provided you can get the machine into setup mode or custom mode in the first
place (which is supposed to be guaranteed by the Win8 reqs), the tools here
should allow you to non-interactively install your own keys without
resorting to the vendor's firmware UI.

  Part of the spec but not necessarily implemented by vendors - best effort
 only and might not work for all.

FWIW, my understanding is that MS's logo compliance testing is expected to
catch this case.

 It is quite possible that one or more OEM's will simply not bother to
 implement the option to disable SecureBoot or put it in but not adequately
 test it.  Current certification requires a switch to be available but no
 requirement for this to be obvious.  Turned off, the machine cannot or may
 not be able dual-boot Windows8 depending if turning it off means switching
 firmware to BIOS compatibility mode or just not cheching the signature
 from EFI.

Hmm, I don't remember this being discussed during the BoF.  I think it's
clear from context that when the Win8 requirements speak of disabling Secure
Boot, they mean not enforcing