Secure Boot
Survival Guide
Gary Lin
Software Engineer – SUSE Labs
glin@suse.com
Slides for COSCUP 2014


  1. Secure Boot Survival Guide. Gary Lin, Software Engineer – SUSE Labs, glin@suse.com
  2. What is Secure Boot?
  3. Let's talk about UEFI first!
  4. UEFI [Diagram labels: Hardware, Firmware, Unified Extensible Firmware Interface, OS]. Based on http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#mediaviewer/File:Efi-simple.svg
  5. It's really just the same as BIOS!
  6. BIOS era [Diagram labels: BIOS, Bootloader]
  7. UEFI era [Diagram labels: UEFI, UEFI Image]
  8. UEFI Secure Boot is a required condition for Windows 8 certification
  9. So what exactly is Secure Boot?
  10. A lock
  11. [Diagram labels: UEFI, UEFI Image, Secure Boot, UEFI, Secure Boot, Verified, UEFI Image, ?]
  12. [Diagram labels: Bootloader, UEFI, OS, db, db, PK, KEK, db]
  13. Where do these keys come from?
  14. They are preloaded before the hardware leaves the factory
  15. [Diagram labels: UEFI, PK, KEK, db, UEFI CA]
  16. There is only one Ho-nam in Causeway Bay
  17. UEFI has only one CA
  18. Microsoft UEFI CA
  19. UEFI CA Signing Policy
     ● Membership fee: $99
     ● Submitters must hold an EV Certificate (from 2014/3)
     ● Only production-grade programs are accepted
     ● Programs licensed under GPLv3, such as Grub2, are not accepted
     http://blogs.msdn.com/b/windows_hardware_certification/archive/2013/12/03/microsoft-uefi-ca-signing-policy-updates.aspx
  20. http://farm3.staticflickr.com/2559/4199675334_66c3e3d61d.jpg
  21. What options do Linux users / distributors have?
  22. Option 1: If you don't like it, don't use it
  23. But customers require it ...
  24. Option 2: Separate UEFI from Grub2
  25. shim (Matthew Garrett), PreLoader (James Bottomley)
  26. [Diagram labels: shim, db, OS Vendor, load, db, AT Var, UEFI, load, Grub2, Vendor, Kernel, Vendor] AT: Authenticated
  27. But ...
  28. Users still cannot modify things freely
  29. Option 2, revised: Sign your own programs yourself
  30. UEFI Variables
     ● Authenticated Variable
     ● Runtime Service Variable
     ● Boot Service Variable
  31. UEFI Variables

                      Boot Service   Runtime Service   Authenticated
     UEFI - Read      Yes            Yes               Yes
     UEFI - Write     Yes            Yes               Restricted
     OS - Read        No             Yes               Yes
     OS - Write       No             Yes               Restricted

     * This refers to non-volatile variables
  32. Machine Owner Key
  33. [Diagram labels: shim, db, OS Vendor, MOKList, BS Var, load, db, AT Var, UEFI, load, Grub2, MOK, Kernel, MOK] AT: Authenticated, BS: Boot Service
  34. [Diagram labels: Grub2, Vendor, Kernel, MOK, Kernel, Vendor, Grub2, MOK, load, load, load, load, load, shim, db, OS Vendor, MOKList, BS Var]
  35. [Diagram labels: mokutil --import, MOKNew, RT Var, Password, shim, MokManager, MOKList, BS Var, load, reboot, Linux, UEFI; steps: 1. request, 2. detect, 3. verify, 4. enroll] RT: Runtime
  36. Signing tool -- pesign
     ● A signing tool for PE-COFF
     ● Uses Mozilla NSS to manage certificates
     ● Supports multiple signatures
  37. pesign usage
     ● Initialize the database
       – $ certutil -N -d certdb
     ● Import the public/private key pair
       – $ pk12util -d certdb -i mykey.p12
     ● Sign
       – $ pesign -n certdb -c mykey -s -i myloader.efi -o myloader-signed.efi
     For more details: http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
  38. Distros using shim+MOK
     ● SUSE Enterprise Linux / openSUSE
     ● Red Hat Enterprise Linux / Fedora
     ● Ubuntu
     ● Alt Linux
     ● more
  39. Secure Boot is no longer a problem for Linux
  40. I have Secure Boot, I'm invincible!
  41. Hack In The Box 2014. Setup for Failure: More Ways to Defeat SecureBoot. http://haxpo.nl/hitb2014ams-kallenberg-cornwell-kovah-butterworth/
  42. Not So Secure
     ● A certain vendor A did not properly protect a critical UEFI variable
     ● Some vendors did not properly configure the SPI Flash protection mechanisms
  43. No system is absolutely secure. Keep an eye on security updates.
  44. http://farm3.staticflickr.com/2698/4304968451_677b6a2cb5.jpg photo credit: Marco Bellucci via photopin
  45. photo credit: J. Star https://www.flickr.com/photos/jstar/409405305/
  46. References
     ● UEFI Forum http://www.uefi.org/
     ● Wikipedia: UEFI http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
     ● Microsoft UEFI CA Signing Policy http://blogs.msdn.com/b/windows_hardware_certification/archive/2013/12/03/microsoft-uefi-ca-signing-policy-updates.aspx
     ● Will your computer's "Secure Boot" turn out to be "Restricted Boot"? http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot
     ● shim https://github.com/mjg59/shim
     ● preloader http://git.kernel.org/cgit/linux/kernel/git/jejb/efitools.git
     ● Machine Owner Key https://www.suse.com/communities/conversations/uefi-secure-boot-details/
     ● mokutil https://github.com/lcp/mokutil
     ● pesign https://github.com/vathpela/pesign
     ● Alt Linux UEFI Secure Boot mini-HOWTO http://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO
  47. Backup
  48. Benefits of UEFI
     ● Reference implementation under a BSD open-source license (edk2)
     ● C as the development language
     ● Support for multiple hardware architectures, such as x86-64, IA-32, IA-64, ARM, AArch64
     ● Modular design
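
The access table on slide 31 and the variable classes shown on slides 33 and 35 (db as AT, MOKList as BS, MOKNew as RT) can be checked from a variable's attribute word. The Python below is an added example, not code from the slides or from shim: the variable names follow the slides' labels, the blobs are constructed samples, and the layout assumed (a 4-byte little-endian attribute word followed by the data) is the one Linux efivarfs exposes.

```python
import struct

# Attribute bits defined by the UEFI specification.
NON_VOLATILE = 0x01
BOOTSERVICE_ACCESS = 0x02
RUNTIME_ACCESS = 0x04
AUTH_WRITE = 0x10 | 0x20  # count-based (deprecated) and time-based authenticated write

# Class each variable should have according to the slides (assumed names).
EXPECTED = {"db": "Authenticated", "MOKList": "Boot Service", "MOKNew": "Runtime Service"}

def classify(blob: bytes) -> dict:
    """Decode a blob (attribute word + data) into the slide-31 table columns."""
    if len(blob) < 4:
        raise ValueError("blob too short to hold the attribute word")
    (attrs,) = struct.unpack_from("<I", blob)
    runtime = bool(attrs & RUNTIME_ACCESS)
    auth = bool(attrs & AUTH_WRITE)
    if auth:
        kind = "Authenticated"
    elif runtime:
        kind = "Runtime Service"
    elif attrs & BOOTSERVICE_ACCESS:
        kind = "Boot Service"
    else:
        kind = "Unknown"
    # After ExitBootServices the OS can only reach variables with RUNTIME_ACCESS.
    os_read = "Yes" if runtime else "No"
    os_write = "No" if not runtime else ("Restricted" if auth else "Yes")
    return {"kind": kind, "os_read": os_read, "os_write": os_write,
            "non_volatile": bool(attrs & NON_VOLATILE)}

def audit(variables: dict) -> list:
    """Return one finding per variable whose class differs from the slides' design."""
    findings = []
    for name, want in EXPECTED.items():
        if name in variables:
            got = classify(variables[name])["kind"]
            if got != want:
                findings.append(f"{name}: expected {want}, found {got}")
    return findings

# Constructed sample blobs (attribute word + dummy payload), not real firmware data.
SAMPLE = {
    "db": struct.pack("<I", 0x27) + b"\x00",       # NV | BS | RT | time-based auth
    "MOKList": struct.pack("<I", 0x03) + b"\x00",  # NV | BS: invisible to the OS
    "MOKNew": struct.pack("<I", 0x07) + b"\x00",   # NV | BS | RT: request from the OS
}
TAMPERED = dict(SAMPLE, MOKList=struct.pack("<I", 0x07) + b"\x00")  # RT bit set
```

`audit(SAMPLE)` returns no findings, while `audit(TAMPERED)` flags a MOKList that carries the runtime bit and is therefore writable from the OS.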