SlideShare a Scribd company logo
1 of 48
Download to read offline
Secure Boot
Survival Guide
Gary Lin
Software Engineer – SUSE Labs
glin@suse.com
什麼是 Secure Boot ?
先來談談 UEFI 吧!
UEFI
Hardware
Firmware
Unified Extensible Firmware Interface
OS
Based on http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#mediaviewer/File:Efi-simple.svg
其實就跟 BIOS 一樣
啦!
BIOS 時代
BIOS Bootloader
UEFI 時代
UEFI UEFI Image
UEFI 的 Secure Boot 為
Windows 8 認証的必要
條件
所以說什麼是 Secure Boot ?
鎖
UEFI UEFI Image
Secure Boot
UEFI
Secure Boot
Verified
UEFI Image
?
Bootloader
UEFI
OS
db
db
PK
KEK
db
這些 key 是哪裡來的?
硬體出廠前預先載入的
UEFI
PK
KEK
db
UEFI CA
銅鑼灣只有一個浩南
UEFI 只有一個 CA
Microsoft UEFI CA
UEFI CA Signing Policy
● 入會費 $99
● 送審者需有 EV Certificate (2014/3 起 )
● 只接受產品等級的程式
● 不接受 GPLv3 授權的程式,如 Grub2
http://blogs.msdn.com/b/windows_hardware_certification/archive/2013/12/03/microsoft-uefi-ca-signing-policy-updates.aspx
http://farm3.staticflickr.com/2559/4199675334_66c3e3d61d.jpg
Linux 使用者 / 發行商有
什麼選擇?
方案一
不爽不要用
可是客戶要求 ...
方案二
隔開 UEFI 與 Grub2
shim (Matthew Garret)
PreLoader (James Bottomley)
shim
db
OS Vendor
load
db
AT Var
UEFI load Grub2
Vendor
Kernel
Vendor
AT: Authenticated
但是 ...
使用者還是不能隨意修改
方案二 改
自己的程式自己簽
UEFI Variables
● Authenticated Variable
● Runtime Service Variable
● Boot Service Variable
UEFI Variables
Boot Service Runtime Service Authenticated
UEFI - Read Yes Yes Yes
UEFI - Write Yes Yes Restricted
OS - Read No Yes Yes
OS - Write No Yes Restricted
* 此處指 Non-volatile Variables
Machine Owner Key
shim
db
OS Vendor
MOKList
BS Var
load
db
AT Var
UEFI load Grub2
MOK
Kernel
MOK
AT: Authenticated
BS: Boot Service
Grub2
Vendor
Kernel
MOK
Kernel
Vendor
Grub2
MOK
load load
load
load
load
shim
db
OS Vendor
MOKList
BS Var
mokutil --import
MOKNew
RT Var
Password
shim MokManager
MOKList
BS Var
load
3. verify
4.enroll
reboot
1. request
2.detect
Linux UEFI
RT: Runtime
簽章工具 -- pesign
● 針對 PE-COFF 的簽章工具
● 使用 Mozilla NSS 管理憑證
● 支援多重簽章
pesign 用法
● 初始化資料庫
– $ certutil -N -d certdb
● 載入公私鑰
– $ pk12util -d certdb -i mykey.p12
● 簽章
– $ pesign -n certdb -c mykey -s -i
myloader.efi -o myloader-signed.efi
For more details: http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
使用 shim+MOK 的
distro
● SUSE Enterprise Linux / openSUSE
● Red Hat Enterprise Linux / Fedora
● Ubuntu
● Alt Linux
● more
Secure Boot 不再是
Linux 的問題
我有 Secure Boot 我超強!
Hack In The Box 2014
Setup for Failure: More Ways to
Defeat SecureBoot
http://haxpo.nl/hitb2014ams-kallenberg-cornwell-kovah-butterworth/
Not So Secure
● 某 A 廠沒保護好關鍵的 UEFI
variable
● 某些廠商沒設定好 SPI Flash 的保
護機制
沒有絕對安全的系統
請時常注意安全更新
http://farm3.staticflickr.com/2698/4304968451_677b6a2cb5.jpg
photo credit: Marco Bellucci via photopin
photo credit: J. Star
https://www.flickr.com/photos/jstar/409405305/
References
● UEFI Forum
http://www.uefi.org/
● Wikipedia: UEFI
http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
● Microsoft UEFI CA Signing Policy
http://blogs.msdn.com/b/windows_hardware_certification/archive/2013/12/03/microsoft-uefi-ca-signing-policy-updates.aspx
● Will your computer's "Secure Boot" turn out to be "Restricted Boot"?
http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot
● shim
https://github.com/mjg59/shim
● preloader
http://git.kernel.org/cgit/linux/kernel/git/jejb/efitools.git
● Machine Owner Key
https://www.suse.com/communities/conversations/uefi-secure-boot-details/
● mokutil
https://github.com/lcp/mokutil
● pesign
https://github.com/vathpela/pesign
● Alt Linux UEFI Secure Boot mini-HOWTO
http://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO
Backup
UEFI 的好處
● BSD 開放原碼授權的參考實作 (edk2)
● 以 C 為開發語言
● 多硬體架構支援,如 x86-64, IA-32,
IA-64, ARM, AArch64
● 模組化設計

More Related Content

What's hot

Introduction to Optee (26 may 2016)
Introduction to Optee (26 may 2016)Introduction to Optee (26 may 2016)
Introduction to Optee (26 may 2016)Yannick Gicquel
 
Bootloaders (U-Boot)
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot) Omkar Rane
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Linaro
 
Scripting para Mikrotik - Presentación Nunsys en MUM
Scripting para Mikrotik - Presentación Nunsys en MUMScripting para Mikrotik - Presentación Nunsys en MUM
Scripting para Mikrotik - Presentación Nunsys en MUMNunsys S.L.
 
The Low-Risk Path to Building Autonomous Car Architectures
The Low-Risk Path to Building Autonomous Car ArchitecturesThe Low-Risk Path to Building Autonomous Car Architectures
The Low-Risk Path to Building Autonomous Car ArchitecturesReal-Time Innovations (RTI)
 
linux device driver
linux device driverlinux device driver
linux device driverRahul Batra
 
Kdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisKdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisBuland Singh
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEELinaro
 
Slideshare - linux crypto
Slideshare - linux cryptoSlideshare - linux crypto
Slideshare - linux cryptoJin Wu
 
Uboot startup sequence
Uboot startup sequenceUboot startup sequence
Uboot startup sequenceHoucheng Lin
 
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsProfiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsemBO_Conference
 
Performance Profiling in Rust
Performance Profiling in RustPerformance Profiling in Rust
Performance Profiling in RustInfluxData
 
U Boot or Universal Bootloader
U Boot or Universal BootloaderU Boot or Universal Bootloader
U Boot or Universal BootloaderSatpal Parmar
 
/proc/irq/<irq>/smp_affinity
/proc/irq/<irq>/smp_affinity/proc/irq/<irq>/smp_affinity
/proc/irq/<irq>/smp_affinityTakuya ASADA
 
LCA14: LCA14-418: Testing a secure framework
LCA14: LCA14-418: Testing a secure frameworkLCA14: LCA14-418: Testing a secure framework
LCA14: LCA14-418: Testing a secure frameworkLinaro
 

What's hot (20)

Embedded Operating System - Linux
Embedded Operating System - LinuxEmbedded Operating System - Linux
Embedded Operating System - Linux
 
Introduction to Optee (26 may 2016)
Introduction to Optee (26 may 2016)Introduction to Optee (26 may 2016)
Introduction to Optee (26 may 2016)
 
Bootloaders (U-Boot)
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot)
 
Advanced C - Part 1
Advanced C - Part 1 Advanced C - Part 1
Advanced C - Part 1
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
 
Scripting para Mikrotik - Presentación Nunsys en MUM
Scripting para Mikrotik - Presentación Nunsys en MUMScripting para Mikrotik - Presentación Nunsys en MUM
Scripting para Mikrotik - Presentación Nunsys en MUM
 
Bootloaders
BootloadersBootloaders
Bootloaders
 
The Low-Risk Path to Building Autonomous Car Architectures
The Low-Risk Path to Building Autonomous Car ArchitecturesThe Low-Risk Path to Building Autonomous Car Architectures
The Low-Risk Path to Building Autonomous Car Architectures
 
linux device driver
linux device driverlinux device driver
linux device driver
 
Kdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisKdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysis
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEE
 
Slideshare - linux crypto
Slideshare - linux cryptoSlideshare - linux crypto
Slideshare - linux crypto
 
Uboot startup sequence
Uboot startup sequenceUboot startup sequence
Uboot startup sequence
 
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsProfiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf Tools
 
Performance Profiling in Rust
Performance Profiling in RustPerformance Profiling in Rust
Performance Profiling in Rust
 
Linux systems - Getting started with setting up and embedded platform
Linux systems - Getting started with setting up and embedded platformLinux systems - Getting started with setting up and embedded platform
Linux systems - Getting started with setting up and embedded platform
 
U Boot or Universal Bootloader
U Boot or Universal BootloaderU Boot or Universal Bootloader
U Boot or Universal Bootloader
 
/proc/irq/<irq>/smp_affinity
/proc/irq/<irq>/smp_affinity/proc/irq/<irq>/smp_affinity
/proc/irq/<irq>/smp_affinity
 
Audio Drivers
Audio DriversAudio Drivers
Audio Drivers
 
LCA14: LCA14-418: Testing a secure framework
LCA14: LCA14-418: Testing a secure frameworkLCA14: LCA14-418: Testing a secure framework
LCA14: LCA14-418: Testing a secure framework
 

Similar to Secureboot Survival Guide

2, installation
2, installation2, installation
2, installationted-xu
 
Configuration tutorial for pytorch environment under windows.pdf
Configuration tutorial for pytorch environment under windows.pdfConfiguration tutorial for pytorch environment under windows.pdf
Configuration tutorial for pytorch environment under windows.pdfshuaihaohan135
 
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...裝機安 Angelo
 
使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理Jason Zheng
 
使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理haiyuan ning
 
GNU Build System
GNU Build SystemGNU Build System
GNU Build Systemimacat .
 
讓 Asp.net 在 raspberry pi 上飛
讓 Asp.net 在 raspberry pi 上飛讓 Asp.net 在 raspberry pi 上飛
讓 Asp.net 在 raspberry pi 上飛dplayerd
 
Con t532-基于 windows 7 的硬件设备安装体验-richie fang
Con t532-基于 windows 7 的硬件设备安装体验-richie fangCon t532-基于 windows 7 的硬件设备安装体验-richie fang
Con t532-基于 windows 7 的硬件设备安装体验-richie fangsirensings
 
Raspberry pi 基本操作
Raspberry pi 基本操作Raspberry pi 基本操作
Raspberry pi 基本操作艾鍗科技
 
使用 Load Balancer 與 Redis 部署 LAMP Server 高併發架構 - Global Azure Taiwan 20200425 ...
使用 Load Balancer 與 Redis 部署 LAMP Server 高併發架構 - Global Azure Taiwan 20200425 ...使用 Load Balancer 與 Redis 部署 LAMP Server 高併發架構 - Global Azure Taiwan 20200425 ...
使用 Load Balancer 與 Redis 部署 LAMP Server 高併發架構 - Global Azure Taiwan 20200425 ...Laird Cheng
 
[精彩回顾]Linux新手教程
[精彩回顾]Linux新手教程[精彩回顾]Linux新手教程
[精彩回顾]Linux新手教程NJU OPEN
 
Nagios的安装部署和与cacti的整合(linuxtone)
Nagios的安装部署和与cacti的整合(linuxtone)Nagios的安装部署和与cacti的整合(linuxtone)
Nagios的安装部署和与cacti的整合(linuxtone)Yiwei Ma
 
用 Drone 打造 輕量級容器持續交付平台
用 Drone 打造輕量級容器持續交付平台用 Drone 打造輕量級容器持續交付平台
用 Drone 打造 輕量級容器持續交付平台Bo-Yi Wu
 
Docker tutorial
Docker tutorialDocker tutorial
Docker tutorialazole Lai
 
GNU Autoconf / Automake #1
GNU Autoconf / Automake #1GNU Autoconf / Automake #1
GNU Autoconf / Automake #1imacat .
 
烏托邦教學 簡易硬體維修
烏托邦教學 簡易硬體維修烏托邦教學 簡易硬體維修
烏托邦教學 簡易硬體維修TanYuDe
 
尚观Linux研究室 linux驱动程序全解析
尚观Linux研究室   linux驱动程序全解析尚观Linux研究室   linux驱动程序全解析
尚观Linux研究室 linux驱动程序全解析hangejnu
 
運用 Docker 整合 Laravel 提升團隊開發效率
運用 Docker 整合 Laravel 提升團隊開發效率運用 Docker 整合 Laravel 提升團隊開發效率
運用 Docker 整合 Laravel 提升團隊開發效率Bo-Yi Wu
 
Proxmox VE 功能概觀、案例分享與實用工具 [2019/12/07] @Proxmox VE 中文使用者社團 2019 年會
Proxmox VE 功能概觀、案例分享與實用工具 [2019/12/07] @Proxmox VE 中文使用者社團 2019 年會Proxmox VE 功能概觀、案例分享與實用工具 [2019/12/07] @Proxmox VE 中文使用者社團 2019 年會
Proxmox VE 功能概觀、案例分享與實用工具 [2019/12/07] @Proxmox VE 中文使用者社團 2019 年會Jason Cheng
 

Similar to Secureboot Survival Guide (20)

2, installation
2, installation2, installation
2, installation
 
Configuration tutorial for pytorch environment under windows.pdf
Configuration tutorial for pytorch environment under windows.pdfConfiguration tutorial for pytorch environment under windows.pdf
Configuration tutorial for pytorch environment under windows.pdf
 
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
 
使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理
 
使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理使用Rpm&yum进行基础软件管理
使用Rpm&yum进行基础软件管理
 
GNU Build System
GNU Build SystemGNU Build System
GNU Build System
 
讓 Asp.net 在 raspberry pi 上飛
讓 Asp.net 在 raspberry pi 上飛讓 Asp.net 在 raspberry pi 上飛
讓 Asp.net 在 raspberry pi 上飛
 
Con t532-基于 windows 7 的硬件设备安装体验-richie fang
Con t532-基于 windows 7 的硬件设备安装体验-richie fangCon t532-基于 windows 7 的硬件设备安装体验-richie fang
Con t532-基于 windows 7 的硬件设备安装体验-richie fang
 
玩转Windows
玩转Windows玩转Windows
玩转Windows
 
Raspberry pi 基本操作
Raspberry pi 基本操作Raspberry pi 基本操作
Raspberry pi 基本操作
 
使用 Load Balancer 與 Redis 部署 LAMP Server 高併發架構 - Global Azure Taiwan 20200425 ...
使用 Load Balancer 與 Redis 部署 LAMP Server 高併發架構 - Global Azure Taiwan 20200425 ...使用 Load Balancer 與 Redis 部署 LAMP Server 高併發架構 - Global Azure Taiwan 20200425 ...
使用 Load Balancer 與 Redis 部署 LAMP Server 高併發架構 - Global Azure Taiwan 20200425 ...
 
[精彩回顾]Linux新手教程
[精彩回顾]Linux新手教程[精彩回顾]Linux新手教程
[精彩回顾]Linux新手教程
 
Nagios的安装部署和与cacti的整合(linuxtone)
Nagios的安装部署和与cacti的整合(linuxtone)Nagios的安装部署和与cacti的整合(linuxtone)
Nagios的安装部署和与cacti的整合(linuxtone)
 
用 Drone 打造 輕量級容器持續交付平台
用 Drone 打造輕量級容器持續交付平台用 Drone 打造輕量級容器持續交付平台
用 Drone 打造 輕量級容器持續交付平台
 
Docker tutorial
Docker tutorialDocker tutorial
Docker tutorial
 
GNU Autoconf / Automake #1
GNU Autoconf / Automake #1GNU Autoconf / Automake #1
GNU Autoconf / Automake #1
 
烏托邦教學 簡易硬體維修
烏托邦教學 簡易硬體維修烏托邦教學 簡易硬體維修
烏托邦教學 簡易硬體維修
 
尚观Linux研究室 linux驱动程序全解析
尚观Linux研究室   linux驱动程序全解析尚观Linux研究室   linux驱动程序全解析
尚观Linux研究室 linux驱动程序全解析
 
運用 Docker 整合 Laravel 提升團隊開發效率
運用 Docker 整合 Laravel 提升團隊開發效率運用 Docker 整合 Laravel 提升團隊開發效率
運用 Docker 整合 Laravel 提升團隊開發效率
 
Proxmox VE 功能概觀、案例分享與實用工具 [2019/12/07] @Proxmox VE 中文使用者社團 2019 年會
Proxmox VE 功能概觀、案例分享與實用工具 [2019/12/07] @Proxmox VE 中文使用者社團 2019 年會Proxmox VE 功能概觀、案例分享與實用工具 [2019/12/07] @Proxmox VE 中文使用者社團 2019 年會
Proxmox VE 功能概觀、案例分享與實用工具 [2019/12/07] @Proxmox VE 中文使用者社團 2019 年會
 

Secureboot Survival Guide