| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 Aug 2022 12:52:58 +0930
From: Brendan Trotter <btrotter@...il.com>
To: Matthew Garrett <mjg59@...f.ucam.org>
Cc: The development of GNU GRUB <grub-devel@....org>,
Ard Biesheuvel <ardb@...nel.org>,
Daniel Kiper <daniel.kiper@...cle.com>,
Alec Brown <alec.r.brown@...cle.com>,
Kanth Ghatraju <kanth.ghatraju@...cle.com>,
Ross Philipson <ross.philipson@...cle.com>,
"piotr.krol@...eb.com" <piotr.krol@...eb.com>,
"krystian.hebel@...eb.com" <krystian.hebel@...eb.com>,
"persaur@...il.com" <persaur@...il.com>,
"Yoder, Stuart" <stuart.yoder@....com>,
Andrew Cooper <andrew.cooper3@...rix.com>,
"michal.zygowski@...eb.com" <michal.zygowski@...eb.com>,
James Bottomley <James.Bottomley@...senpartnership.com>,
"lukasz@...rylko.pl" <lukasz@...rylko.pl>,
linux-efi@...r.kernel.org, linux-kernel@...r.kernel.org,
James Morris <jmorris@...ei.org>
Subject: Re: Linux DRTM on UEFI platforms
Hi,
On Fri, Aug 12, 2022 at 3:55 AM Matthew Garrett <mjg59@...f.ucam.org> wrote:
> On Thu, Aug 11, 2022 at 07:25:58PM +0930, Brendan Trotter wrote:
> > On Thu, Aug 11, 2022 at 3:16 AM Matthew Garrett <mjg59@...f.ucam.org> wrote:
> > > The kernel has no way to know this - *any* code you've run before
> > > performing a measurement could tamper with the kernel such that it
> > > believes it's fine. This is just as true in DRTM as it is in SRTM. But
> > > you know what the expected measurements should be, so you're able to
> > > either seal secrets to those PCR values or rely on remote attestation.
> >
> > In this scenario the kernel has no idea what the measurement should
> > be, it only knows the measurement that a potentially malicious boot
> > loader felt like giving the kernel previously (e.g. when the kernel
> > was installed).
>
> Even if the kernel has an idea of what the measurement should be, it has
> no way to verify that what it believes to be true is true - any
> malicious code could simply have modified the kernel to believe that
> anything it asks the TPM returns the "correct" answer.
Right. To achieve the best possible security; you'd need Secure Boot
to ensure that the kernel itself wasn't modified, and then the kernel
establishes a dynamic root of trust itself.
Anything involving a boot loader (e.g. Secure Boot ensure's boot
loader wasn't modified, then boot loader ensure's kernel wasn't
modified, then ....) increases the attack surface for no benefit.
> > > Measurements are not opaque objects. If you're not able to reconstruct
> > > the expected measurement then you're doing it wrong.
> >
> > OK; so to detect if boot loader has always given kernel a bad/forged
> > measurement; the kernel repeats all of the steps involved in creating
> > the measurement itself exactly the same as the boot loader should have
> > (but might not have) so that kernel can compare a "known
> > good/trustworthy" measurement with the useless measurement that the
> > boot loader created for no sane reason whatsoever?
>
> No, some external agent does. Code running on the local machine can
> never determine whether the machine is trustworthy.
This part of the conversation evolved from "there's no way for kernel
to detect a MiTM boot loader (that provides a bad/forged
measurement)".
I'm not convinced an external agent can detect "bad/forged
measurement" either. E.g. if a MiTM boot loader always provided a
bad/forged measurement the external agent won't detect it (as the
measurement always matches the expected measurement), and then if the
MiTM boot loader is replaced by a good/honest boot loader the external
agent will decide that the good/honest boot loader is malicious
because its measurement doesn't match the expected bad/forged
measurement.
- Brendan
Powered by blists - more mailing lists