Secure Boot Ecosystem Challenges

Portland Linux User Group October 4, 2012

Secure Boot Ecosystem Challenges Vincent Zimmer

Usual disclaimer: These foils and opinions are mine and not necessarily those of my employer

Really?

http://www.fsf.org/news/fsf-announces-winner-of-restricted-boot-webcomic-contest

INTEL CONFIDENTIAL

2012 Intel Firmware Summit

Who am I? I’m ‘not’ Mark Doran

• Original person tapped for this talk
• Lead Intel UEFI architect
• Pres of UEFI Forum
• USWG chair
• PIWG chair

Mark stuck in jury duty this week, so…..

Who am I? Vincent Zimmer

• Principal Engineer at Intel
• Industry since 1992
• Intel since 1997
• Chair of UEFI network subteam
• Chair of UEFI PI security subteam
• More – sites.google.com/site/vincentzimmer/

What is UEFI? UEFI Platform Initialization Overview

[Figure: UEFI PI Scope - Green “H”. Labels: OS (UEFI or Today’s), Pre-boot Tools, UEFI Specification, Platform Drivers, Silicon Component Modules, PEI/DXE PI Foundation, Modular components, Hardware]

[Figure: Full system stack (user -> hardware): Human User, GUI, Application, Libraries, Drivers, Network, OS, Firmware, Hardware]

• UEFI 2.3.1 specifies how firmware boots OS loader
• UEFI’s Platform Initialization (PI) 1.2 Architecture specifies how Driver Execution Environment (DXE) Drivers and Pre-EFI Initialization (PEI) Modules (PEIMs) initialize SI and the platform
• DXE is preferred UEFI Implementation
• PEIMs, UEFI and DXE drivers implement networking, Update, other security features

UEFI / PI is a type of BIOS

BIOS – aka the Rodney Dangerfield of Software: “No respect”

http://www.noethics.net/News/index.php?option=com_content&view=article&id=1923:todaysrodney-dangerfieldaward-winner-isnewtgingrich&catid=121:rodney-dangerfieldawardwinners&Itemid=96

How to build it? UDK2010

Intel® UEFI Development Kit 2010 (Intel® UDK2010)

Industry Standards Compliance
• UEFI 2.0, UEFI 2.1, UEFI 2.2, UEFI 2.3; PI 1.0, PI 1.1, PI 1.2

Extensible Foundation for Advanced Capabilities
• Pre-OS Security
• Rich Networking
• Manageability

Support for UEFI Packages
• Import/export modules source/binaries to many build systems

Maximize Re-use of Source Code**
• Platform Configuration Database (PCD) provides “knobs” for binaries
• ECP provides for reuse of EDK1117 (EDK I) modules
• Improved modularity, library classes and instances
• Optimize for size or speed

Multiple Development Environments and Tool Chains**
• Windows, Linux, OSX
• VS2003, VS2005, WinDDK, Intel, GCC

Fast and Flexible Build Infrastructure**
• 4X+ Build Performance Improvement (vs EDKI)
• Targeted Module Build Flexibility

Maximize the open source at www.tianocore.org

** benefit of EDK II codebase

Specification & Tianocore.org Timeline

[Figure: timeline from 2006 to 2011 with two rows, Specifications (http://uefi.org) and Implementation (http://tianocore.org, SourceForge.net). Entries shown: UEFI 2.0, UEFI 2.1, UEFI 2.2, UEFI 2.3, UEFI 2.3.1; PI 1.0, PI 1.1, PI 1.2; Packaging 1.0; Shell 2.0; SCT UEFI 2.0, SCT UEFI 2.1, SCT UEFI 2.3; EDK 1.01: UEFI 2.0; EDK 1.04: UEFI 2.1; EDK 1.06: UEFI 2.1+; EDK II*: UEFI 2.1+; UDK2010: UEFI 2.3; UDK2010.SRx: UEFI 2.3.1+, PI 1.2+]

All products, dates, and programs are based on current expectations and subject to change without notice.

Overview of the UEFI Boot Process

[Figure: layered diagram. OPERATING SYSTEM; UEFI OS LOADER; UEFI API; UEFI BOOT SERVICES (Timer, Memory, Boot Devices, UEFI/PI Drivers, Protocols + Handlers); UEFI RUNTIME SERVICES; PLATFORM SPECIFIC FIRMWARE; PLATFORM HARDWARE: System ROM (SPI) with UEFI Drivers, Option ROMs with UEFI Drivers, UEFI SYSTEM PARTITION with UEFI OS Loader, OS PARTITION]

Typical OS Loader Scenario for UEFI

One GPT disk partition is FAT32 (service partition)

OS installer puts the loader on the service partition
• Under /EFI/BOOT or /EFI/osname directory
• Ex: /efi/boot/bootx64.efi, /efi/ubuntu/grubx64.efi

NVRAM (Bootxxxx) has a device path to OS loader
• Maps to specific device, GUID partition & filename

[Figure: GPT DISK containing a FAT32 partition (/EFI/BOOT/OS-loader.efi), Xyz partition (OS) and Reserved partition. Caption: OS Loader as a UEFI executable]

Advantages of UEFI Boot Process

Extensible across multiple boot devices
• SATA, SAS, USB, PXE/iSCSI (IPv4/IPv6), …

Supports multi-boot operations
• Multi-boot loaders w/o MBR chain-loading
• UEFI Forum reserves directories to avoid collisions
• Use /efi/boot directory for removable media

Device path stored in boot options (NVRAM)
• Pointer to specific boot device

Boot image can be validated when loaded
• Allows firmware loader to perform security checks

What problem are we solving?

(more importantly, what problems we are not solving w/ this technology)

[Figure: UEFI/PI boot phases from Power on to Shutdown: Security (SEC), Pre EFI Initialization (PEI), Driver Execution Environment (DXE), Boot Dev Select (BDS), Transient System Load (TSL), Run Time (RT). Brackets: "Platform initialization", "OS boot". Components shown: PEI Core; CPU Init, Chipset Init, Board Init; EFI Driver Dispatcher; Architectural Protocols; Device, Bus, or Service Driver; Boot Manager; Transient OS Boot Loader; OS-Absent App; UEFI Shell; Final OS Boot Loader; OS-Present App; Final OS Environment. Annotations: "Startup for PM_AUTH", "Interfaces && Boundary", "OEM/PM Extensible", "3rd party extensible"]

Why

Pressure on BIOS

• Industry requirements (ex. UEFI 2.3.1+ Ch 27, TCG)
• Government requirements (ex: US NIST SP800-147)
• Product dvlp requirements (ex. SDL)
• Customers requiring security (ex. US DoD, Corporate IT)
• Malware (ex. Chernobyl, 2000 Bootkits, 2011 etc)
• Researchers (ex. Invisible Things Lab BMP attacks 2004)

Where are we (BIOS / UEFI firmware)?

[Figure: platform stack. Layers shown: App, OS, VM; VMM / Hypervisor; SMM / BIOS (UEFI + PI SMM); CPU, Memory, Peripherals, DMA. Side labels: Privilege, Firmware, Hardware, Platform]

• BIOS & OS/VMM share access, but not trust
• Hypervisor can grant VM direct hardware access
• A specific Peripheral may have its own processor, and its own firmware, which is undetectable by host CPU/OS.

Why

Why use UEFI Secure Boot

Without: Possible corrupted or destroyed data
• BootKit virus – MBR Rootkits
• Network boot attacks e.g. PXESPLOIT
• Code Injection Attacks

With: Data integrity
• Trusted boot to OS
• Trusted drivers
• Trusted Applications

What

What is Security from BIOS Perspective

Secure Boot - UEFI
• Defined a policy for Image loading
• Cryptographically signed
  – Private key at signing server
  – Public key in platform

Measured Boot - Trusted Computing Group (TCG)
• Trusted Platform Module (TPM)
  – Isolated storage and execution for Logging changes, attestation

NIST 800-147 - Security Guidelines for System BIOS Implementations

What

UEFI Secure Boot VS TCG Trusted Boot

UEFI Secure Boot: UEFI authenticates OS loader (pub key and policy)
• UEFI Secure boot will stop platform boot if signature not valid (OEM to provide remediation capability)
• UEFI will require remediation mechanisms if boot fails

TCG Trusted Boot: UEFI PI will measure OS loader & UEFI drivers into iTPM PCR (Platform Configuration Register)
• TCG Trusted boot will never fail
• Incumbent upon other SW to make security decision using attestation

[Figure: UEFI Firmware, UEFI OS Ldr, Drivers, Kernel, Apps and TPM; arrows labelled "Check signature of before loading" and "record in PCR"]

What

NIST Implementation Requirements

Make sure UEFI PI code is protected

The NIST BIOS Protection Guidelines break down to three basic requirements…
1. The BIOS must be protected
2. BIOS updates must be signed
3. BIOS protection cannot be bypassed

What

UEFI Secure Boot Goals

Local verification. Complements measured boot

• Allow the platform owner to check the integrity and security of a given UEFI image ensuring that the image is only loaded in an approved manner.
• Allow the platform owner to manage the platform’s security policy as defined by the UEFI Secure Boot authenticated variables

UEFI Image (driver & application/OS loader) Signing

Why? – Origin & Integrity
How? – Authenticode PE/COFF

[Figure: PE Image layout: PE Header, Certificate Directory, Section 1 …… Section N, Attribute Certificate Table. The Attribute Certificate Table entry carries a Type and a Certificate. The Certificate is PKCS#7 + Authenticode Ext: ContentInfo (PE file hash), Certificate (X.509 Certificate), SignInfo (Signed hash of ContentInfo)]

UEFI Authenticated Variable

Why? – Integrity (no confidentiality)
How? – Time Based Authenticated Variable

[Figure: Input Variable Data consists of Authentication (Time Stamp, Type, Certificate) and Data Content. The Certificate is PKCS#7: ContentInfo (N/A), Certificate (X.509 Certificate), SignInfo (Signed hash of VariableName + VariableGuid + Attributes + TimeStamp + DataContent)]

Authenticated Variables

Secure Boot’s Authenticated Variables

Key/DB Name (Variable): Details
• PkPub (PK): OEM and Platform FW - format is RSA-2048
• Key Exchange Key (KEK): Platform FW and OS - format is RSA-2048
• Authorized Signature DB (DB): Authorized Signing certificates - white list
• Forbidden Signature DB (DBX): Unauthorized Signing certificates - Black list
• Setup Mode (SetupMode):
  – NULL - Secure Boot not supported
  – 0 - PK is enrolled - in user mode. User mode requires authentication
  – 1 - Platform is in Setup mode - no PK enrolled
• Secure Boot (SecureBoot): 1 - Platform in Secure boot mode

UEFI Secure Boot Flow

Authorization Flow

1. Enroll: Authenticated Variable (PK, KEK, db Certificate, dbx Certificate)
2A. Signed Image Discover: OpRom.efi (Certificate + SignInfo), OsLoader.efi (Certificate + SignInfo)
2B. Signature Verification: Image Verify against the Variable
2C. Signed Image Load, and measure into TPM

[Figure: the steps above drawn across PEI FV and DXE FV]

Relevant open source software packages/routines for Authorization flow

MdeModulePkg
  LoadImage Boot Service
    gBS->LoadImage
    CoreLoadImage()

MdePkg
  BasePeCoffLib
    PeCoffLoaderGetImageInfo()

EFI_SECURITY_ARCH_PROTOCOL
  SecurityStubDxe
    SecurityStubAuthenticateState()
  DxeSecurityManagementLib
    RegisterSecurityHandler()
    ExecuteSecurityHandlers()

SecurityPkg
  DxeImageVerificationLib
    DxeImageVerificationHandler()
    HashPeImage()
    HashPeImageByType()
    VerifyWinCertificateForPkcsSignedData()
    DxeImageVerificationLibImageRead()
    IsSignatureFoundInDatabase()
    IsPkcsSignedDataVerifiedBySignatureList()
    VerifyCertPkcsSignedData()

Authenticated Variables
  gRT->GetVariable

CryptoPkg
  BaseCryptLib
    Sha256Init()
    Sha256Update()
    Sha256Final()
    Sha256GetContextSize()
    AuthenticodeVerify()
    Pkcs7Verify()
    WrapPkcs7Data()
  OpenSslLib
    Openssl-0.9.8w
  IntrinsicLib

See Rosenbaum, Zimmer, "A Tour Beyond BIOS into UEFI Secure Boot," for more details

Put them all together: UEFI Secure Boot

Custom Mode. Edit keys on x86

Enable Secure Boot

End user controls - Custom Secure Boot Options

Enrolling DB and/or DBX for physically present user

Disable Secure Boot

1. Select Custom Secure Boot Options
2. Select PK Options
3. Delete Pk (space bar)
4. Reset

Technologies – putting it together

[Figure: assets, threats and technologies, starting at Reset. Note on the figure: "Different colors for different vendors"]

Assets and threats
• BIOS Flash (System BIOS: DXE, SMM, UEFI Core): ROM Swap, Bit rot, Erase flash part, Overwrite flash part
• Option ROMs (BIOS device drivers): Erase op ROM, Overwrite op ROM
• Network Boot (IPv6 for the cloud): Network attacks
• OS Boot loader (BIOS loads the OS; to BIOS, Hv/VMM is an OS): Spoof boot loader

Technologies named in the figure: NIST SP800-147, Recovery; UEFI 2.3.1; H/W Spec; TCG Measurements into PCRs 0..7

Linux solutions – from Sept Intel Dev Forum


Ubuntu – Jeremy Kerr

Ubuntu* Implementation

[Figure legend: Microsoft* UEFI CA certificate; Signature generated from Microsoft UEFI CA; Ubuntu* CA certificate; Signature generated from Ubuntu CA]

Fedora – Matthew Garrett

Fedora* Implementation

[Figure legend: Microsoft* UEFI CA certificate; Signature generated from Microsoft UEFI CA; Fedora* CA certificate; Signature generated from Fedora CA]

Fedora - cont.

Fedora* Implementation
• Bootloader shim allows compatibility with Microsoft* UEFI CA
• All kernel-level code is signed
• Bootloader images will be signed during build. Will only boot signed kernels.

SuSE

SUSE* Approach to UEFI Secure Boot
• We need to balance two goals
  – Improving Enterprise security by adopting Secure Boot
  – Reconcile Secure Boot with Linux developer community need to run own boot loader/kernel
• Aiming to support Secure Boot in SLE11 SP3* and openSUSE*
• Working with Linux* community and other vendors
• Building on the shim loader created by Matthew Garrett
• Extending it to allow machine owner to securely boot other kernels

Challenges
– Multi-OS support, GPL3 & Open source
– Firmware size – open source & crypto libs
– Speed impacts
– Consistency w/ other ‘security’ technologies in platform
– Robustness
  – Coding practice
  – Protected updates
  – Recovery
– Validation
  – Negative testing
  – Fuzzing
– Interoperability of different implementations

Summary
• Threats of UEFI extensibility are real
• Address w/ open standards and open source
• Secure boot is coming w/ next OS wave (and like longevity of any shrinkwrap OS release, will continue for 10 yrs)
• Challenges in ecosystem enabling

For more information - UEFI Secure Boot

• Intel Technology Journal, Volume 15, Issue 1, 2011, UEFI Today: Bootstrapping the Continuum, UEFI Networking and Pre-OS Security, page 80 at http://www.intel.com/technology/itj/2011/v15i1/pdfs/Intel-Technology-Journal-Volume15-Issue-1-2011.pdf
• Rosenbaum, Zimmer, "A Tour Beyond BIOS into UEFI Secure Boot," Intel Corporation, July 2012, http://sourceforge.net/projects/edk2/files/General%20Documentation/A_Tour_Beyond_BIOS_into_UEFI_Secure_Boot_White_Paper.pdf/download
• Sections 7.2 (Variable Services) and Sections 27.2 through 27.8 (Secure Boot) of the UEFI 2.3.1 specification at www.uefi.org
• Beyond BIOS: Developing with the Unified Extensible Firmware Interface, 2nd Edition, Zimmer, et al, ISBN 13 978-1-934053-29-4, Chapter 10 – Platform Security and Trust, http://www.intel.com/intelpress
• “Hardening the Attack Surfaces,” MSFT 2012 UEFI Plugfest, http://www.uefi.org/learning_center/UEFI_Plugfest_2012Q1_Microsoft_AttackSurface.pdf
• “Building hardware-based security with a TPM” MSFT BUILD, http://channel9.msdn.com/Events/BUILD/BUILD2011/HW-462T
• Matthew Garrett’s various blogs, http://mjg59.livejournal.com/

UEFI Industry Resources
• UEFI Forum: www.uefi.org
• Intel EBC Compiler: http://software.intel.com/en-us/articles/intel-c-compiler-for-efi-byte-code-purchase/
• UEFI Open Source: www.tianocore.org
• Intel UEFI Resources: www.intel.com/UDK
• UEFI Books/ Collateral: www.intel.com/intelpress, http://www.intel.com/technology/itj/2011/v15i1/index.htm

PLUG

Thank You Contact: [email protected]


Backup


History of attacks – 2007 – Blackhat Las Vegas


Defcon 19 – Bootkits and network boot attacks


SYSCAN Singapore – April 2012


Firmware/OS Key

Why? – How can firmware know if certificate is valid?
How? – Firmware/OS Key (Signature Database)

[Figure: signature database layout. Each UEFI Signature List has a Type and holds UEFI Signature Data entries; each UEFI Signature Data has an Owner and a Signature. Example shown: Type = Certificate, Signature = X.509 Certificate]

UEFI Secure Boot Database Review

[Figure: PK, KEK, db and dbx connected by three "Update Enable" arrows]

• db: If Signed by key in db, driver or loader can Run!
• dbx: If Signed by key in dbx, driver/loader forbidden!

Who “Owns” The System Security Keys?

• PK – Key pair is created by Platform Manufacturer. Typically one PK pair used for a model or model Line
• KEK – Key supplied by OS Partner. Optional: Include 2nd key created by OEM
• db – OS vendor supplies Key, CA supplies Key. Optional: OEM App Signing Key
• dbx – list of revoked keys – Signing authority issues revoked keys

Signature Tests using db Keys Block Rogue S/W!

Authorization Flow

[Flowchart: decision boxes "Image Format OK?", "Image Signed?", "Cert in DBX?", "Cert. Authorized?", "Signature in DBX?" and "Signature in DB?", with Yes/No branches ending in "Run Image" or "Deny Image"]

See Rosenbaum, Zimmer, "A Tour Beyond BIOS into UEFI Secure Boot," for more details
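The signature database layout from the "Firmware/OS Key" slide and the "Signature in DBX?" / "Signature in DB?" boxes of the Authorization Flow, as an added C example (not code from the slides or from EDK II). It covers only the image-digest branch and leaves out the certificate (PKCS#7) checks; the function names, the fail-closed handling of a malformed database and the sample db/dbx contents are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFI_CERT_SHA256_GUID in its in-memory byte order (value from the UEFI spec) */
static const uint8_t SHA256_GUID[16] = {0x26,0x16,0xc4,0xc1,0x4c,0x50,0x92,0x40,
                                        0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28};
#define LIST_HDR 28u  /* EFI_SIGNATURE_LIST: type GUID + three UINT32 sizes */
#define OWNER    16u  /* EFI_SIGNATURE_DATA.SignatureOwner GUID */
#define DIGEST   32u  /* SHA-256 digest length */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Walk every EFI_SIGNATURE_LIST in a db/dbx payload. Returns 1 if the SHA-256
 * digest is listed, 0 if not, -1 if any list header disagrees with the buffer. */
int siglist_has_digest(const uint8_t *db, size_t len, const uint8_t *digest) {
    int found = 0;
    for (size_t off = 0; off < len; ) {
        const uint8_t *l = db + off;
        if (len - off < LIST_HDR) return -1;
        uint32_t list_sz = rd32(l + 16), hdr_sz = rd32(l + 20), sig_sz = rd32(l + 24);
        if (list_sz < LIST_HDR || list_sz > len - off || hdr_sz > list_sz - LIST_HDR) return -1;
        if (sig_sz <= OWNER || (list_sz - LIST_HDR - hdr_sz) % sig_sz != 0) return -1;
        if (memcmp(l, SHA256_GUID, 16) == 0 && sig_sz == OWNER + DIGEST)
            for (size_t s = LIST_HDR + hdr_sz; s < list_sz; s += sig_sz)
                if (memcmp(l + s + OWNER, digest, DIGEST) == 0) found = 1;
        off += list_sz;  /* keep walking so a malformed later list is still caught */
    }
    return found;
}

/* Digest branch of the flow: dbx is consulted first, anything not in db is denied. */
int authorize_digest(const uint8_t *db, size_t db_len,
                     const uint8_t *dbx, size_t dbx_len, const uint8_t *digest) {
    if (siglist_has_digest(dbx, dbx_len, digest) != 0) return 0;  /* revoked, or dbx malformed */
    return siglist_has_digest(db, db_len, digest) == 1;           /* run only if listed in db */
}

/* Constructed sample: one SHA-256 list holding a single digest of repeated `fill` bytes. */
size_t make_list(uint8_t *out, uint8_t fill) {
    memset(out, 0, LIST_HDR + OWNER + DIGEST);   /* zero header size and owner GUID */
    memcpy(out, SHA256_GUID, 16);
    out[16] = LIST_HDR + OWNER + DIGEST;         /* SignatureListSize = 76 */
    out[24] = OWNER + DIGEST;                    /* SignatureSize = 48 */
    memset(out + LIST_HDR + OWNER, fill, DIGEST);
    return LIST_HDR + OWNER + DIGEST;
}

int main(void) {
    uint8_t db[160], dbx[80], img[DIGEST];
    size_t n = make_list(db, 0xAA), x = make_list(dbx, 0xBB);  /* dbx revokes 0xBB */
    n += make_list(db + n, 0xBB);                               /* db lists 0xAA and 0xBB */
    memset(img, 0xBB, DIGEST);
    printf("0xBB image allowed: %d\n", authorize_digest(db, n, dbx, x, img));
    return 0;
}
```

The digest present in both databases is denied, and a truncated db or dbx is treated as a denial rather than as an empty list.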