On 12/17/20 10:04 AM, Marius Schwarz wrote:
On 17.12.20 at 14:35, Stephen John Smoogen wrote:
Right, but it's not automatic, and requires an existing known-good
system, which is the actual 'root of trust' here. This cannot be
assumed about a flash drive, which is why the automatic image check
is hard.
Speaking from a security POV, it's not hard, it's impossible. The
attacker can sign everything with its own cert and put that into
the image itself. It's way easier to remove the check for a valid sig
and always return "true" if asked for a match, as any rootkit will do.
In a secure boot environment, the root of trust is the motherboard
firmware, which has the keys of the next boot step. In Fedora land, this
next step is the shim, which was signed by Microsoft because their key
is on practically all existing hardware. As I said, the shim would have
to be smart enough to securely (TLS) retrieve the signature, and check
the boot image.
https://docs.fedoraproject.org/en-US/Fedora/18/html-single/UEFI_Secure_Boot_Guide/index.html#sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-Keys
In this scenario, the attacker cannot fake the key, because both UEFI
and the shim will stop the boot if their measurements fail to check out.
I don't know if the UEFI/shim combo can be enhanced to do those things,
though...
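As an added example (not from the thread and not Fedora or shim code), this stdlib-only Python sketch contrasts an integrity check anchored inside the image itself with one anchored in a value the verifier already holds, which is the "known-good system" / firmware root of trust both posters refer to. SHA-256 digests stand in for signature verification, and every function name and sample byte string here is constructed for illustration.

```python
import hashlib
import hmac

# Hypothetical helpers; the "images" are constructed byte strings, not real ISOs.

def digest(data: bytes) -> str:
    """Measurement of an image: its SHA-256 hex digest."""
    return hashlib.sha256(data).hexdigest()

def build_image(payload: bytes) -> dict:
    """An image that carries its own integrity manifest, the pattern the thread warns about:
    whoever builds the image also writes the manifest, so an attacker can always
    make the two agree."""
    return {"payload": payload, "manifest": {"sha256": digest(payload)}}

def verify_self_carried(image: dict) -> bool:
    """Checks the payload against the manifest shipped inside the same image.
    This proves only internal consistency; a tampered image built with
    build_image() passes just like a genuine one."""
    return hmac.compare_digest(digest(image["payload"]), image["manifest"]["sha256"])

def verify_against_anchor(image: dict, trusted_sha256: str) -> bool:
    """Checks the payload against a value the verifier holds outside the image
    (the known-good system, or firmware-held keys in the Secure Boot case).
    The attacker controls the image but not this reference, so tampering is caught."""
    return hmac.compare_digest(digest(image["payload"]), trusted_sha256)

# Reference measurement recorded earlier on the known-good system (constructed).
GOOD_PAYLOAD = b"live-image-v1 (constructed sample bytes)"
TRUSTED_SHA256 = digest(GOOD_PAYLOAD)

def demo() -> dict:
    """Runs both checks over a genuine and a tampered image and returns the verdicts."""
    genuine = build_image(GOOD_PAYLOAD)
    tampered = build_image(b"live-image-v1 + unwanted changes (constructed sample bytes)")
    return {
        "self_genuine": verify_self_carried(genuine),       # True
        "self_tampered": verify_self_carried(tampered),     # True: the check is worthless
        "anchor_genuine": verify_against_anchor(genuine, TRUSTED_SHA256),    # True
        "anchor_tampered": verify_against_anchor(tampered, TRUSTED_SHA256),  # False
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The self-carried check accepting the tampered image is the whole point: a verifier that takes its reference from the artifact under test has no root of trust, whichever primitive (hash, signature, certificate) it uses.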
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx