UEFI Firmware Enhances Linux* Security and Adds New Benefits
PTAS001
Qin Long, Software Architect, Intel Corp.
Jeff Bobzin, Vice President, Insyde Software Corp.
Ivan Hu, BIOS Engineer, Canonical Ltd.
Agenda
• UEFI Considerations for Linux*
• Secure Boot for the Enterprise System – From Insyde*
• Ubuntu* UEFI/Secure Boot Enablement and Tool
• Summary
The PDF for this Session presentation is available from our Technical Session Catalog at the end of the day at: intel.com/go/idfsessionsBJ
URL is on top of Session Agenda Pages in Pocket Guide
Agenda Item 1
UEFI Considerations for Linux*
• UEFI Secure Boot Overview
• Secure Boot Challenges for Linux*
• Brief Updates on Linux Distributions
UEFI Secure Boot Overview
• Current issues with boot
  – A growing class of malware targets the boot path
  – Often the only fix is to reinstall the operating system
• UEFI Secure Boot hardens the boot process
  – All firmware and software in the boot process must be signed by a trusted Certificate Authority (CA)
  – Gives users a way of protecting their systems from external intrusion
  – Reduces the likelihood of rootkits, bootkits and other malware
Secure Boot Challenges for Linux*
• Dual OS deployment challenge
  – Users can disable UEFI Secure Boot to install Linux*, but this isn't the best deployment plan
  – Users must have an option to install Linux alongside another OS, even when UEFI Secure Boot is enabled
• Linux can benefit from UEFI Secure Boot, if…
  – Customers can install Linux without disabling the feature
  – The platform owner can set security policy and customize the system
• Distributions have other considerations for UEFI
  – How the kernel handles signed and unsigned code
  – Migrating drivers from legacy BIOS calls (INTxx) to UEFI
Linux distributions must determine how to implement Secure Boot
Updates from Linux* Distributions
• Ubuntu* 12.10 – the 64-bit version of Ubuntu 12.10 shipped with Shim to support Secure Boot
• Fedora* 18 – included Shim with MOK (Machine Owner Key) functionality
• Both Red Hat* and SUSE* will be supporting 3rd-party signing in their releases
• openSUSE* 12.3 release supports the MOK manager and a multi-signed Shim loader
• Linux Foundation Secure Boot System released
• UEFI Technology Adopted by Linux Community†
Linux distro implementation with MOK 3rd-party manager signing list implemented already
† http://www.businesswire.com/news/home/20130319006268/en/UEFI-Technology-Adopted-Linux-Community
Agenda Item 2
UEFI, Secure Boot and the Enterprise System
Jeff Bobzin, Vice President, Insyde Software Corporation
Agenda
• Securing the boot process for Enterprise Systems
• Why the Enterprise system needs Secure Boot
• The Engineering of the Secure Boot Feature
• Secure System Firmware Update for Linux*
• Is my platform ready for Secure Boot Linux?
Much Progress in 2012
UEFI Versions of Fedora* and Ubuntu* Launched
"UEFI would provide a foundation for a chain of trust that would connect all the way up to the software layer, which could thwart attempts to install illicit, and harmful, software on [Linux*] computers."
Joab Jackson, pcworld.com
Windows* 8 and Windows Server 2012 Launched
"I would add that security improvements alone may justify the purchase for many enterprises. […] Like Windows 8, Windows Server 2012 has replaced the traditional ROM-BIOS with the new and improved industry boot standard known as UEFI using the security-hardened 2.3.1 version."
Roger Grimes, infoworld.com
Ecosystem is Ready for Secure Boot
(Figure: the ecosystem pieces that must all support Secure Boot: system firmware and option ROM firmware, system boards and add-in cards, recovery software and operating systems.)
Benefits of Secure Boot to Enterprise
• UEFI Boot inherently has lots of value to the Enterprise
  – Support for large disk drives
  – Support for complex partition structures
  – Rich network support including IPv6
  – Better PXE provisioning and boot from iSCSI
  – Better error reporting and management tools
• But UEFI Boot needs Secure Boot to lock down access to the critical boot files
Project Planning is Critical
• The benefits of a hardened system boot are clear, but
• Always remember: reliable Enterprise products with strong security protection, starting in the firmware and continuing throughout the Linux* boot process, require selecting partners that prioritize security
Partners can help you reach your security goals!
Quick Review – What is Secure Boot?
• UEFI Secure Boot is a technology to close a major security hole during the handoff from UEFI firmware to the UEFI OS
• Option ROMs and OS boot loaders need to be signed by the private key corresponding to a certificate in the system's signature database
• The database is provisioned at the factory and maintained by the OS if required for revocation
(Figure: UEFI Firmware hands off to the UEFI OS; Secure Boot verifies the image at that boundary.)
Secure Boot – Step by Step
1. UEFI Driver Signing: the driver or loader is a PE image. The PE header's Certificate Directory points at an attribute certificate table appended after the sections (Type, Attribute Cert. Label). Each entry carries PKCS #7 SignedData with the Authenticode extension: the ContentInfo holding the PE file hash, the signer's X.509 certificate, and the Sign Info holding the signed hash of the ContentInfo.
2. UEFI Secure Boot Database: four variables form a hierarchy. The PK (Platform Key) enables updates to the KEK (Key Exchange Key); the KEK enables updates to db and dbx.
  – If signed by a key in db, the driver or loader can run!
  – If signed by a key in dbx, the driver/loader is forbidden!
3. Platform does UEFI Driver Checking: the UEFI driver arrives at the system with a signature made at the factory under a certificate issued by the Cert. Authority. The firmware verifies the signature and looks up the signer in the database; if all match, the driver is approved to run.
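The three steps above can be followed in code. The block below is an added example written for this page (it is not code from the deck, from Intel or from Insyde): it locates the Certificate Table through the PE header's security directory entry, walks the WIN_CERTIFICATE entries that hold the PKCS #7 SignedData (several entries is how a loader can carry signatures from more than one CA), and recomputes the hash that the signature covers, which by definition excludes the CheckSum field, the directory entry and the certificate table itself. The PE image it parses is a constructed, sectionless PE32+ stub, not a real boot loader, and the certificate blobs are placeholders rather than real PKCS #7 data; everything else follows the PE/Authenticode layout.

```python
import hashlib
import struct

# Added example (not the deck's or any vendor's code): walks the Authenticode
# structure of step 1 and recomputes the hash that the signature covers.

SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _pe_offsets(pe):
    """Locate the CheckSum field and the Certificate Table directory entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x20B:                 # PE32+: data directories start at +112
        dirs = opt + 112
    elif magic == 0x10B:               # PE32: data directories start at +96
        dirs = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt + 64, dirs + 8 * SECURITY_DIR_INDEX   # CheckSum is at +64 in both


def extract_certificates(pe):
    """Return [(revision, type, blob)] from the attribute certificate table.
    The directory's VirtualAddress is a raw file offset, not an RVA."""
    _, secdir = _pe_offsets(pe)
    table_off, table_size = struct.unpack_from("<II", pe, secdir)
    certs, pos, end = [], table_off, table_off + table_size
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE at 0x%x" % pos)
        certs.append((rev, ctype, pe[pos + 8:pos + length]))
        pos += (length + 7) & ~7       # entries are padded to 8 bytes
    return certs


def authenticode_hash(pe, algo="sha256"):
    """Hash the image the way Authenticode does: everything except the CheckSum
    field, the Certificate Table directory entry and the certificate table.
    Simplification: sections are assumed to sit in file order, so hashing the
    remaining bytes in order matches the spec's sorted-sections walk."""
    checksum, secdir = _pe_offsets(pe)
    table_off, table_size = struct.unpack_from("<II", pe, secdir)
    skip = [(checksum, checksum + 4), (secdir, secdir + 8)]
    if table_size:
        skip.append((table_off, table_off + table_size))
    h, pos = hashlib.new(algo), 0
    for start, stop in sorted(skip):
        h.update(pe[pos:start])
        pos = stop
    h.update(pe[pos:])
    return h.hexdigest()


def build_sample_pe(cert_blob, body=b"\xcc" * 64):
    """Constructed, sectionless PE32+ image with one WIN_CERTIFICATE appended.
    Only the fields the functions above read are meaningful; it will not boot."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+
    struct.pack_into("<I", opt, 108, 16)                              # 16 directories
    table_off = len(dos) + len(coff) + len(opt) + len(body)
    pad = (-table_off) % 8                                            # 8-byte align
    entry = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    entry += b"\0" * ((-len(entry)) % 8)
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX,
                     table_off + pad, len(entry))
    return dos + coff + bytes(opt) + body + b"\0" * pad + entry


def demo():
    """What the signature covers: swapping the certificate table leaves the
    hash unchanged, while changing one code byte changes it."""
    signed = build_sample_pe(b"PKCS7-PLACEHOLDER")
    resigned = build_sample_pe(b"A-DIFFERENT-PKCS7-PLACEHOLDER")
    tampered = build_sample_pe(b"PKCS7-PLACEHOLDER", body=b"\xcc" * 63 + b"\x90")
    h = authenticode_hash(signed)
    return h == authenticode_hash(resigned), h == authenticode_hash(tampered)


if __name__ == "__main__":
    print(demo())                      # (True, False)
```

The `demo()` result is the practical point of step 1: because the certificate table is outside the hashed region, a loader can be re-signed (or carry a second signature) without changing the hash the firmware computes, while any change to code or headers invalidates every signature. A real check would go on to verify the PKCS #7 SignedData against the certificate found in db, which needs an X.509 library and is not shown here.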
Microsoft* hosts a CA for UEFI use
• UEFI Option ROMs need to be signed by a widely trusted Certificate Authority
• Microsoft* has CA experience and volunteered to host the first all-industry UEFI CA
• Manufacturers are encouraged to put the MS CA certificate into the "Allowed" database (db)
• Microsoft policies are non-discriminatory; for example, the Microsoft CA signed the Linux* 'Shim' boot driver
• Could there emerge another trusted CA? Possible, there is plenty of room in the database, but it would need to convince OEMs to include it
Secure Boot, Linux* & Chain of Trust
(Figure: the UEFI Firmware is the Root of Trust and holds the Microsoft* UEFI CA certificate; the Boot Shim, signed by that CA, is verified by the firmware and in turn carries the certificate that verifies the Linux* Boot Loader.)
Firmware is the Root of Trust
• The effectiveness of Secure Boot depends upon protection of the firmware code and data store from attack
• Today's hardware protection:
  – Elevates all flash changes to protected privileged code in SMI (System Management Interrupt handler)
  – SMI-resident code tests the signing of any changes to the code store or the Secure Boot database
• Needs an Update Launcher appropriate to the OS being used
• Insyde provides OEMs with Secure Update Launcher tools for Windows* and now Linux*
Secure Firmware Update Today
(Figure: at the System Manufacturer, the Sign Tool signs the Firmware Update IMG with the OEM private key from the Certificate Store, producing a prepared signed capsule file. Locally in the machine, the OS-Specific Launcher hands the capsule to the SMI Handler, which checks it against the Firmware Root of Trust before flashing.)
Preparing for Secure Firmware Update on Linux* Systems
OEM Steps
1. Build the signed capsule containing the update (same as Windows*)
2. Build the Linux* flash launcher appropriate to the target OS (Note: Insyde supplies driver source)
3. For an uncommon distro the user will need to build the driver
User Steps
1. Download the package including the launcher; extract the launcher zip to set permissions
2. Copy the signed binary "isFlash.bin" into the InsydeFlash folder
3. The Update Launcher program needs root privilege to run
4. Run Linux flash; the application will check whether the correct secure BIOS image exists
5. Yes -> perform an SMI to launch secure flash mode
6. Platform reboots to apply the update in firmware startup
Industry Working to Make Secure Update Easier and More Reliable
• UEFI has an entry point called UpdateCapsule that is intended to deliver firmware updates. Look for progress from OS vendors in 2013 adding this important capability for increased reliability.
  – Built into Linux*, so no need for the user to compile a driver!
• Also look for tools to update the firmware in UEFI-ready expansion cards
(Figure: the prepared signed capsule file goes from the OS-Specific Launcher to the OS Capsule Driver and on to the Firmware Root of Trust, locally in the machine.)
DEMO #1 – Is my System Ready?
Download the Checkup Tool at http://apps.insyde.com
1. Secure Boot Enabled
2. MS CA Cert Present
Enterprise Segment Goals for UEFI Forum in 2013
• Progress toward wide Enterprise adoption is a very important goal!
• Also launching UEFI-style Secure Firmware Update for a smoother user experience
• To achieve this, the UEFI community promises:
  – Attention to all elements of the ecosystem: systems, expansion cards, and Enterprise OS
  – Education on the benefits
  – Responsiveness to the needs of the segment
Agenda Item 3
Ubuntu* UEFI/Secure Boot Enablement and Tool
Ivan Hu, BIOS Engineer, Canonical Ltd.
Agenda
• UEFI/Secure Boot Enablement
• Firmware Test Suite / Firmware Test Suite - Live
• Demo
UEFI/Secure Boot Enablement
UEFI/Secure Boot
• Ubuntu* 12.10 implements UEFI Secure Boot
• Download: http://www.ubuntu.com/download/desktop
UEFI/Secure Boot Enablement
BIOS/UEFI Requirement
• Complies with version 2.3.1 of the UEFI standard
• UEFI boot/runtime services
• UEFI boot manager
  – Variables Boot#### and BootOrder
  – BIOS reset to defaults
UEFI/Secure Boot Enablement
Ubuntu* secure boot process
(Figure: the UEFI firmware holds the Microsoft* UEFI CA certificate and verifies the boot shim, whose signature was generated from the MS UEFI CA, then executes it. The shim carries the Ubuntu CA certificate and verifies the GRUB2 bootloader, signed with the Canonical UEFI CA, then executes it. GRUB2 verifies the Ubuntu kernel, also signed with the Canonical UEFI CA, and executes it. Every link is verified before it is executed.)
UEFI/Secure Boot Enablement
Ubuntu* secure boot process with an unsigned kernel
(Figure: the same chain, but with an unsigned kernel: the firmware verifies and executes the shim, the shim verifies and executes GRUB2, and GRUB2 then executes the kernel without verification. The chain of trust ends at the bootloader.)
UEFI/Secure Boot Enablement
Ubuntu* Implementation for Secure Boot
• Ubuntu 12.10 implementation for Secure Boot
  – Boot loader shim signed by the Microsoft* UEFI CA
  – Ubuntu-signed boot loader
  – Ubuntu-signed kernel
  – Unsigned kernel support
  – Not enforcing module signing
• Ubuntu certification requirement
  – Initial key database configuration
  – User key reconfiguration functionality
  – Facility to enable/disable Secure Boot
• Support runtime key reconfiguration
  – Using the efivars interface to update PK, KEK, db, dbx
  – Secure Boot signing tool available: "sbsigntool"
Firmware Test Suite (fwts)
What is fwts?
• fwts is a Linux* tool that automates firmware checking. It aims to detect bugs and to get firmware fixed.
• Based on Intel's Linux-ready Firmware Developer Kit, which ceased in October 2007
• Automatically detects errors
• Sanity-checks core functionality
• Ensures interactions between Linux and firmware
• Catches kernel warnings
• Suggests possible workarounds
• Gathers firmware data for debug
Firmware Test Suite (fwts)
Key features (1/2)
• Command line
  – Designed to be used by other test tools
  – Or to be run stand-alone
  – And to gather data for a developer
• Batch tests
  – Run without supervision
• Interactive tests
  – Hot-key, lid, AC power
• Extensive logging
  – Per-test PASS/FAIL results
  – Explains reasons for failures (ADVICE lines)
  – Classifies failures (CRITICAL, HIGH, LOW…)
• Summarize results
  – Output log format can be configured
Firmware Test Suite (fwts)
Key features (2/2)
• Soak testing
  – suspend/resume, hibernate/resume
• Utilities
  – ACPI, UEFI variable dump…
• UEFI runtime service tests
  – Variable, time, miscellaneous services
• Secure Boot tests
  – Secure Boot variables and certificate tests
Firmware Test Suite (fwts)
fwts tests for Secure Boot
• UEFI Secure Boot variables check
  – SetupMode, SecureBoot variables
• Signature database ("db") check for the Microsoft* third-party UEFI CA
• KEK check for the Ubuntu* master CA certificate
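The three checks above, and the db/dbx lookup from the "Secure Boot – Step by Step" slides, all come down to reading UEFI variables and walking EFI_SIGNATURE_LIST chains. The block below is an added example written for this page, not fwts code and not Canonical's: it splits the 4-byte attribute word that efivarfs prepends to each variable, parses the signature lists, identifies certificates by the SHA-256 of their DER bytes, and reports the same PASS/FAIL items as the slide. The variable contents are constructed stand-ins for a real platform; the two "certificates" are placeholder byte strings, not real DER, and the owner GUID is made up. On a real machine the payloads would come from files such as /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f and SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c, and the expected fingerprints would be those of the Microsoft Corporation UEFI CA 2011 and the distribution's master CA.

```python
import hashlib
import struct
import uuid

# Added example (not fwts or Canonical code): parse db/dbx/KEK and run the
# slide's Secure Boot checks over constructed sample variables.

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Variable attribute bits; PK/KEK/db/dbx must carry the time-based auth bit.
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20


def split_efivar(raw):
    """efivarfs files start with the 4-byte attribute word, then the payload."""
    if len(raw) < 4:
        raise ValueError("efivar too short")
    return struct.unpack_from("<I", raw, 0)[0], raw[4:]


def parse_signature_lists(payload):
    """Walk consecutive EFI_SIGNATURE_LIST structures: SignatureType GUID,
    SignatureListSize, SignatureHeaderSize, SignatureSize, optional header,
    then entries of SignatureOwner GUID + SignatureData."""
    entries, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST at %d" % pos)
        sig_type = uuid.UUID(bytes_le=payload[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, pos + 16)
        body, end = pos + 28 + hdr_size, pos + list_size
        if sig_size < 16 or end > len(payload) or body > end or (end - body) % sig_size:
            raise ValueError("corrupt EFI_SIGNATURE_LIST at %d" % pos)
        for off in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=payload[off:off + 16])
            entries.append((sig_type, owner, payload[off + 16:off + sig_size]))
        pos = end
    return entries


def x509_fingerprints(payload):
    """SHA-256 over each DER certificate in the variable; how a CA is matched."""
    return {hashlib.sha256(data).hexdigest()
            for sig_type, _, data in parse_signature_lists(payload)
            if sig_type == EFI_CERT_X509_GUID}


def image_revoked(dbx_payload, image_sha256_hex):
    """dbx wins over db: a hash entry matching the image forbids it."""
    return any(sig_type == EFI_CERT_SHA256_GUID and data.hex() == image_sha256_hex
               for sig_type, _, data in parse_signature_lists(dbx_payload))


def check_platform(variables, expected_db_ca, expected_kek_ca):
    """The slide's checks: SecureBoot/SetupMode state, third-party CA in db,
    distro master CA in KEK, plus the authenticated-write attribute on both."""
    _, secure_boot = split_efivar(variables["SecureBoot"])
    _, setup_mode = split_efivar(variables["SetupMode"])
    db_attrs, db = split_efivar(variables["db"])
    kek_attrs, kek = split_efivar(variables["KEK"])
    auth = EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    return {
        "secure_boot_enabled": secure_boot == b"\x01",
        "setup_mode_off": setup_mode == b"\x00",
        "db_is_authenticated": bool(db_attrs & auth),
        "kek_is_authenticated": bool(kek_attrs & auth),
        "db_has_third_party_ca": expected_db_ca in x509_fingerprints(db),
        "kek_has_distro_ca": expected_kek_ca in x509_fingerprints(kek),
    }


# Constructed sample data standing in for /sys/firmware/efi/efivars contents.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")        # made-up GUID
SAMPLE_THIRD_PARTY_CA = b"\x30\x82\x00\x10constructed-der-third-party-ca"  # not real DER
SAMPLE_DISTRO_CA = b"\x30\x82\x00\x10constructed-der-distro-master-ca"     # not real DER
SAMPLE_REVOKED_IMAGE = b"constructed boot loader that must never run"


def make_signature_list(sig_type, owner, blobs):
    """Build one EFI_SIGNATURE_LIST; every entry in a list has the same size."""
    if any(len(b) != len(blobs[0]) for b in blobs):
        raise ValueError("entries in one list must have equal size")
    sig_size = 16 + len(blobs[0])
    hdr = sig_type.bytes_le + struct.pack("<III", 28 + sig_size * len(blobs), 0, sig_size)
    return hdr + b"".join(owner.bytes_le + b for b in blobs)


def sample_variables():
    rw = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
    auth = rw | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    ro = EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
    revoked = hashlib.sha256(SAMPLE_REVOKED_IMAGE).digest()
    return {
        "SecureBoot": struct.pack("<I", ro) + b"\x01",
        "SetupMode": struct.pack("<I", ro) + b"\x00",
        "KEK": struct.pack("<I", auth)
               + make_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_DISTRO_CA]),
        "db": struct.pack("<I", auth)                       # two lists chained in one variable
              + make_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_THIRD_PARTY_CA])
              + make_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32]),
        "dbx": struct.pack("<I", auth)
               + make_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [revoked]),
    }


def demo():
    v = sample_variables()
    results = check_platform(v, hashlib.sha256(SAMPLE_THIRD_PARTY_CA).hexdigest(),
                             hashlib.sha256(SAMPLE_DISTRO_CA).hexdigest())
    _, dbx = split_efivar(v["dbx"])
    results["revoked_image_blocked"] = image_revoked(
        dbx, hashlib.sha256(SAMPLE_REVOKED_IMAGE).hexdigest())
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, "PASSED" if ok else "FAILED"))
```

Two details matter when this is run against a real system: the db variable routinely holds several lists (one per signature type and size), which is why the parser loops rather than reading one header, and a revocation entry in dbx must be checked before db is consulted, which is the order `image_revoked` and `check_platform` are meant to be called in.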
Firmware Test Suite Live (fwts-live)
What is fwts-live?
• fwts-live is a bootable USB image that will boot and run the Firmware Test Suite without the need to install Linux*/Ubuntu*. Results of the tests are saved on the USB drive to be analyzed later.
• No installation necessary
• Easy to use
• Released with the latest Ubuntu
Firmware Test Suite Live (fwts-live)
(Figure: screenshot of fwts-live.)
Demo: Firmware Test Suite (fwts)
Information
Reporting fwts bugs?
• fwts – https://bugs.launchpad.net/ubuntu/+source/fwts
Looking for more information
• Ubuntu* ODM Portal - http://odm.ubuntu.com/
• Secure Boot Signing Tools - git://kernel.ubuntu.com/jk/sbsigntool
• fwts – https://wiki.ubuntu.com/Kernel/Reference/fwts
• fwts-live – https://wiki.ubuntu.com/HardwareEnablementTeam/Documentation/FirmwareTestSuiteLive
Ubuntu* Implementation for UEFI
• Ubuntu* 12.10 release is the first version of Ubuntu that supports secure boot
• Ubuntu secure boot maintains flexibility, while the firmware remains protected from untrusted code
• Certification required for user control of security policy
• Firmware Test Suite (FWTS) automates firmware checking, including UEFI and Secure Boot test coverage
Linux and kernel driver signing support
• Linux distro implementation with MOK 3rd-party manager signing list implemented already
• openSUSE 12.3: https://news.opensuse.org/2013/02/28/rc2-is-ready-for-you-are-you-ready-for-rc2/
Summary
• UEFI Secure Boot hardens the boot process
• The ecosystem is ready for UEFI Secure Boot
• Linux* distributions must determine how to implement Secure Boot from the various options available
• Ubuntu* supports UEFI Secure Boot and offers FWTS for automated firmware checking
Call to Action
• Leverage the rich resources available and learn about UEFI Secure Boot technology
• Assess and evaluate your platform readiness for deploying UEFI Secure Boot
• Download and test the latest Linux* distributions with support for UEFI & Secure Boot
  – The link for Ubuntu* Secure Boot resources is at: https://wiki.ubuntu.com/UEFI/SecureBoot
  – SUSE* Secure Boot details: https://www.suse.com/blogs/uefi-secure-boot-details/
Additional Sources of Information:
• Intel UEFI Community - http://intel.com/udk
• UEFI Forum Learning Center - http://www.uefi.org/learning_center/
• Use the TianoCore edk2-devel mailing list for support from other UEFI developers
• Read the "A Tour Beyond BIOS into UEFI Secure Boot" whitepaper at tianocore.org
• For more information on Ubuntu* …
  – Ubuntu ODM Portal - http://odm.ubuntu.com/
  – Secure Boot Tools - git://kernel.ubuntu.com/jk/sbsigntool
• For more information on Fedora* … http://fedoraproject.org/
• Latest updates to SUSE* UEFI Secure Boot plans: https://www.suse.com/blogs/tag/secure-boot/
*Other names and brands may be claimed as the property of others. Copyright ©2013 Intel Corporation.