RFC: Inclusion of Secure Boot Key Manager

Timothy Pearson tpearson at raptorengineering.com
Fri Jan 13 11:04:48 AEDT 2017


On 01/12/2017 05:22 PM, Samuel Mendoza-Jonas wrote:
> On Thu, 2017-01-12 at 15:48 -0600, Eric Richter wrote:
>> I've been looking into ways to include a secure boot key manager in 
>> skiroot, and ran into a few snags in the design. In order to maintain 
>> the "trusted" state of the system, shell access should be avoided due to 
>> the unrestricted manner of complete shell access. Instead, it would be 
>> sensible to limit a user's ability to interact with the keys through a 
>> menu. However, implementing this as a menu in Petitboot would then 
>> introduce more platform specific code.
> 
> Just as an aside, what scenarios are we specifically concerned about when the
> user has shell access? (The most obvious one that comes to mind would be
> flashing a new PNOR).

Without something like FlexVer [1] protecting the system, having command
line access at the Petitboot stage allows at _least_:

 * Changing the underlying firmware to accept (malicious) modified boot
firmware / kernel stages

 * Destruction of the system contents (dd if=/dev/zero
of=/my/important/disk)

 * Ransomware (encrypt disk contents, then demand ransom)

Essentially, allowing unrestricted shell access on current OpenPOWER
systems is equivalent to allowing unrestricted root access to the OS;
it's just slightly more complicated to exploit the system than "sudo
install malware". This type of access places the system in the same
class as the old Windows installs where you could reset the admin
password under Linux and gain full admin access with nothing but time
and a Linux LiveCD.

[1] https://www.raptorengineering.com/TALOS/documentation/flexver_intro.pdf

-- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
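The first quoted paragraph sketches the design point: instead of a shell, expose key management through a menu whose set of operations is fixed in advance. The block below is an added illustration of that idea written for this page; it is not Petitboot, skiroot or Raptor Engineering code. It assumes a hypothetical in-memory `KeyStore` in place of whatever firmware storage a real key manager would use, identifies keys by a SHA-256 fingerprint over the raw key bytes, and picks the 64..2048-byte DER size bounds arbitrarily. The point it demonstrates is that the dispatcher has a closed command table, validates every argument against a strict pattern, records every decision in an audit list, and has no path that spawns a process, which is exactly what an unrestricted shell cannot promise.

```python
import hashlib
import re

# Hypothetical in-memory key store standing in for whatever backing store a
# real key manager would use (secure variables in flash, TPM NV, ...); that
# backend is deliberately not modelled here.
class KeyStore:
    def __init__(self):
        self.keys = {}    # fingerprint -> (name, der_hex)
        self.audit = []   # (input line, decision) for every command seen

NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
# A DER blob as hex, 64..2048 bytes; the bounds are an assumption for the example.
KEY_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){64,2048}$")
FPR_RE = re.compile(r"^[0-9a-f]{64}$")

def fingerprint(der_hex: str) -> str:
    """SHA-256 over the raw key bytes; used as the key's stable identifier."""
    return hashlib.sha256(bytes.fromhex(der_hex)).hexdigest()

def cmd_list(store, args):
    if args:
        return False, "list takes no arguments"
    return True, sorted((fpr, name) for fpr, (name, _) in store.keys.items())

def cmd_enroll(store, args):
    if len(args) != 2:
        return False, "usage: enroll <name> <der-hex>"
    name, der_hex = args
    if not NAME_RE.fullmatch(name):
        return False, "invalid key name"
    if not KEY_RE.fullmatch(der_hex):
        return False, "key must be DER encoded as hex"
    fpr = fingerprint(der_hex)
    if fpr in store.keys:
        return False, "key already enrolled"
    store.keys[fpr] = (name, der_hex.lower())
    return True, fpr

def cmd_revoke(store, args):
    if len(args) != 1 or not FPR_RE.fullmatch(args[0]):
        return False, "usage: revoke <sha256-fingerprint>"
    if args[0] not in store.keys:
        return False, "no such key"
    name, _ = store.keys.pop(args[0])
    return True, name

# The closed command set: nothing outside this table can ever be invoked.
COMMANDS = {"list": cmd_list, "enroll": cmd_enroll, "revoke": cmd_revoke}

def dispatch(store, line: str):
    """Run one menu line. Tokens are plain whitespace-separated words; there
    is no quoting, no expansion and no path to a process spawn."""
    tokens = line.split()
    if not tokens:
        return False, "empty input"
    verb, args = tokens[0], tokens[1:]
    handler = COMMANDS.get(verb)
    if handler is None:
        store.audit.append((line, "rejected: unknown command"))
        return False, "unknown command: " + verb
    ok, result = handler(store, args)
    store.audit.append((line, "ok" if ok else "rejected: " + result))
    return ok, result

def demo():
    """Exercise the menu with a constructed 64-byte placeholder key."""
    store = KeyStore()
    placeholder_key = "ab" * 64     # constructed stand-in, not a real DER key
    ok, fpr = dispatch(store, "enroll platform-key " + placeholder_key)
    assert ok
    listed = dispatch(store, "list")[1]
    rejected = dispatch(store, "sh")            # no shell verb exists, by construction
    revoked = dispatch(store, "revoke " + fpr)
    return listed, rejected[0], revoked, len(store.audit)

if __name__ == "__main__":
    print(demo())
```

Every accepted or rejected line ends up in `store.audit`, so a review of the trusted boot stage can later see exactly which operations were attempted; a shell session leaves no such record unless something else captures it.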