GRUB2 security changes in Fedora

[…]Include Grub’s “verify,” “cryptodisk,” “luks” and <others here> modules in grubx64.efi of the ‘grub2-efi-x64’ package.  Users utilising secure boot functionality on the UEFI platform cannot insert modules that aren’t in grubx64.efi. Paradoxically, this means that security-conscious users cannot use grub’s verify module, or employ (near) full disk encryption using cryptodisk and luks. The security benefits of signature verification would reach more users if Fedora automated it by incorporating the process into grub2-mkconfig. For the long-term, to grant flexibility with grub2 modules on secure boot instances, it may be advisable to sign the .mod files in the ‘grub2-efi-x64-modules’ package, modify grub2-mkconfig (or -install) to copy the necessary modules into the EFI partition when required by the user’s configuration and then allow inserting of signed modules in secure boot instances.[…]

https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2

https://www.phoronix.com/scan.php?page=news_item&px=GRUB2-New-EFI-Modules-For-F31


Open Source Firmware track at LinuxFestNorthWest 2019

LinuxFestNorthWest.org is the annual Linux conference for Washington state and the Pacific NorthWest area. This year, there’s an “Open Source Firmware” track, for the first time.

UEFI Boot for Mere Mortals
Why Open Source is Critical For Platform Firmware
Defending Out-of-Band Management Attacks
Network Boot in a Zero-Trust Environment
Open-Source Host Firmware Directions
The Fight for a Secure Linux BIOS… Past, Present and Future

https://www.linuxfestnorthwest.org/conferences/2019/schedule/events

https://www.linuxfestnorthwest.org/conferences/2019


mXtract: Linux-based tool that analyses and dumps memory

mXtract is an open-source Linux-based tool that analyses and dumps memory. It's developed as an offensive penetration testing tool which can be used to scan memory for private keys, IPs, and passwords using regexes. Remember your results are only as good as your regexes.[…]


https://github.com/rek7/mXtract

Comparing Linux distribution’s hardening schemes

In this post, we explore the adoption of Linux hardening schemes across five popular distributions by examining their out-of-the-box properties. For each distribution, we analyzed its default kernel configuration, downloaded all its packages, and analyzed the hardening schemes of their enclosed binaries. Our dataset includes the OpenSUSE 12.4, Debian 9, CentOS and RHEL 6.10 & 7 distributions, as well as the Ubuntu 14.04, 12.04, and 18.04 LTS distributions. Our findings confirm that even basic hardening schemes, such as stack canaries and position independent code, are not fully adopted. The situation is even worse when it comes to other compiler protections like stack clash hardening, which recently came into the spotlight due to last month’s systemd vulnerabilities. However, not all is hopeless.[…]

https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/
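As an added illustration (not code from the Capsule8 post), the following checker reads the ELF64 header and program headers to report three of the properties the post measured: PIE (ET_DYN), a non-executable stack (PT_GNU_STACK without PF_X) and RELRO (PT_GNU_RELRO), plus a crude stack-canary heuristic that looks for the `__stack_chk_fail` symbol name in the file. A constructed, header-only ELF image is built inline so the check runs offline; stack clash protection is a code-generation property and cannot be read from the headers.

```python
import struct

# Program-header types and flags from the ELF gABI and the GNU extensions.
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3

def elf64_hardening(data: bytes) -> dict:
    """Report PIE, NX stack, RELRO and a canary heuristic for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]          # e_type
    e_phoff = struct.unpack_from("<Q", data, 32)[0]         # e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    report = {
        "pie": e_type == ET_DYN,
        "nx": False,      # no PT_GNU_STACK at all means an executable stack on older kernels
        "relro": False,
        # Heuristic: -fstack-protector* builds reference __stack_chk_fail in .dynstr.
        "canary": b"__stack_chk_fail" in data,
    }
    for i in range(e_phnum):
        # Elf64_Phdr starts with p_type (u32) followed by p_flags (u32).
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            report["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            report["relro"] = True
    return report

def build_sample_elf(pie: bool, exec_stack: bool, relro: bool, canary: bool) -> bytes:
    """Constructed test input: an ELF64 header plus program headers and no real code."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK,
                         0x6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)    # e_ident: ELF64, LE, version 1
            + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1,
                          0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0))
    return ehdr + b"".join(phdrs) + (b"__stack_chk_fail\0" if canary else b"")

def check_file(path: str) -> dict:
    """Run the checker on a binary on disk (e.g. one unpacked from a distro package)."""
    with open(path, "rb") as f:
        return elf64_hardening(f.read())

if __name__ == "__main__":
    print(elf64_hardening(build_sample_elf(pie=True, exec_stack=False, relro=True, canary=True)))
```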

Fedora: Flicker Free Boot

Fedora 30 now contains all changes for a fully Flicker Free Boot. Last week a new version of plymouth landed which implements the new theme for this and also includes a much improved offline-updates experience, following this design. At boot the display will seamlessly transition from the firmware boot-splash into the new plymouth theme, which uses the firmware boot-splash as background[…]

https://fedoraproject.org/wiki/Changes/FlickerFreeBoot

https://hansdegoede.livejournal.com/20119.html

How to Debug the Linux Kernel with QEMU and Libvirt

[…]In this article, we explain how you can debug your Linux kernel and its modules during runtime. This article will be useful for Linux kernel developers who want to speed up the time to market of their software.[…]

https://www.apriorit.com/dev-blog/597-debug-linux-kernel-qemu-libvirt

Evolution of the x86 context switch in Linux

While researching archaic facts about the 80386 hardware context switch last weekend, I remembered that early versions of the Linux kernel relied on it. I was promptly sidetracked for hours reading code I hadn’t seen in years. This weekend, I’ve decided to write down the journey to consolidate all the nuggets of fun stuff I discovered along the way.

http://www.maizure.org/projects/evolution_x86_context_switch_linux/


OpenSource.com: Troubleshooting hardware problems in Linux

[…]The following tips should make it quicker and easier to troubleshoot hardware in Linux. Many different things can cause problems with Linux hardware; before you start trying to diagnose them, it’s smart to learn about the most common issues and where you’re most likely to find them.[…]

https://opensource.com/article/18/12/troubleshooting-hardware-problems-linux

build-anywhere: Create highly portable ELF binaries using the build-anywhere toolchain

This post describes the basic requirements for compiling highly portable ELF binaries. Essentially using a newer Linux distro like Ubuntu 18.10 to build complex projects that run on older distros like CentOS 6. The details are limited to C/C++ projects and to x86_64 architectures. The low-level solution is to use a C++ runtime that requires only glibc 2.13+ runtime linkage and link all third-party libraries as well as the compiler runtime and C++ implementation statically. Do not make a “fully static” binary. You will most likely find a glibc newer than 2.13 on every Linux distribution released since 2011. The high-level solution is to use the build-anywhere scripts to build an easy-to-use toolchain and set compiler flags.[…]

https://github.com/theopolis/build-anywhere

https://casualhacking.io/blog/2018/12/25/create-highly-portable-elf-binaries-using-the-build-anywhere-toolchain

GPU-pass-through-compatibility-check: Automatically set up a Linux system for PCI pass-through and check if it is compatible

This project consists of 3 parts.
1) A script (gpu-pt-check.sh) that automatically checks to what extent a computer is compatible with GPU pass-through in its given configuration.
2) A script (setup.sh) that automatically installs and configures your system for GPU pass-through (Only tested on fresh installs of Fedora 28 x64 with Gnome, booted in UEFI mode!)
3) Instructions on how to create a bootable Linux USB stick that automatically runs the gpu-pt-check.sh script when you boot from it without any user interaction required.


https://github.com/T-vK/GPU-pass-through-compatibility-check

ALT Linux adds packages for UEFI keys and certs

https://github.com/alt-packages/alt-uefi-keys
https://github.com/alt-packages/alt-uefi-certs
https://en.altlinux.org/Main_Page
https://www.altlinux.org/UEFI

This package contains ALT Linux UEFI SB CA certificate corresponding to the private key that is now used to sign ALT Linux UEFI bootloaders to cope with UEFI SecureBoot regime (aka “Restricted Boot”). This can be enrolled by the user so that ALT shim and subsequent bootloaders are accepted by firmware without Microsoft’s certificates.

PS: ALT Linux Rescue includes an EFI System Partition (ESP) with a few tools, and a boot option to go into UEFI or Linux.

https://en.altlinux.org/Rescue

LinuxFlaw: collection of hundreds of Linux vulnerabilities

https://github.com/VulnReproduction/LinuxFlaw

https://www.usenix.org/conference/usenixsecurity18/presentation/mu

As the above Twitter thread shows, see also:

https://syzkaller.appspot.com/?fixed=upstream

https://syzkaller.appspot.com/

CVE-2017-1000112: Linux Kernel Runtime Guard (LKRG) bypass

https://www.openwall.com/lists/lkrg-users/2018/11/16/2

This is a proof-of-concept local root exploit for the vulnerability in the UFO Linux kernel implementation CVE-2017-1000112.

https://www.openwall.com/lists/oss-security/2017/08/13/1

https://github.com/milabs/kernel-exploits/tree/master/CVE-2017-1000112


Defensive Security: Playing with Linux Kernel Runtime Guard (LKRG)

https://www.defensive-security.com/blog/playing-with-linux-kernel-runtime-guard-lkrg

An introduction to Udev: The Linux subsystem for managing device events

Linux subsystem for managing device events
Create a script that triggers your computer to do a specific action when a specific device is plugged in.
13 Nov 2018
Seth Kenlon (Red Hat)

Udev is the Linux subsystem that supplies your computer with device events. In plain English, that means it’s the code that detects when you have things plugged into your computer, like a network card, external hard drives (including USB thumb drives), mice, keyboards, joysticks and gamepads, DVD-ROM drives, and so on. That makes it a potentially useful utility, and it’s well-enough exposed that a standard user can manually script it to do things like performing certain tasks when a certain hard drive is plugged in. This article teaches you how to create a udev script triggered by some udev event, such as plugging in a specific thumb drive. Once you understand the process for working with udev, you can use it to do all manner of things, like loading a specific driver when a gamepad is attached, or performing an automatic backup when you attach your backup drive.[…]

https://opensource.com/article/18/11/udev?sc_cid=70160000001273HAAQ