This note explains how to switch a legacy boot Debian/Ubuntu system into a UEFI boot system. Typical use cases: 1) switch a legacy boot installation into an UEFI one, 2) reinstall a broken UEFI boot loader on Debian 7, Debian 8 or Debian 9.[…]
Tag: Linux
Debian 10 released, with Secure Boot
[…]The UEFI (“Unified Extensible Firmware Interface”) support first introduced in Debian 7 (code name “wheezy”) continues to be greatly improved in Debian 10 “buster”. Secure Boot support is included in this release for amd64, i386 and arm64 architectures and should work out of the box on most Secure Boot-enabled machines. This means users should no longer need to disable Secure Boot support in the firmware configuration.[…]
https://lists.debian.org/msgid-search/bcd827ac-a3cf-6695-9a21-9b9d148aed76@debian.org
Hmm, above URL generates an error on the resulting Debian.org-hosted page, but the MARC and Mail-Archive links work, the latter rendered better. The Debian page also wrongly points to the now-dead GMane site, two Debian bugs that need to get fixed…
Debian Secure Boot document updated
Steve McIntyre has updated the Debian wiki page for Secure Boot “to cover a lot more user-facing stuff.”
GRUB2 security changes in Fedora
[…]Include Grub’s “verify,” “cryptodisk,” “luks” and <others here> modules in grubx64.efi of the ‘grub2-efi-x64’ package. Users utilising secure boot functionality on the UEFI platform cannot insert modules that aren’t in grubx64.efi. Paradoxically, this means that security-conscious users cannot use grub’s verify module, or employ (near) full disk encryption using cryptodisk and luks. The security benefits of signature verification would reach more users if Fedora automated it by incorporating the process into grub2-mkconfig. For the long-term, to grant flexibility with grub2 modules on secure boot instances, it may be advisable to sign the .mod files in the ‘grub2-efi-x64-modules’ package, modify grub2-mkconfig (or -install) to copy the necessary modules into the EFI partition when required by the user’s configuration and then allow inserting of signed modules in secure boot instances.[…]
https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2
https://www.phoronix.com/scan.php?page=news_item&px=GRUB2-New-EFI-Modules-For-F31
Open Source Firmware track at LinuxFestNorthWest 2019
LinuxFestNorthWest.org is the annual Linux conference for Washington state and the Pacific NorthWest area. This year, there’s an “Open Source Firmware” track, for the first time.
UEFI Boot for Mere Mortals
Why Open Source is Critical For Platform Firmware
Defending Out-of-Band Management Attacks
Network Boot in a Zero-Trust Environment
Open-Source Host Firmware Directions
The Fight for a Secure Linux BIOS… Past, Present and Future
https://www.linuxfestnorthwest.org/conferences/2019/schedule/events
https://www.linuxfestnorthwest.org/conferences/2019
mXtract: Linux-based tool that analyses and dumps memory
mXtract is an opensource linux based tool that analyses and dumps memory. Its developed as an offensive pentration testing tool which can be used to scan memory for private keys, ips, and passwords using regexes. Remember your results are only as good as your regexes.[…]
Comparing Linux distribution’s hardening schemes
How well does each Linux distro really do with security hardening? Here's a detailed data-driven analysis (across millions of binaries) by @theofilospe. Guess I need to upgrade my '90's Slackware install
https://t.co/LVMAZxVupp
— John Viega (@viega) February 28, 2019
In this post, we explore the adoption of Linux hardening schemes across five popular distributions by examining their out-of-the-box properties. For each distribution, we analyzed its default kernel configuration, downloaded all its packages, and analyzed the hardening schemes of their enclosed binaries. Our dataset includes the OpenSUSE 12.4, Debian 9, CentOS and RHEL 6.10 & 7 distributions, as well as the Ubuntu 14.04, 12.04, and 18.04 LTS distributions. Our findings confirm that even basic hardening schemes, such as stack canaries and position independent code, are not fully adopted. The situation is even worse when it comes to other compiler protections like stack clash hardening, which recently came into the spotlight due to last month’s systemd vulnerabilities. However, not all is hopeless.[…]
https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/
Fedora: Flicker Free Boot
Fedora 30 now contains all changes changes for a fully Flicker Free Boot. Last week a new version of plymouth landed which implements the new theme for this and also includes a much improved offline-updates experience, following this design. At boot the display will seamlessly transit from the firmware boot-splash into the new plymouth theme, which uses the firmware boot-splash as background[…]
How to Debug the Linux Kernel with QEMU and Libvirt
[…In this article, we explain how you can debug your Linux kernel and its modules during runtime. This article will be useful for Linux kernel developers who want to speed up the time to market of their software.[…]
Evolution of the x86 context switch in Linux
While researching archaic facts about the 80386 hardware context switch last weekend, I remembered that early versions of the Linux kernel relied on it. I was promptly sidetracked for hours reading code I hadn’t seen in years. This weekend, I’ve decided to write down the journey to consolidate all the nuggets of fun stuff I discovered along the way.
http://www.maizure.org/projects/evolution_x86_context_switch_linux/
Debian: call for testing: Secure Boot
OpenSource.com: Troubleshooting hardware problems in Linux
[…]The following tips should make it quicker and easier to troubleshoot hardware in Linux. Many different things can cause problems with Linux hardware; before you start trying to diagnose them, it’s smart to learn about the most common issues and where you’re most likely to find them.[…]
https://twitter.com/opensourceway/status/1079953868765704193
https://opensource.com/article/18/12/troubleshooting-hardware-problems-linux
build-anywhere: Create highly portable ELF binaries using the build-anywhere toolchain
This post describes the basic requirements for compiling highly portable ELF binaries. Essentially using a newer Linux distro like Ubuntu 18.10 to build complex projects that run on older distros like CentOS 6. The details are limited to C/C++ projects and to x86_64 architectures. The low-level solution is to use a C++ runtime that requires only glibc 2.13+ runtime linkage and link all third-party libraries as well as the compiler runtime and C++ implementation statically. Do not make a “fully static” binary. You will most likely find a glibc newer than 2.13 on every Linux distribution released since 2011. The high-level solution is to use the build-anywhere scripts to build a easy-to-use toolchain and set compiler flags.[…]
usb_uefi_shell: automatic creation of bootable USB-drive
GPU-pass-through-compatibility-check: Automatically set up a Linux system for PCI pass-through and check if it is compatible
This project consists of 3 parts.
1) A script (gpu-pt-check.sh) that automatically checks to what extend a computer is compatible with GPU pass-through in its given configuration.
2) A script (setup.sh) that automatically installs and configures your system for GPU pass-through (Only tested on fresh installs of Fedora 28 x64 with Gnome, booted in UEFI mode!)
3) Instructions on how to create a bootable Linux USB stick that automatically runs the gpu-pt-check.sh script when you boot from it without any user interaction required.
https://github.com/T-vK/GPU-pass-through-compatibility-check
ALT Linux adds packages for UEFI keys and certs
https://github.com/alt-packages/alt-uefi-keys
https://github.com/alt-packages/alt-uefi-certs
https://en.altlinux.org/Main_Page
https://www.altlinux.org/UEFI
This package contains ALT Linux UEFI SB CA certificate corresponding to the private key that is now used to sign ALT Linux UEFI bootloaders to cope with UEFI SecureBoot regime (aka “Restricted Boot”). This can be enrolled by the user so that ALT shim and subsequent bootloaders are accepted by firmware without Microsoft’s certificates.
PS: ALT Linux Rescue includes an EFI System Partition (ESP) with a few tools, and a boot option to go into UEFI or Linux.
EFI-roller: EFI signing utility, Linux bash script
efi-roller is a simple script to help sign EFI images. It creates the needed keys and helps you keep track of what to sign.
https://github.com/Foxboron/efi-roller
LinuxFlaw: collection of hundreds of Linux vulnerabilities
https://github.com/VulnReproduction/LinuxFlaw
https://www.usenix.org/conference/usenixsecurity18/presentation/mu
As the above Twitter thread shows, see-also:
CVE-2017-1000112: Linux Kernel Runtime Guard (LKRG) bypass
https://www.openwall.com/lists/lkrg-users/2018/11/16/2
This is a proof-of-concept local root exploit for the vulnerability in the UFO Linux kernel implementation CVE-2017-1000112.
https://www.openwall.com/lists/oss-security/2017/08/13/1
https://github.com/milabs/kernel-exploits/tree/master/CVE-2017-1000112
Firmware Security 
You must be logged in to post a comment.