new Linux/Android kernel vulnerability

Linux Kernel Vulnerability: US-CERT is aware of a Linux kernel vulnerability affecting Linux PCs and servers and Android-based devices. Exploitation of this vulnerability may allow an attacker to take control of an affected system. US-CERT recommends that users and administrators review the Red Hat Security Blog and the Debian Security Bug Tracker for additional details and refer to their Linux or Unix-based OS vendors for appropriate patches.

https://www.us-cert.gov/ncas/current-activity/2016/01/19/Linux-Kernel-Vulnerability

https://access.redhat.com/security/cve/CVE-2016-0728

https://security-tracker.debian.org/tracker/CVE-2016-0728

User Mode Linux: security improvements

Nice to see UML getting more security!

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4f31d774dd5239e563f22ffe1403292414e6f779

http://user-mode-linux.sourceforge.net/

https://git.kernel.org/cgit/linux/kernel/git/rw/uml.git/log/?h=linux-next

Ubuntu to opt-out of fwupd?

Not only do you have to study your Linux distribution to see if/how it uses Secure Boot, you also need to research if/how it gets firmware updates.

http://www.linux.com/news/software/applications/877661-ubuntu-1604-lts-might-get-the-option-of-updating-firmware-directly-from-the-os/

https://blueprints.launchpad.net/ubuntu/+spec/foundations-w-uefi-capsule-update

“Ubuntu should support updating firmware for systems and components (but not peripherals) via EFI UpdateCapsule (see EFI Capsule specification, in Related Links), so that users do not require Windows or DOS to apply BIOS/component firmware updates, and as such updates are easily available to all Ubuntu users. Peripheral firmware updates are not technically supported by the UEFI Capsule specification, and so are out of the scope of this blueprint.”

http://www.fwupd.org/

I also wonder about non-GNOME systems: how do KDE systems get firmware updates?

Matthew on x86 boot security

Apple has a lot of work to do, but they just hired LegbaCore, so they should be able to improve.

Linux has a lot of work to do, to catch up to Windows. Luckily there are people like Matthew working on it.

OEMs and Intel have a lot of work to do: they should be working to build the Stateless Laptop that ITL has proposed.

http://mjg59.dreamwidth.org/39339.html

Guido Stepken on Linux UEFI TPM 2.0 backdoors

https://twitter.com/SecNewsBot/status/677681956176404480

Guido Stepken has a Google+ post from September (which I didn’t notice back then), and the SecNewsBot on Twitter just posted this like it is news. Well, it is news to me. 😦

Linux UEFI TPM 2.0 security impacts:
The “security chain” begins with one or more TPM 2.0 “Endorsement Keys” (EK), that are stored on the motherboard and that cannot be overwritten without “allowance” by either the owner (hardware manufacturer) or somebody, that is “higher” in key hierarchy, such as Microsoft or U.S. government authorities. Key Exchange Keys (KEK) establish a trust relationship between the operating system and the platform firmware. Each operating system (and potentially each 3rd party application, that needs to communicate with platform firmware) enrolls a public key (KEKpub) into the platform firmware. When your hardware comes “Windows Certified”, the “Endorsement Key” already is initialized, is signed by Microsoft and U.S. authorities. “Windows certified” here automatically means “NSA backdoor” included and activated in all encryption modules. Hardware encryption on newer INTEL Xeon machines, at boot, loads those key rings from UEFI tables into processor buffer. From then on, the CPU hardware encrypts everything with Microsoft and U.S. authorities keys being enclosed in the key ring, independent of used operating system! […]

Full article:

https://plus.google.com/+GuidoStepken/posts/XZsgDcuairt

Dell joins Linux Vendor Firmware Service

Richard Hughes has a new blog post on Dell joining Linux Vendor Firmware Service (LVFS).

The Linux Vendor Firmware Service Welcomes Dell

Dell has a poll about the service, asking its users which models to target next, which Linux distros they use, etc. If you have a Dell system, please be sure to check out the survey.

https://docs.google.com/forms/d/1Hkh13Xh14yUxUciEFqqYiOfPfzR4y5F1xLFgTbs_FU4/viewform?c=0&w=1

http://www.fwupd.org/

So, I guess I need to check fwupd.org before buying a new Linux system, to see if the vendor supports firmware updates or not. Hmm, I wish fwupd.org had a list of supported OEMs/IHVs: if it does, I missed it; I’ll just have to watch Richard’s blog for new OEM announcements, I guess.

new Linux-IMA patchset closes multiple measurement/appraisal gaps

Mimi Zohar and Dmitry Kasatkin have created a new patchset for Linux IMA which:

“closes a number of measurement/appraisal gaps by defining a generic function named ima_read_and_process_file() for measuring and appraising files read by the kernel (eg. kexec image and initramfs, firmware, IMA policy). To differentiate between callers of ima_read_and_process_file() in the IMA policy, a new enumeration is defined named ima_read_hooks, which initially includes KEXEC_CHECK, INITRAMFS_CHECK, FIRMWARE_CHECK, and POLICY_CHECK.

separate ‘security.ima’ reading functionality from collect
load policy using path
update appraise flags after policy update completes
measure and appraise kexec image and initramfs
measure and appraise firmware (improvement)
measure and appraise the IMA policy itself
require signed IMA policy

 Documentation/ABI/testing/ima_policy      |  2 +-
 drivers/base/firmware_class.c             | 15 +++--
 include/linux/ima.h                       | 12 +++++
 kernel/kexec_file.c                       | 28 +++++++-----
 security/integrity/digsig.c               |  2 +-
 security/integrity/iint.c                 | 24 +++++++---
 security/integrity/ima/ima.h              | 24 +++-----
 security/integrity/ima/ima_api.c          | 51 +++++++++++++------
 security/integrity/ima/ima_appraise.c     | 40 +++++++++++------
 security/integrity/ima/ima_crypto.c       | 56 ++++++++++++++++--------
 security/integrity/ima/ima_fs.c           | 45 ++++++++++++++++++-
 security/integrity/ima/ima_init.c         |  2 +-
 security/integrity/ima/ima_main.c         | 55 ++++++++++++++++++-----
 security/integrity/ima/ima_policy.c       | 73 ++++++++++++++++++++++++-------
 security/integrity/ima/ima_template.c     |  2 --
 security/integrity/ima/ima_template_lib.c |  3 +-
 security/integrity/integrity.h            | 14 +++---
 17 files changed, 329 insertions(+), 119 deletions(-)

More information:
https://lists.sourceforge.net/lists/listinfo/linux-ima-devel

goofibootm

[UPDATE: See the comment (left) from Solus developer Ikey for more info.]

Softpedia notes that there is a Linux distribution called Solus, and its latest release supports UEFI, with Solus working on a gummiboot fork (of sorts), called goofibootm:

“As a heads up, we’ve forked gummiboot, the UEFI boot loader for Linux. It should be noted that gummiboot itself is dead upstream, and was ‘merged’ into the systemd tree as systemd-boot. Currently Solus uses gummiboot for UEFI everywhere, and as we need certain behaviours that systemd-boot will not be providing, and we’ve been told categorically it’s not a successor, we’re providing our own successor,” Ikey Doherty said on Google+.

http://news.softpedia.com/news/solus-is-getting-its-own-uefi-boot-loader-forked-from-gummiboot-496716.shtml

From the Solus Beta2 release notes:

“Solus will co-exist with other operating systems using UEFI, and will not add the boot loader to the firmware.”

I had not heard of Solus before reading this news. Apparently, Solus is designed and optimized for the desktop, and they may prefer speed over security. From the Solus web site:

We spend a lot of time optimising Solus to run better, faster, and more efficiently, on the hardware available to our users. Quite famously, we had an Intel NUC booting in 1.089s, using only 178MB of RAM idle on boot. We spend time working heavily on the toolchain, validating binary performance to ensure that you get the best possible experience for the desktop. We spend a significant amount of time on our kernel too […] we’re also going to do hardware-specific builds of Solus in the future. This means we’ll be offering builds of Solus, as an example, that would run exclusively on the Broadwell architecture, or Haswell, etc. These will be immensely optimised, building on all the work we already do, ensuring you’ll be using hardware specific builds of Solus, squeezing every last bit of juice out of that computer of yours (or: getting what you paid for). The upcoming v1 stable release on October 1st will feature a “fast-boot” option in the installer, which will involve the removal of the initrd. This will take the previous record of 1.089s cold boot time, and completely demolish it with a subsecond boot time, which we will make prominently public.

https://solus-project.com/2015/05/17/solus-operating-system-beta-2/

Welcome to Solus Project

It will be interesting to see if goofibootm will become useful to other distros besides Solus. I haven’t checked to see if they have the tummiboot fork or not (which has Intel TXT support). Sigh, too many boot loaders for Linux with different separate security features…

Linux and Secure Boot HOW-TO

Greig Paul has an article in Linux Journal, a new Security HOW-TO on UEFI Secure Boot.

Take Control of Your PC with UEFI Secure Boot

[..] This article focuses on a single useful but typically overlooked feature of UEFI: secure boot. Often maligned, you’ve probably encountered UEFI secure boot only when you disabled it during initial setup of your computer. Indeed, the introduction of secure boot was mired with controversy over Microsoft being in charge of signing third-party operating system code that would boot under a secure boot environment. In this article, we explore the basics of secure boot and how to take control of it. We describe how to install your own keys and sign your own binaries with those keys. We also show how you can build a single standalone GRUB EFI binary, which will protect your system from tampering, such as cold-boot attacks. Finally, we show how full disk encryption can be used to protect the entire hard disk, including the kernel image (which ordinarily needs to be stored unencrypted). […]

Full article:

http://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot
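The excerpt above describes installing your own Secure Boot keys and signing your own binaries. Here is an added example of that sequence (not the article's own code): it generates a PK, KEK and db key pair with openssl, then prints the efitools (cert-to-efi-sig-list, sign-efi-sig-list, efi-updatevar) and sbsigntools (sbsign, sbverify) commands that wrap, enrol and sign with them. The key names, the "Example Secure Boot" CN and the grubx64.efi file name are this example's assumptions; only the openssl steps actually execute here, because enrolment needs the firmware in Setup Mode and root.

```shell
#!/bin/sh
# Added example, not from the Linux Journal article: take control of Secure
# Boot by creating your own PK/KEK/db keys and signing your own boot loader.
# Names (PK, KEK, db, grubx64.efi) and the CN string are assumptions.

WORKDIR=$(mktemp -d)

# Create a self-signed X.509 key pair $1 (files $1.key / $1.crt) with CN $2.
# -nodes leaves the private key unencrypted; PK.key and KEK.key should be
# generated and kept on an offline machine, since they control enforcement.
make_key_pair() {
    openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -subj "/CN=$2/" -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" \
        >/dev/null 2>&1
}

# Print the subject of a generated certificate so the key set can be checked.
cert_subject() {
    openssl x509 -noout -subject -in "$WORKDIR/$1.crt"
}

# Commands that wrap certificate $1 into an EFI signature list and sign the
# list with key $2, one level up the hierarchy: PK signs itself, PK signs
# KEK, KEK signs db. The uuidgen call is the owner GUID for the list entry.
sign_var_cmds() {
    cat <<EOF
cert-to-efi-sig-list -g "\$(uuidgen)" $1.crt $1.esl
sign-efi-sig-list -k $2.key -c $2.crt $1 $1.esl $1.auth
EOF
}

# The whole enrolment and signing plan as a script for the target machine.
enrol_and_sign_plan() {
    cat <<EOF
# 1. Build the signed variable payloads (PK self-signed; KEK by PK; db by KEK)
$(sign_var_cmds PK PK)
$(sign_var_cmds KEK PK)
$(sign_var_cmds db KEK)
# 2. With the firmware in Setup Mode (no PK present), enrol db, KEK, then PK;
#    writing PK last leaves Setup Mode and switches enforcement on.
efi-updatevar -f db.auth db
efi-updatevar -f KEK.auth KEK
efi-updatevar -f PK.auth PK
# 3. Sign the standalone GRUB image with the db key and verify the signature.
sbsign --key db.key --cert db.crt --output grubx64.efi.signed grubx64.efi
sbverify --cert db.crt grubx64.efi.signed
EOF
}

for name in PK KEK db; do
    make_key_pair "$name" "Example Secure Boot $name"
done
for name in PK KEK db; do cert_subject "$name"; done
enrol_and_sign_plan
```

Once PK is written the firmware only runs binaries whose signature chains to db, so every kernel, GRUB build and shim you boot afterwards has to be re-signed with db.key; that is the practical cost the article trades for tamper protection.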

Linux’s auditd

Heyward Fann has a tweet pointing out a blog post by Vivek Gite showing how to use Linux’s audit feature:

https://twitter.com/fannheyward/status/664009857998200833

The article is from 2007 so “modern” Linux is defined as 2.6.x, but I think the advice is still useful with current Linux…

[…] Modern Linux kernel (2.6.x) comes with auditd daemon. It’s responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open the /etc/audit.rules file and make changes such as setting the audit log file location and other options. The default file is good enough to get started with auditd. In order to use the audit facility you need to use the following utilities
=> auditctl – a command to assist controlling the kernel’s audit system. You can get status, and add or delete rules into the kernel audit system. Setting a watch on a file is accomplished using this command:
=> ausearch – a command that can query the audit daemon logs for events based on different search criteria.
=> aureport – a tool that produces summary reports of the audit system logs.

[…]

http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
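The excerpt lists the three tools but not what the records they produce look like. Below is an added example (not from the cyberciti.biz post) that builds a file-watch rule in auditctl/audit.rules syntax and then answers the post's question, "who changed this file?", against a constructed audit.log sample. The sample records, the key names and the /etc/passwd watch are this example's assumptions; the point it shows is that attribution should read the login uid (auid), not uid, because a user who ran the edit through sudo shows up as uid=0.

```shell
#!/bin/sh
# Added example, not from the cyberciti.biz article. The constructed log
# below stands in for /var/log/audit/audit.log so the parsing runs offline.
#
# On a real host the equivalent steps are (root, auditd installed):
#   auditctl -w /etc/passwd -p wa -k passwd_changes   # watch writes/attr changes
#   ausearch -k passwd_changes                        # list matching events
#   aureport -f                                       # summary of file events
# Add the same "-w ... -k ..." line to /etc/audit.rules to make it persistent.

# Build a file-watch rule line in auditctl / audit.rules syntax.
# $1 = path to watch, $2 = key that tags the events for later searching.
watch_rule() {
    printf '%s\n' "-w $1 -p wa -k $2"
}

# Write a constructed sample of raw audit records and print its path.
# Record 41: user 1000 edited /etc/passwd via sudo, so uid=0 but auid=1000.
# Record 42: user 1001 read a file under a different watch key.
# PATH records name the file but carry no user fields at all.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=SYSCALL msg=audit(1447200000.101:41): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0 a1=241 a2=1b6 a3=0 items=2 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=PATH msg=audit(1447200000.101:41): item=1 name="/etc/passwd" inode=131 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1447200000.205:42): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=0 a2=0 a3=0 items=1 ppid=2200 pid=2201 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key="shadow_reads"
type=PATH msg=audit(1447200000.205:42): item=0 name="/etc/shadow" inode=132 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
EOF
    echo "$f"
}

# Print the login uids (auid) behind every SYSCALL record tagged with key $1
# in log $2. auid survives su/sudo, so a "sudo vi /etc/passwd" is attributed
# to the person who logged in rather than to root.
who_touched() {
    grep 'type=SYSCALL' "$2" \
      | grep "key=\"$1\"" \
      | sed -n 's/.* auid=\([0-9]*\) .*/\1/p' \
      | sort -u
}

# Event count per key, roughly what "aureport -k" summarises.
events_per_key() {
    sed -n 's/.* key="\([^"]*\)".*/\1/p' "$1" | sort | uniq -c | sort -rn
}

log=$(make_sample_log)
echo "rule to load:        $(watch_rule /etc/passwd passwd_changes)"
echo "auid(s) that edited: $(who_touched passwd_changes "$log")"
echo "events per key:"
events_per_key "$log"
rm -f "$log"
```

On a live system `ausearch -k passwd_changes -i` does the same lookup with uids resolved to names; the sed filter here is only to make the auid-versus-uid distinction visible without auditd running.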

ELC15 post-conference materials available

There are multiple interesting presentations, mostly at the hardware and OS-level, but some at boot-loader level.

http://events.linuxfoundation.org/events/embedded-linux-conference-europe/program/slides

http://www.elinux.org/ELCE_2015_Presentations

Sigh, WordPress renders a YouTube playlist of N videos by showing only the first one. The URL is split into two lines below, or click on this: URL.

https://www.youtube.com/
playlist?list=PLGeM09tlguZTP9-9nMQNGiT_2PPFay0Cs

GRUB with Trusted Boot for TPM v1 or v2

This from September, I only just noticed it. 😦

Matthew Garrett has updated the GRUB bootloader with support for Trusted Boot, on TPM v1 or v2 systems!

In a follow-up to the above tweet, Matthew also states:

“I need to add equivalent code to Shim now lucky me”


https://github.com/mjg59/grub


So I need to check if that happened, and if Debian and other distros are using this version of GRUB and Shim…

I wish somebody — Wikipedia, the Linux Foundation, the Linux kernel security wiki, the UEFI Forum, etc. — were tracking the various hardware/firmware security features of various vendors, and what system components (GRUB and shim in this case) had support for the various technologies, with a table of red/green boxes. Then we could more easily see things like tboot only supporting BIOS and not UEFI, etc.

The Linux kernel’s self-protection project

Drew Fustini points out a Linux security project I’ve never heard of:

This project starts with the premise that kernel bugs have a very long lifetime, and that the kernel must be designed in ways to protect against these flaws. We must think of security beyond fixing bugs. As a community, we already find and fix individual bugs via static checkers (compiler flags, smatch, coccinelle, coverity) and dynamic checkers (kernel configs, trinity, KASan). Those efforts are important and on-going, but if we want to protect our billion Android phones, our cars, the International Space Station, and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to fail safely, instead of just running safely. These kinds of protections have existed for years in PaX, grsecurity, and piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.


http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Olimex ARM64 OSH laptop update

Olimex is working on an Open Source Hardware AArch64 laptop, based on their Open Source Hardware AArch64 dev board. They have an update on the system, including some prototype pictures:

“needless to mention this window button will become Tux. :-)”

A64-OLinuXino OSHW 64-bit ARM DIY Laptop idea update

I wonder what firmware they’ll use, and if the user will be able to update it themselves, from source…

Matthew on kernel security

Matthew Garrett has a new blog post, on the topic of the need to improve Linux kernel security. Excerpt:

[…]
The model up until now has largely been “Fix security bugs as we find them”, an approach that fails on two levels:

1) Once we find them and fix them, there’s still a window between the fixed version being available and it actually being deployed
2) The forces of good may not be the first ones to find them

This reactive approach is fine for a world where it’s possible to push out software updates without having to perform extensive testing first, a world where the only people hunting for interesting kernel vulnerabilities are nice people. This isn’t that world, and this approach isn’t fine.
[…]

Full article:
http://mjg59.dreamwidth.org/38158.html

MJG on Secure Boot, Intel TXT, Linux, and security

A short security lesson from Matthew (click on Twitter link for follow-up post):

[BTW, sorry, WordPress doesn’t seem to render Twitter’s HTML table when scrolling through the site. If you ever see multiple blank lines in a post it is probably a Twitter URL that WordPress didn’t render; refresh to fix. You have to refresh on new pages, often, or view the post on a separate page (which generates a refresh). I post messages while online and finding news, but don’t spend a huge amount of extra time formatting the posting, simple ASCII text plus a few URLs. The interactive WordPress HTML UI to add a hyperlink triples the time to post each message, and WordPress won’t accept HTML <A> links. WordPress renders some URLs differently, like showing the image of a JPEG/PNG/etc., and showing the YouTube video link and hiding the rest of a web page which contains a YouTube URL — like Kickstarter funding pages.]

LinuxCon Europe UEFI Mini-Summit presentations available

Earlier this month, the UEFI Forum held a “Mini-Summit” at LinuxCon Europe. The presentations are now available online (so far just the slides; unclear if A/V will show up on YouTube later):

UEFI Mini-Summit at LinuxCon Europe: October 7, 2015

* UEFI Forum Update and Open Source Community Benefits – Mark Doran (Intel)
* What Linux Developers Need to Know About Recent UEFI Spec Advances – Jeff Bobzin (Insyde Software)
* LUV Shack: An Automated Linux Kernel and UEFI Firmware Testing Infrastructure – Matt Fleming (Intel)
* Goodbye PXE, Hello HTTP Boot – Dong Wei (HP)
* UEFI Development in an Open Source Ecosystem – Michael Krau (Intel)

More information (about halfway down the page, past the Youtube section):

http://www.uefi.org/learning_center/presentationsandvideos