I want full control over what boots the computer to avoid the so-called evil maid attack. That requires setting up SecureBoot with only my own keys. SecureBoot protects the computer from tampering with the installed OS and boot files while it's left powered off outside our view. It's not a substitute for disk encryption though; it's an addition to it.[…]
Linux subsystem for managing device events
Create a script that triggers your computer to do a specific action when a specific device is plugged in.
13 Nov 2018
Seth Kenlon (Red Hat)
Udev is the Linux subsystem that supplies your computer with device events. In plain English, that means it's the code that detects when you have things plugged into your computer, like a network card, external hard drives (including USB thumb drives), mice, keyboards, joysticks and gamepads, DVD-ROM drives, and so on. That makes it a potentially useful utility, and it's well enough exposed that a standard user can manually script it to do things like performing certain tasks when a certain hard drive is plugged in. This article teaches you how to create a udev script triggered by some udev event, such as plugging in a specific thumb drive. Once you understand the process for working with udev, you can use it to do all manner of things, like loading a specific driver when a gamepad is attached, or performing an automatic backup when you attach your backup drive.[…]
UEFI-Boot is a simple project focused on loading the Linux kernel directly from UEFI firmware without the need for any bootloader.
Videos of the Linux Security Summit EU 2018 are now online:
This project provides all you need to create an unattended installation of a minimal setup of Linux, where minimal means the most lightweight setup (including an OpenSSH service and Python) that you can derive from the standard installer of a Linux distribution. The idea is that you will do all further deployment of your configurations and services with the help of Ansible or similar tools once you have completed the minimal setup. Use the build-iso.sh script to create an ISO file based on the netsetup image of Ubuntu. Use the build-disk.sh script to create a cloneable preinstalled disk image based on the output of build-iso.sh. […]UEFI and BIOS mode supported.[…]
The Linux kernel, as used in Ubuntu 18.10 and when booted with UEFI Secure Boot enabled, allows privileged local users to bypass intended Secure Boot restrictions and execute untrusted code by loading arbitrary kernel modules. This occurs because a modified kernel/module.c, in conjunction with certain configuration options, leads to mishandling of the result of signature verification.[…]
Description Last Modified: 10/25/2018
[…]This flaw is introduced by certain configuration options in combination with this out-of-tree patch from the Lockdown patchset[…]
Current Exploit Price (≈) $5k-$25k
by Sami Tolvanen, Staff Software Engineer, Android Security
Android’s security model is enforced by the Linux kernel, which makes it a tempting target for attackers. We have put a lot of effort into hardening the kernel in previous Android releases and in Android 9, we continued this work by focusing on compiler-based security mitigations against code reuse attacks. Google’s Pixel 3 will be the first Android device to ship with LLVM’s forward-edge Control Flow Integrity (CFI) enforcement in the kernel, and we have made CFI support available in Android kernel versions 4.9 and 4.14. This post describes how kernel CFI works and provides solutions to the most common issues developers might run into when enabling the feature.[…]
* UEFI 2.x support for PCs, and it also works on Macs with 64-bit EFI (e.g. MacBook Pro Late 2013)
* Loads and executes kernels compiled as native 64-bit UEFI applications (like the Linux kernel)
* Passes user-written commands (from a plain UTF16 text file) to loaded EFI applications
* Allows arbitrary placement of itself in addition to kernel images on the EFI system partition
* Fits on a floppy diskette, and some systems can actually boot it from a floppy
* Minimal UEFI development environment tuned for Windows, Mac, and Linux included in repository (1)
As the tweet mentions, there is a disparity for OS-level access to UEFI runtime services.
Welcome to salt, a tool to reverse and learn kernel heap memory management. It can be useful to develop an exploit, to debug your own kernel code, and, more importantly, to play with the kernel heap allocations and learn its inner workings.
This tool helps trace allocations and the current state of the SLUB allocator in modern Linux kernels.
It is written as a gdb plugin, and it allows you to trace and record memory allocations and to filter them by process name or by cache. The tool can also dump the list of active caches and print relevant information.
This repository also includes a playground loadable kernel module that can trigger allocations and deallocations at will, to serve both as a debugging tool and as a learning tool to better understand how the allocator works.
Today we’d like to announce the Qubes U2F Proxy. It is a secure proxy intended to make use of U2F two-factor authentication devices with web browsers without exposing the browser to the full USB stack, not unlike the USB keyboard and mouse proxies we’ve already implemented in Qubes.[…]
This script provides commands to sign a designated list of kernel modules and load them via modprobe into the Linux kernel. It was built specifically to address the issue of having to re-sign and reload kernel modules after upgrading the Linux kernel, so they are not rejected by UEFI Secure Boot (e.g. VirtualBox kernel modules). As an example, this script defaults to loading the VirtualBox kernel modules and will look for the private key and X.509 certificate in a specific directory. Please change these values inside the script as needed.[…]