Matthew Garrett leaves CoreOS, joins Google

Matthew Garrett is leaving CoreOS and has gone to Google!




Linux Kernel lockdown

David Howells of Red Hat submitted a 16-part patch to the Linux-(Security,EFI,Kernel) mailing lists, with an interesting security patch for the Linux kenel. The patch includes contributions from: David Howells, Josh Boyer, Kyle McMartin, Matthew Garrett, and Dave Young. Quoting the patch announcement:

These patches provide a facility by which a variety of avenues by which userspace can feasibly modify the running kernel image can be locked down. These include:

* No unsigned modules and no modules for which can’t validate the signature.
* No use of ioperm(), iopl() and no writing to /dev/port.
* No writing to /dev/mem or /dev/kmem.
* No hibernation.
* Restrict PCI BAR access.
* Restrict MSR access.
* No kexec_load().
* Certain ACPI restrictions.
* Restrict debugfs interface to ASUS WMI.

The lock-down can be configured to be triggered by the EFI secure boot status, provided the shim isn’t insecure.  The lock-down can be lifted by typing SysRq+x on a keyboard attached to the system. They are dependent for some EFI definitions on the keys-uefi branch.

Copy secure_boot flag in boot params across kexec reboot
Add the ability to lock down access to the running kernel image
efi: Get the secure boot status
efi: Lock down the kernel if booted in secure boot mode
efi: Disable secure boot if shim is in insecure mode
efi: Add EFI_SECURE_BOOT bit
hibernate: Disable when the kernel is locked down
acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
Add a sysrq option to exit secure boot mode
kexec: Disable at runtime if the kernel is locked down
PCI: Lock down BAR access when the kernel is locked down
x86: Lock down IO port access when the kernel is locked down
ACPI: Limit access to custom_method when the kernel is locked down
asus-wmi: Restrict debugfs interface when the kernel is locked down
Restrict /dev/mem and /dev/kmem when the kernel is locked down
x86: Restrict MSR access when the kernel is locked down

More information:


Matthew and James on IoT security

Matthew Garret and James Bottomley have two blog posts out on IoT security.

I have nearly given up on IoT security, there is so much new IoT vulnerabilities in the news each day. 😦


Home Automation: Coping with Insecurity in the IoT


Matthew Garrett on Linux boot security

Amber Ankerholz wrote an article for Linux.com on the Linux boot-time security presentation that Matthew Garrett recently gave at the Linux Security Summit. In addition to the article, the video of the presentation is also available.




Purism announces advisory board

Purism announces advisory board, and one of the members is Linux firmware security expert Matthew Garrett, which is good news:





Help fund Matthew’s Patreon IoT reviews

I just learned about patreon.com. Matthew Garrret is listed on Patreon, hoping for donations to help review IoT devices. Please help fund Matthew, if you have the ability. Thanks!


Why Matthew is on Patreon
There’s a growing number of Internet of Things devices on the market, from smart lightbulbs through smart coffee makers to smart air fresheners. You plug them all into your network and you communicate with them via your phone. At first glance they may seem like unnecessary toys, but there are many real ways they can improve lives. Smart switches can be an important assistive technology. Internet connected cameras can help people’s sense of security. Heart monitors can aid the design of an appropriate fitness regime. But how secure are they? When you plug in that smart switch, are you actually allowing attackers to gain access to your home network? Is your baby monitor happily streaming the interior of your house to anyone who asks it to? Are your lightbulbs secretly intercepting your website login details? Are your health details accessible to the entire internet? I’m a full time security developer with an extensive experience of embedded hardware and reverse engineering, and I’ve been using that to review devices. The results so far have not been positive – most devices I’ve investigated have been horribly insecure, and in one case my review caused the seller to pull the product. I’d love to carry on making reviews and helping customers make informed choices about whether they’re taking a risk by plugging in one of these smart devices, but these aren’t cheap. This is where you come in. Making a small donation means that I can keep buying devices and reviewing them. You won’t get anything special in return other than a link to the review – security information shouldn’t be restricted to people who pay for it. But it will make it easier for people to know whether there are obvious and terrible security issues with a product, and that’s good for everyone.