Uncategorized

UEFI-SecureBoot-SignTool

Aneesh Neelam has written UEFI-SecureBoot-SignTool, a script to sign external Linux kernel modules for UEFI Secure Boot.


UEFI Secure Boot sign tool

The default signed Linux kernel on Ubuntu (>=16.04.x), Fedora (>=18) and perhaps on other distributions as well, won’t load unsigned external kernel modules if Secure Boot is enabled on UEFI systems. Hence, any external kernel modules like the proprietary Nvidia kernel driver, Oracle VM VirtualBox’s host/guest kernel driver etc. won’t work. External kernel modules must be signed for UEFI Secure Boot using a Machine Owner Key (MOK). You can use the UEFI Secure Boot Sign Tool to sign kernel modules. This is useful if you can’t or don’t wish to disable Secure Boot on your UEFI-enabled system.[…]

https://github.com/aneesh-neelam/UEFI-SecureBoot-SignTool

 

 

Standard
Uncategorized

Secure Boot BOF at DebConf17

Helen Koike of Collabora has proposed a BOF on UEFI Secure Boot at DebConf17, this August:

DebConf17 – BoF proposal to discuss secure boot
I want to send a BoF proposal to DebConf17 so we can meet there and discuss about secure boot. I would like to know if you are interested in attending and also which topics you suggest for discussion. I would appreciate if you could put your name and suggestions in this form in case you are interested https://goo.gl/forms/lHoEibY1H6FmSHSJ2 , or just reply to this email thread.

For full message, see the debian-efi mailing list archives.

https://lists.debian.org/debian-efi/2017/05/threads.html

https://docs.google.com/forms/d/e/1FAIpQLSdtHYNy9212iXP26tkjbb6XvgVSMjJzn2DYoAilFT1l89vemw/viewform?c=0&w=1

https://debconf17.debconf.org/

 

 

Standard
Uncategorized

Secure Boot for VMWare

Secure Boot for ESXi 6.5 – Hypervisor Assurance
Mike Foley
I’ve talked about how vSphere has been moving towards a “secure by default” stance over the past few years. This can clearly be seen in the new vSphere 6.5 Security Configuration Guide where the number of  “hardening” steps are growing smaller with every release. In this blog post we will go over another “secure by default” feature of vSphere 6.5 that provides hypervisor assurance, Secure Boot for ESXi. One of the coolest things in 6.5,  in my opinion, is the adoption of Secure Boot for ESXi. Now, you might say “But my laptop has had Secure Boot  since Windows 8, what’s the big deal?” Well, the “big deal” is that we’ve gone beyond the default behavior of Secure Boot and we now leverage the capabilities of the UEFI firmware to ensure that ESXi not only boots with a signed bootloader validated by the host firmware but that it also ensures that unsigned code won’t run on the hypervisor. Best of all, it’s simple to implement! Let’s dive in![…]

https://blogs.vmware.com/vsphere/2017/05/secure-boot-esxi-6-5-hypervisor-assurance.html

 

Standard
Uncategorized

more on Intel AMT story

Time for IBVs and OEMs to start issuing Intel AMT reports, not just from Intel. Lenovo has one:

https://support.lenovo.com/us/en/product_security/len-14963

https://downloadcenter.intel.com/download/26754/INTEL-SA-00075-Mitigation-Guide

(I hope no FUD is coming from this blog. However, I can see why people would merge two background technologies they have no control over. For example:

https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/

Standard
Uncategorized

Debian 9 defers UEFI Secure Boot support

From the latest “Bits from the Release Team” message, it appears that Debian 9 will probably defer Secure Boot support to later.

Secure Boot
At a recent team meeting, we decided that support for Secure Boot in the forthcoming Debian 9 “stretch” would no longer be a blocker to release. The likely, although not certain outcome is that stretch will not have Secure Boot support. We appreciate that this will be a disappointment to many users and developers. However, we need to balance that with the limited time available for the volunteer teams working on this feature, and the risk of bugs being introduced through rushed development. It’s possible that Secure Boot support could be introduced at some point in stretch’s lifetime.

Full message:
https://lists.debian.org/debian-devel-announce/2017/04/msg00013.html
https://wiki.debian.org/SecureBoot
https://wiki.debian.org/UEFI

Standard
Uncategorized

Debian signed Shim

Secure Boot chain-loading bootloader (Microsoft-signed binary)

This package provides a minimalist boot loader which allows verifying signatures of other UEFI binaries against either the Secure Boot DB/DBX or against a built-in signature database. Its purpose is to allow a small, infrequently-changing binary to be signed by the UEFI CA, while allowing an OS distributor to revision their main bootloader independently of the CA. This package contains the version of the bootloader binary signed by the Microsoft UEFI CA.

https://packages.debian.org/sid/main/shim-signed

https://wiki.debian.org/SecureBoot

Standard
Uncategorized

Linux Foundation workstation security ebook

[…]Now, before you even start with your operating system installation, there are a few things you should consider to ensure your pre-boot environment is up to snuff. You will want to make sure:
* UEFI boot mode is used (not legacy BIOS) (ESSENTIAL)
* A password is required to enter UEFI configuration (ESSENTIAL)
* SecureBoot is enabled (ESSENTIAL)
* A UEFI-level password is required to boot the system (NICE-to-HAVE)

https://www.linux.com/news/linux-workstation-security/2017/3/4-security-steps-take-you-install-linux

http://go.linuxfoundation.org/workstation_security_ebook

Sounds interesting, but I don’t see any actual download link for this ebook. I guess I need some sleep.

There is also this: https://firmwaresecurity.com/2015/08/31/linux-foundation-it-security-policies-firmware-guidance/

 

Standard