
Suggestions and thank you!

Open as400l opened this issue 2 years ago • 5 comments

Hi Maximbaz,

Above all I would like to thank you for this great tool!

I have some suggestions if you would like to make this project more popular. I was thinking about why people don't use secure boot while it's available in every machine sold nowadays. And came to the conclusion that most people are just afraid when they hear "private keys", "public keys" or encryption in general :) But your tool is good enough to remove thinking about those "scary" things from people's minds. So my proposals are:

  1. Improve documentation. It just does not provide enough information on how this tool works. While at the same time you wrote a great post with all of the details. So please attach this information to the readme --> https://github.com/Antynea/grub-btrfs/issues/92#issuecomment-705640920

  2. Not everybody uses snapper. Personally I have very bad experience with it. So make the tool conditional - with or without snapper.

And getting to the problem that I have personally. I know you might have no idea why it is happening to me but, hey - it's worth asking. When I enter my Lenovo IdeaPad UEFI I just don't see any other entries except for linux-secure-boot. And I have no way to choose anything else, while at the same time all the images on /efi are created and in place:

    root@i5 ~# ll /efi/EFI/arch/
    total 107M
    -rwxr-xr-x 1 root root 1008K Jul 30 19:50 secure-boot-linux-efi-shell.efi
    -rwxr-xr-x 1 root root   39M Jul 30 19:50 secure-boot-linux-recovery-lts.efi
    -rwxr-xr-x 1 root root   44M Jul 30 19:50 secure-boot-linux-recovery.efi
    -rwxr-xr-x 1 root root   23M Jul 30 19:50 secure-boot-linux.efi

Big thanks for your work once again! Any ideas?

as400l avatar Jul 30 '21 19:07 as400l

Thanks for the kind words @as400l 🙂

  1. Definitely a good point about documentation!
  2. Makes sense. So far I tried to keep the code as small as possible, as one of my goals in switching from grub/systemd-boot/sbupdate/etc was to have just as little code as possible - less code, fewer bugs, fewer security issues 😄 But you have a good point too, a too opinionated tool would slow the spread of good habits to more people. In the meantime, in your particular case I suppose you can just drop the zzz-arch-secure-boot-generate-snapshots.hook hook that generates snapper snapshots.

As to your issue, let me just say that it's very likely that Lenovo's UEFI implementation is buggy and there will be nothing you can do - I personally observed this on Dell laptops, and that was why for recovery I bundled a tested UEFI shell implementation.

But try to experiment, I'd start with efibootmgr tool - run $ efibootmgr -v, see that it outputs correct entries, try to swap them and confirm that Lenovo only shows one. Maybe you can also edit UEFI entries from Lenovo UEFI setup (I mean the thing before OS boots), maybe if you edit the list there, two entries will appear? And if yes, if you somehow find a fix, compare the output of efibootmgr -v before and after your fix, will there be any difference, that we could maybe incorporate in this tool?

maximbaz avatar Aug 01 '21 14:08 maximbaz

Thanks for the suggestions. Unfortunately I had to add additional boot entries from the cmdline to be able to choose them from UEFI setup.

    $ efibootmgr -d /dev/nvme0n1p1 -p 1 -c -l "\EFI\arch\secure-boot-linux-recovery.efi" -L "secure-boot-linux-recovery"

Now I wonder how you are booting into the snapshots? What exactly is in recovery.nsh (yes I have it but started wondering if it's generated properly) and what does snapshots.txt look like (just id, date, description)? Asking because if I try to boot them it's just not passing the proper cmdline to the kernel.

EDIT:

Ok - got it. But there is an error in the script. From recovery.nsh:

    else if %2 == "lts" then \EFI\arch\secure-boot-linux-lts-recovery.efi

Actual files in /efi/EFI/arch:

    -rwxr-xr-x 1 root root 1008K Aug 1 22:45 secure-boot-linux-efi-shell.efi
    -rwxr-xr-x 1 root root   39M Aug 1 22:45 secure-boot-linux-recovery-lts.efi
    -rwxr-xr-x 1 root root   44M Aug 1 22:45 secure-boot-linux-recovery.efi
    -rwxr-xr-x 1 root root   23M Aug 1 22:45 secure-boot-linux.efi

as400l avatar Aug 01 '21 20:08 as400l

Great catch, thanks!

As for the boot entries, I have just remembered why recovery entries are not automatically added by the script: because they don't have embedded cmdline.

With secure boot, you generally try to limit what a user can do during boot, and then you sign your decision with a keypair, like confirming "yep, I approve of these actions".

If your cmdline is not embedded in the .efi image, you can modify it during boot, which is useful for recovery purposes (if e.g. embedded cmdline contains a typo, or if you intentionally want a different cmdline in order to boot into a btrfs snapshot). But an attacker could also place some malicious code in \EFI (which remember, is not encrypted), and then use the .efi image without cmdline to effectively load it, or even to load in a very old snapshot which might have an old kernel with known vulnerability.

So that's why the script only adds to the efibootmgr the image with embedded cmdline. At least on my laptop, in order to boot into a different .efi file, I must enter BIOS password, so in theory an attacker must know the BIOS password to do some harm.

This is definitely not a fail-proof approach btw, for example I was able to find a master password for the BIOS of my previous laptop online... So just keep that in mind while planning your threat model 🙂

maximbaz avatar Aug 01 '21 21:08 maximbaz
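The distinction maximbaz draws above (an image with an embedded cmdline is registered automatically, an image without one is recovery-only because anyone who can reach it can supply their own command line) can be checked directly on the files in the ESP: a unified kernel image is a PE/COFF binary whose kernel, initrd and command line live in named sections (`.linux`, `.initrd`, `.cmdline`). The following is an added example, not code from arch-secure-boot, that walks the PE section table of an EFI image and reports whether a `.cmdline` section is present and what it contains. The sample images it builds are constructed fixtures (valid headers only, not bootable); the `classify` verdict names are my own labels.

```python
"""Added example (not part of arch-secure-boot): list the PE/COFF sections
of an EFI image and report whether a kernel command line is embedded.

Unified kernel images built with objcopy carry the kernel, initrd and
cmdline as named PE sections (.linux, .initrd, .cmdline). An image without
a .cmdline section accepts one at boot, which is the recovery-vs-attacker
trade-off discussed in the thread. Sample images below are constructed."""
import struct
import sys

SECTION_HDR = 40  # bytes per IMAGE_SECTION_HEADER


def pe_sections(data: bytes) -> list[tuple[str, int, int]]:
    """Return (name, file_offset, size) for every section in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a PE/COFF image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HDR
        raw_name = data[off:off + 8].split(b"\0", 1)[0]
        size, ptr = struct.unpack_from("<II", data, off + 16)    # SizeOfRawData, PointerToRawData
        sections.append((raw_name.decode("ascii", "replace"), ptr, size))
    return sections


def embedded_cmdline(data: bytes):
    """Return the embedded kernel command line, or None if the image has no .cmdline."""
    for name, ptr, size in pe_sections(data):
        if name == ".cmdline":
            return data[ptr:ptr + size].rstrip(b"\0").decode("utf-8", "replace")
    return None


def classify(images: dict) -> dict:
    """Map image name -> 'register' (cmdline embedded, safe to add to efibootmgr
    automatically) or 'recovery-only' (cmdline chosen at boot time)."""
    return {n: ("register" if embedded_cmdline(d) is not None else "recovery-only")
            for n, d in images.items()}


def build_sample_image(sections: dict) -> bytes:
    """Constructed fixture: a minimal PE/COFF file with the given sections.
    Not bootable; only the headers the walker above needs are filled in."""
    e_lfanew = 0x40
    table = e_lfanew + 4 + 20            # no optional header in this fixture
    data_start = table + SECTION_HDR * len(sections)
    out = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew))
    out += b"PE\0\0"
    out += struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x0002)
    payload = bytearray()
    for name, body in sections.items():
        out += name.encode().ljust(8, b"\0")
        out += struct.pack("<IIII", len(body), 0, len(body), data_start + len(payload))
        out += b"\0" * 16                # relocation/line-number fields and Characteristics
        payload += body
    return bytes(out + payload)


if __name__ == "__main__":
    if len(sys.argv) > 1:                # real files, e.g. /efi/EFI/arch/*.efi
        images = {p: open(p, "rb").read() for p in sys.argv[1:]}
    else:                                # constructed sample images
        images = {
            "secure-boot-linux.efi": build_sample_image({
                ".linux": b"<kernel>", ".initrd": b"<initrd>",
                ".cmdline": b"root=/dev/nvme0n1p2 rw quiet\0"}),
            "secure-boot-linux-recovery.efi": build_sample_image({
                ".linux": b"<kernel>", ".initrd": b"<initrd>"}),
        }
    for name, verdict in classify(images).items():
        print(f"{name}: {verdict}; cmdline={embedded_cmdline(images[name])!r}")
```

Run it as `python3 check_cmdline.py /efi/EFI/arch/*.efi` to audit a real ESP. Finding a `.cmdline` section only tells you what was embedded when the image was built; it says nothing about whether the signature is still valid, so pair it with `sbverify --cert` against your db certificate before trusting the verdict.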

You certainly have made some good points. Unfortunately if I don't add boot entries in my Lenovo UEFI I just can't choose them from UEFI setup.

In the meantime I have come up with a simple solution for those that don't use snapper and manage snapshots themselves. Here is what I've done.

  1. Removed dependency on snapper and snap-pac from PKGBUILD.
  2. Edit /etc/arch-secure-boot/config and add your snapshots dir (in my case just /snapshots):

SUBVOLUME_SNAPSHOT="${SUBVOLUME_SNAPSHOT:-snapshots/%1}"

  3. Removed the pacman hook zzz-arch-secure-boot-generate-snapshots.hook.
  4. Added one section into /usr/bin/arch-secure-boot to automate generating snapshots.txt in /efi:

    generate-snapshots-file)
        # SUBVOLUME_SNAPSHOT is "snapshots/%1"; strip the "/%1" id placeholder
        # as a suffix (tr -d "%1" would delete every '%' and '1' character).
        SNAP_PATH="${SUBVOLUME_SNAPSHOT%/%1}"
        # one "name date" line per snapshot; skip the leading "total N" line
        ls --full-time "/$SNAP_PATH" | awk 'NR > 1 {print $9, $6}' > "$ESP/snapshots.txt"
        ;;

  5. Added two systemd units to monitor the snapshots directory and create a new /efi/snapshots.txt every time a new snapshot is created.

/etc/systemd/system/arch-secure-boot-snap.path:

    [Unit]
    Description=New snapshots monitoring
    DefaultDependencies=no
    Requires=snapshots.mount
    After=snapshots.mount
    BindsTo=snapshots.mount

    [Path]
    PathModified=/snapshots

    [Install]
    WantedBy=snapshots.mount

/etc/systemd/system/arch-secure-boot-snap.service:

    [Unit]
    Description=Create new snapshots.txt file when new snapshot is created

    [Service]
    Type=oneshot
    Environment="PATH=/sbin:/bin:/usr/sbin:/usr/bin"
    ExecStart=bash -c '/usr/bin/arch-secure-boot generate-snapshots-file'

as400l avatar Aug 02 '21 09:08 as400l
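The five-step procedure above boils down to one job: turn the contents of a hand-managed snapshot directory into the `snapshots.txt` that the recovery image reads, and rerun that whenever the directory changes. The following is an added example, not arch-secure-boot's code, that does the file-generation part in Python so the edge cases are explicit: the `/%1` id placeholder in `SUBVOLUME_SNAPSHOT` is stripped as a suffix rather than character-by-character, non-directories in the snapshot folder are ignored, and the file is written atomically so the `.path` unit firing mid-write never leaves a half-written list. The `name date` line layout mirrors the `awk '{print $9,$6}'` output in the comment above and is an assumption, not the project's documented format; the sample snapshot directory is constructed in a temp folder.

```python
"""Added example (not arch-secure-boot's code): build the snapshots.txt file
that the recovery image reads, from a snapshot directory managed by hand.

It mirrors the 'generate-snapshots-file' step in the thread: resolve the
snapshot directory from SUBVOLUME_SNAPSHOT (whose trailing '/%1' is the
snapshot id filled in at boot), then write one 'name date' line per snapshot
subvolume, newest first. The sample directory layout is constructed."""
import datetime
import os
import tempfile


def snapshot_dir_from_template(template: str, root: str = "/") -> str:
    """'snapshots/%1' -> '/snapshots'. Strips the id placeholder as a suffix,
    so snapshot directories containing '%' or '1' are not mangled."""
    base = template[:-3] if template.endswith("/%1") else template
    return os.path.join(root, base)


def list_snapshots(snap_dir: str) -> list[tuple[str, str]]:
    """Return (name, YYYY-MM-DD) for each subdirectory, newest first.
    Files and symlinks are skipped; only directories can be snapshot roots."""
    rows = []
    with os.scandir(snap_dir) as it:
        for entry in it:
            if not entry.is_dir(follow_symlinks=False):
                continue
            mtime = entry.stat(follow_symlinks=False).st_mtime
            day = datetime.datetime.fromtimestamp(mtime, datetime.timezone.utc).date()
            rows.append((entry.name, day.isoformat()))
    rows.sort(key=lambda r: (r[1], r[0]), reverse=True)
    return rows


def write_snapshots_file(snap_dir: str, out_path: str) -> list[tuple[str, str]]:
    """Write snapshots.txt in the 'name date' layout and return the rows written."""
    rows = list_snapshots(snap_dir)
    tmp = out_path + ".tmp"
    with open(tmp, "w") as f:   # write-then-rename so a reader never sees a half file
        f.writelines(f"{name} {day}\n" for name, day in rows)
    os.replace(tmp, out_path)
    return rows


def make_sample_snapshot_dir() -> str:
    """Constructed fixture: two snapshot dirs with fixed mtimes plus a stray file
    (timestamps are 2021-08-01 and 2021-08-02 at 12:00 UTC)."""
    d = tempfile.mkdtemp(prefix="snapshots-")
    for name, ts in (("root-20210801", 1627819200), ("root-20210802", 1627905600)):
        p = os.path.join(d, name)
        os.mkdir(p)
        os.utime(p, (ts, ts))
    open(os.path.join(d, "README"), "w").close()   # must not appear in snapshots.txt
    return d


if __name__ == "__main__":
    snap_dir = make_sample_snapshot_dir()   # in real use: snapshot_dir_from_template(SUBVOLUME_SNAPSHOT)
    esp = tempfile.mkdtemp(prefix="esp-")   # in real use: "$ESP", e.g. /efi
    for name, day in write_snapshots_file(snap_dir, os.path.join(esp, "snapshots.txt")):
        print(name, day)
```

Wired into the `.service` unit above in place of the shell branch, `ExecStart` would call this script with the resolved snapshot directory and `$ESP/snapshots.txt`; the `.path` unit's `PathModified=` trigger stays the same.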

Hijacking this issue to thank you as well, this is amazing work! This is by far the best secure boot setup I've come across.

I hope it lands in community repo one day. Probably not do-one-thing-but-do-it-well enough to reach community repo because of the snapper thing, but I still find it very convenient and it definitely makes sense to me to handle that here.

ShellCode33 avatar Feb 18 '23 14:02 ShellCode33