![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
mjg59Short version: Secure Boot Advanced Targeting and if that's enough for you you can skip the rest you're welcome.
Long version: When UEFI Secure Boot was specified, everyone involved was, well, a touch naive. The basic security model of Secure Boot is that all the code that ends up running in a kernel-level privileged environment should be validated before execution - the firmware verifies the bootloader, the bootloader verifies the kernel, the kernel verifies any additional runtime loaded kernel code, and now we have a trusted environment to impose any other security policy we want. Obviously people might screw up, but the spec included a way to revoke any signed components that turned out not to be trustworthy: simply add the hash of the untrustworthy code to a variable, and then refuse to load anything with that hash even if it's signed with a trusted key.
Unfortunately, as it turns out, scale. Every Linux distribution that works in the Secure Boot ecosystem generates their own bootloader binaries, and each of them has a different hash. If there's a vulnerability identified in the source code for said bootloader, there's a large number of different binaries that need to be revoked. And, well, the storage available to store the variable containing all these hashes is limited. There's simply not enough space to add a new set of hashes every time it turns out that grub (a bootloader initially written for a simpler time when there was no boot security and which has several separate image parsers and also a font parser and look you know where this is going) has another mechanism for a hostile actor to cause it to execute arbitrary code, so another solution was needed.
And that solution is SBAT. The general concept behind SBAT is pretty straightforward. Every important component in the boot chain declares a security generation that's incorporated into the signed binary. When a vulnerability is identified and fixed, that generation is incremented. An update can then be pushed that defines a minimum generation - boot components will look at the next item in the chain, compare its name and generation number to the ones stored in a firmware variable, and decide whether or not to execute it based on that. Instead of having to revoke a large number of individual hashes, it becomes possible to push one update that simply says "Any version of grub with a security generation below this number is considered untrustworthy".
So why is this suddenly relevant? SBAT was developed collaboratively between the Linux community and Microsoft, and Microsoft chose to push a Windows update that told systems not to trust versions of grub with a security generation below a certain level. This was because those versions of grub had genuine security vulnerabilities that would allow an attacker to compromise the Windows secure boot chain, and we've seen real world examples of malware wanting to do that (Black Lotus did so using a vulnerability in the Windows bootloader, but a vulnerability in grub would be just as viable for this). Viewed purely from a security perspective, this was a legitimate thing to want to do.
(An aside: the "Something has gone seriously wrong" message that's associated with people having a bad time as a result of this update? That's a message from shim, not any Microsoft code. Shim pays attention to SBAT updates in order to avoid violating the security assumptions made by other bootloaders on the system, so even though it was Microsoft that pushed the SBAT update, it's the Linux bootloader that refuses to run old versions of grub as a result. This is absolutely working as intended)
The problem we've ended up in is that several Linux distributions had not shipped versions of grub with a newer security generation, and so those versions of grub are assumed to be insecure (it's worth noting that grub is signed by individual distributions, not Microsoft, so there's no externally introduced lag here). Microsoft's stated intention was that Windows Update would only apply the SBAT update to systems that were Windows-only, and any dual-boot setups would instead be left vulnerable to attack until the installed distro updated its grub and shipped an SBAT update itself. Unfortunately, as is now obvious, that didn't work as intended and at least some dual-boot setups applied the update and that distribution's Shim refused to boot that distribution's grub.
What's the summary? Microsoft (understandably) didn't want it to be possible to attack Windows by using a vulnerable version of grub that could be tricked into executing arbitrary code and then introduce a bootkit into the Windows kernel during boot. Microsoft did this by pushing a Windows Update that updated the SBAT variable to indicate that known-vulnerable versions of grub shouldn't be allowed to boot on those systems. The distribution-provided Shim first-stage bootloader read this variable, read the SBAT section from the installed copy of grub, realised these conflicted, and refused to boot grub with the "Something has gone seriously wrong" message. This update was not supposed to apply to dual-boot systems, but did anyway. Basically:
1) Microsoft applied an update to systems where that update shouldn't have been applied
2) Some Linux distros failed to update their grub code and SBAT security generation when exploitable security vulnerabilities were identified in grub
The outcome is that some people can't boot their systems. I think there's plenty of blame here. Microsoft should have done more testing to ensure that dual-boot setups could be identified accurately. But also distributions shipping signed bootloaders should make sure that they're updating those and updating the security generation to match, because otherwise they're shipping a vector that can be used to attack other operating systems and that's kind of a violation of the social contract around all of this.
It's unfortunate that the victims here are largely end users faced with a system that suddenly refuses to boot the OS they want to boot. That should never happen. I don't think asking arbitrary end users whether they want secure boot updates is likely to result in good outcomes, and while I vaguely tend towards UEFI Secure Boot not being something that benefits most end users it's also a thing you really don't want to discover you want after the fact so I have sympathy for it being default on, so I do sympathise with Microsoft's choices here, other than the failed attempt to avoid the update on dual boot systems.
Anyway. I was extremely involved in the implementation of this for Linux back in 2012 and wrote the first prototype of Shim (which is now a massively better bootloader maintained by a wider set of people and that I haven't touched in years), so if you want to blame an individual please do feel free to blame me. This is something that shouldn't have happened, and unless you're either Microsoft or a Linux distribution it's not your fault. I'm sorry.
Long version: When UEFI Secure Boot was specified, everyone involved was, well, a touch naive. The basic security model of Secure Boot is that all the code that ends up running in a kernel-level privileged environment should be validated before execution - the firmware verifies the bootloader, the bootloader verifies the kernel, the kernel verifies any additional runtime loaded kernel code, and now we have a trusted environment to impose any other security policy we want. Obviously people might screw up, but the spec included a way to revoke any signed components that turned out not to be trustworthy: simply add the hash of the untrustworthy code to a variable, and then refuse to load anything with that hash even if it's signed with a trusted key.
Unfortunately, as it turns out, scale. Every Linux distribution that works in the Secure Boot ecosystem generates their own bootloader binaries, and each of them has a different hash. If there's a vulnerability identified in the source code for said bootloader, there's a large number of different binaries that need to be revoked. And, well, the storage available to store the variable containing all these hashes is limited. There's simply not enough space to add a new set of hashes every time it turns out that grub (a bootloader initially written for a simpler time when there was no boot security and which has several separate image parsers and also a font parser and look you know where this is going) has another mechanism for a hostile actor to cause it to execute arbitrary code, so another solution was needed.
And that solution is SBAT. The general concept behind SBAT is pretty straightforward. Every important component in the boot chain declares a security generation that's incorporated into the signed binary. When a vulnerability is identified and fixed, that generation is incremented. An update can then be pushed that defines a minimum generation - boot components will look at the next item in the chain, compare its name and generation number to the ones stored in a firmware variable, and decide whether or not to execute it based on that. Instead of having to revoke a large number of individual hashes, it becomes possible to push one update that simply says "Any version of grub with a security generation below this number is considered untrustworthy".
So why is this suddenly relevant? SBAT was developed collaboratively between the Linux community and Microsoft, and Microsoft chose to push a Windows update that told systems not to trust versions of grub with a security generation below a certain level. This was because those versions of grub had genuine security vulnerabilities that would allow an attacker to compromise the Windows secure boot chain, and we've seen real world examples of malware wanting to do that (Black Lotus did so using a vulnerability in the Windows bootloader, but a vulnerability in grub would be just as viable for this). Viewed purely from a security perspective, this was a legitimate thing to want to do.
(An aside: the "Something has gone seriously wrong" message that's associated with people having a bad time as a result of this update? That's a message from shim, not any Microsoft code. Shim pays attention to SBAT updates in order to avoid violating the security assumptions made by other bootloaders on the system, so even though it was Microsoft that pushed the SBAT update, it's the Linux bootloader that refuses to run old versions of grub as a result. This is absolutely working as intended)
The problem we've ended up in is that several Linux distributions had not shipped versions of grub with a newer security generation, and so those versions of grub are assumed to be insecure (it's worth noting that grub is signed by individual distributions, not Microsoft, so there's no externally introduced lag here). Microsoft's stated intention was that Windows Update would only apply the SBAT update to systems that were Windows-only, and any dual-boot setups would instead be left vulnerable to attack until the installed distro updated its grub and shipped an SBAT update itself. Unfortunately, as is now obvious, that didn't work as intended and at least some dual-boot setups applied the update and that distribution's Shim refused to boot that distribution's grub.
What's the summary? Microsoft (understandably) didn't want it to be possible to attack Windows by using a vulnerable version of grub that could be tricked into executing arbitrary code and then introduce a bootkit into the Windows kernel during boot. Microsoft did this by pushing a Windows Update that updated the SBAT variable to indicate that known-vulnerable versions of grub shouldn't be allowed to boot on those systems. The distribution-provided Shim first-stage bootloader read this variable, read the SBAT section from the installed copy of grub, realised these conflicted, and refused to boot grub with the "Something has gone seriously wrong" message. This update was not supposed to apply to dual-boot systems, but did anyway. Basically:
1) Microsoft applied an update to systems where that update shouldn't have been applied
2) Some Linux distros failed to update their grub code and SBAT security generation when exploitable security vulnerabilities were identified in grub
The outcome is that some people can't boot their systems. I think there's plenty of blame here. Microsoft should have done more testing to ensure that dual-boot setups could be identified accurately. But also distributions shipping signed bootloaders should make sure that they're updating those and updating the security generation to match, because otherwise they're shipping a vector that can be used to attack other operating systems and that's kind of a violation of the social contract around all of this.
It's unfortunate that the victims here are largely end users faced with a system that suddenly refuses to boot the OS they want to boot. That should never happen. I don't think asking arbitrary end users whether they want secure boot updates is likely to result in good outcomes, and while I vaguely tend towards UEFI Secure Boot not being something that benefits most end users it's also a thing you really don't want to discover you want after the fact so I have sympathy for it being default on, so I do sympathise with Microsoft's choices here, other than the failed attempt to avoid the update on dual boot systems.
Anyway. I was extremely involved in the implementation of this for Linux back in 2012 and wrote the first prototype of Shim (which is now a massively better bootloader maintained by a wider set of people and that I haven't touched in years), so if you want to blame an individual please do feel free to blame me. This is something that shouldn't have happened, and unless you're either Microsoft or a Linux distribution it's not your fault. I'm sorry.
no subject
Date: 2024-08-22 10:05 am (UTC)no subject
Date: 2024-08-22 11:22 am (UTC)Update 1: Change SBAT policy to "warn". Then ask the user to press a key to continue if the security generation isn't matching the policy. This allows users to continue using their software and report this to the vendor and update etc.
Update 2: Change SBAT policy to "enforce".
And instead of having SBAT define a single minimal security generation it could have two levels, one for warning and one for enforcing.
no subject
Date: 2024-08-22 12:47 pm (UTC)no subject
Date: 2024-08-22 01:46 pm (UTC)I think that at the "Update 1" (warning, "press a key to continue at your own risk") level the message should mention a future date certain (the "Update 2" date), upon which the system won't boot unless it has been updated. That makes punishing them by rendering their computer unbootable, on that date, less unreasonable than doing it with no warning.
Dave
no subject
Date: 2024-08-22 01:50 pm (UTC)Dave
no subject
Date: 2024-08-22 02:40 pm (UTC)If your machine becomes part of a botnet that is used to infect or spam others because you couldn't be bothered to update, are you going to pay the millions in damages?
This is what happened with Windows XP. People had too many choices. Nobody was forced to run Windows Update or install service packs. I was inundated with customer computers for virus removal.
Like it or not, forced updates and security are to protect us from you.
no subject
Date: 2024-08-22 03:14 pm (UTC)grammar police!
Date: 2024-08-23 12:36 am (UTC)should be:
Freedom is all well AND good until your freedom effects others.
Re: grammar police!
Date: 2024-08-23 07:12 am (UTC)no subject
Date: 2024-08-22 02:41 pm (UTC)no subject
Date: 2024-08-24 05:54 am (UTC)if the user has it enabled, the OS should assume they want it to work as intended.
was there a better way to do this? absolutely, without question. but to suggest that this situation should not cause a failure to boot is not the answer here. (that was a double negative. to rephrase: this particular combination of circumstances _absolutely should_ cause a no-boot situation.)
no subject
Date: 2024-08-22 04:03 pm (UTC)no subject
Date: 2024-08-25 04:00 am (UTC)Yes: but now it's their fault, not yours. Huge difference.
no subject
Date: 2024-08-22 12:35 pm (UTC)How to trigger something like this deliberately?
Date: 2024-08-22 01:10 pm (UTC)> All shims, including future versions, should be treated as malware and should not be allowed to boot.
In other words, what to write in SBAT, how to sign?
Installer
Date: 2024-08-22 02:02 pm (UTC)Re: Installer
Date: 2024-08-22 04:09 pm (UTC)Old Linux install media no longer works with Secure Boot enabled and updated, most distros have new media though. Windows is complicated because MS has been going through a particularly long journey to fix their issues and isn't really there yet (documented in KB5025885); they're revoking their old certificate authority entirely through an opt-in process, and you can have install media that either works on most current "CA 2011" systems or you can have install media that works on updated "CA 2023" systems, but not both at once. Absolutely dreading the upcoming wave of online tech support when the opt-ins become default...
Re: Installer
Date: 2024-08-23 07:50 pm (UTC)Shims are a sham
Date: 2024-08-23 09:05 am (UTC)If you need Wince so bad use a separate machine and SMD / samba /email /ftp /usb disk files from one to another. PC hardware is cheap. My 10 year old $125 used Dell performs better than my Wife's 1 year old Win11 machine. Why cripple yourself with Dual boot?
no subject
Date: 2024-08-23 09:28 am (UTC)Why is it up to Microsoft to take care of MY computer's security?
Date: 2024-08-23 12:39 pm (UTC)And if anyone thinks this improves security, then they mean that a computer without windows is insecure since it will not receive such hardware updates, which is totally ridiculous of course!
Last, what does it take to distribute such updates which declare all existing versions as untrustworthy so that all UEFI-based computers in the world are left unbootable ?
Re: Why is it up to Microsoft to take care of MY computer's security?
Date: 2024-08-23 05:02 pm (UTC)Re: Why is it up to Microsoft to take care of MY computer's security?
Date: 2024-08-24 12:57 pm (UTC)With:
"Microsoft did this by pushing a Windows Update that updated the SBAT variable to indicate that known-vulnerable versions of grub shouldn't be allowed to boot on those systems."
And: "Linux updates are also capable of rendering Windows unbootable"
Does that also means that malware (with kernel access) is capable of increasing the SBAT variable as well and brick the computer if UEFI secure boot cannot be deactivated, or at least force users to deactivate UEFI secure boot? Or is that request signed somehow? If so who can sign it? And ideally who do you think should do that update? The boot firmware vendor?
As I understand, another issue here is the problem of running untrusted applications combined with drivers / OS components with bad code quality.
That tend to be more the case on Windows (or Android) as users are expected to download and run applications from whatever place. And then this untrusted code can exploit bugs inside the OS that weren't fixed (for instance by combining together lower priority bugs that weren't fixed because that costs money (or because users can't update in the case of Android)).
And so in a case like that it makes sense to try to mitigate the issue by using more trusted components with a smaller attack surface to secure the rest of the computer (such as HVCI, the Management Engine, etc) and so as I understand in this context secure boot makes perfect sense.
This issue is also present on GNU/Linux in a lesser extent: if users also run untrusted applications and use OS components with known security issues (like Xorg) or bad drivers (like out of tree drivers for WiFi, GPU, etc) then the untrusted software can try to do privilege escalation and compromise the computer in the most permanent way possible.
The untrusted software could be random software downloaded from the Internet, or even software provided directly by the author that manages to escape a sanbox somehow (it could be JavaScript, appimage/docker/etc) as the only difficult part would be to find a sandbox escape vulnerability.
So the problem here is if users run GNU/Linux without untrusted applications, then we have 2 completely different security models on the same computer, and without Windows and untrusted applications in GNU/Linux, secure boot might make less sense if the user threat model doesn't need that extra protection.
Denis.
Re: Why is it up to Microsoft to take care of MY computer's security?
Date: 2024-08-24 01:04 pm (UTC)For legacy boot, there's even less of a chance, as the boot partition for systemd/Linux and windows are always separate.
Updating GNU GRUB without running grub-mkconfig+os-prober may result in windows not being listed as a boot option, but unless you've cut down the grub modules to only render systemd/Linux bootable, manually chainloading the windows bootloader from the grub shell will still be possible.
Re: Why is it up to Microsoft to take care of MY computer's security?
Date: 2024-08-24 06:59 pm (UTC)Re: Why is it up to Microsoft to take care of MY computer's security?
Date: 2024-08-25 09:28 am (UTC)The only relevant code I can find is; include/linux/efi.h block/partitions/efi.h and drivers/firmware/efi/* which contains functions for interfacing with EFI and mounting the EFI partition, but those drivers don't seem to make changes until the EFI partition is mounted, or a command is made via the /sys/firmware/efi/efivars/ interface.
systemd of course does interface with EFI; https://systemd.io/BOOT_LOADER_INTERFACE/
According to this wiki page from Arch systemd/Linux; https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot to make changes to the dbx, you can either use "sbsigntools" or efitools (both of which depend on gnu-efi - which isn't a GNU package, but claims to be "using the GNU toolchain").
As for SBAT, I couldn't find any software or scripts for the updating of such, only instructions for using GNU objcopy to add a SBAT to software that is to be installed into the EFI partition; https://github.com/rhboot/shim/blob/main/SBAT.md?raw=true
As far as I can tell, there is an absence of scripts that will actually touch anything EFI in relation to windows (although there is a script in windows that will render old versions of GNU GRUB unbootable that usually gets automatically executed) - so to render windows unbootable via such programs would require the user to choose to input carefully crafted commands - really the user would be better off firing up gparted and deleting any partitions containing malware, same as any malware .efi files in the EFI partition - allowing them to enjoy extra storage space on the systemd OS.
Re: Why is it up to Microsoft to take care of MY computer's security?
Date: 2024-08-25 03:53 pm (UTC)Re: Why is it up to Microsoft to take care of MY computer's security?
Date: 2024-08-27 09:47 pm (UTC)In terms of the inverse, I believe Microsoft writes changes to the SBAT using two registry values located here: HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT
UpdateStatus presumably controls if the variable has been changed yet and SbatLevel contains the raw data to be written.
The one which contains the payload is SbatLevel and I'm guessing that writing something like the following would make it so that shim will always refuse to boot:
sbat,94,2036060100
shim,95
grub,93
grub.debian,92
I must commend both Microsoft and the community which worked on SBAT (and which probably inspired MS to implement SVN) as both SVN and SBAT are reasonable compromises to bring the chain of trust for Windows and Linux slightly closer to what Apple has done with their more recent security enhancements. It's not perfect but it does very much raise the bar without compromising on our freedom to tinker.
Thanks for explaining this
Date: 2024-08-23 02:22 pm (UTC)Re: Thanks for explaining this
Date: 2024-08-23 10:23 pm (UTC)Ubuntu 24.04 contains a 15.8 shim. Whereas the rules revoke 15.7 and below.
no subject
Date: 2024-08-24 06:48 pm (UTC)Ah, I wonder if this is why one PC of mine suddenly started to stop booting recently.
no subject
Date: 2024-08-25 02:46 am (UTC)