[bug #56423] module verification falls through to tpm, which approves it
From: Benjamin Doron
Subject: [bug #56423] module verification falls through to tpm, which approves it automatically
Date: Fri, 31 May 2019 02:48:35 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
URL:
<https://savannah.gnu.org/bugs/?56423>
Summary: module verification falls through to tpm, which
approves it automatically
Project: GNU GRUB
Submitted by: benjamind
Submitted on: Fri 31 May 2019 06:48:33 AM UTC
Category: Security
Severity: Major
Priority: 5 - Normal
Item Group: Software Error
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release:
Release: other
Reproducibility: Every Time
Planned Release: None
_______________________________________________________
Details:
Configuration: grub 2.04-rc1, built with gcc 9.1.1 and binutils 2.31.1 on
Fedora 30 and configured with "./configure --with-platform=efi
--disable-werror". After running "make", built an image with "export
GRUB_MODULES=$(cat mods); ./grub-mkimage -O x86_64-efi -o grubx64.efi -p
/EFI/fedora -d grub-core $GRUB_MODULES" and then signed grubx64.efi with
pesign using a certificate enrolled in MOK (because secure boot is enabled,
but this bug applies regardless). Then, copied the rest of the modules into
the ESP with "mkdir /boot/efi/EFI/fedora/x86_64-efi; cp grub-core/*.mod
/boot/efi/EFI/fedora/x86_64-efi/" and signed them, mostly following the steps
in
https://www.gnu.org/software/grub/manual/grub/html_node/Using-digital-signatures.html.
According to what I've read in the documentation for 2.04 (on git), inserting
a module should now first check it for a valid pgp signature (where
previously, distros disabled "insmod" entirely and grub would "insmod"
regardless, having no concept of secure boot). However, I've observed that
modules do get inserted, even without having detached signatures, so long as
the tpm module is loaded. This is true on a VM with no TPM and a laptop with
one. (With the tpm module loaded, try loading a module. It will succeed. Then
"rmmod tpm" and try loading another. It fails with the error, "verification
requested but nobody cares: <path to module>".)
My bet is that the pgp module isn't verifying modules for some reason and that
it's falling through to the tpm module, which measures (in some cases,
'measures') and okays them.
I consider the following to be bugs:
1. pgp module isn't verifying modules that we attempt to insert
2. tpm module is allowed to verify modules. The tpm can only measure. What if
the module is malicious?
3. tpm module operates on a system without a tpm?
The following should also be considered (but I understand that I can't expect
it to be done if I can't do it myself): If modules are meant to be verified
against keys, a malicious user could trust another public key and then insert
their module. Perhaps (on secure boot only, maybe?) modules should only be
allowed to be inserted if signed by a particular key that's provided either
with the source code at "make" time or to "grub2-mkimage" at build time to be
included in the image.
Perhaps I'm misunderstanding where the pgp signatures should be (as .sigs with
the .mods, no?) and that's why pgp isn't verifying them, but I see no
indication why that would be the case.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Fri 31 May 2019 06:48:33 AM UTC Name: mods Size: 468B By: benjamind
The modules included at build time. I placed it with the source code
<http://savannah.gnu.org/bugs/download.php?file_id=47006>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?56423>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
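
The fall-through the reporter suspects, as an added example that is not part of the original report and is not GRUB's code: a simplified model of a verifier chain (all names hypothetical) in which a measurement-only verifier can stand in for an authenticating one, next to a fail-closed variant where only a signature check can permit the load.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model with hypothetical names; this is not GRUB's verifier code. */
enum verdict { SKIP, MEASURED, AUTHENTICATED, REJECTED };
typedef enum verdict (*verifier_fn)(int sig_ok);
/* Signature checker that is not enforcing: declines every file. */
static enum verdict sig_idle(int sig_ok) { (void)sig_ok; return SKIP; }
/* Signature checker that enforces: valid detached signature or rejection. */
static enum verdict sig_enforce(int sig_ok) { return sig_ok ? AUTHENTICATED : REJECTED; }
/* Measurement-only verifier: records a hash, passes no judgement on the file. */
static enum verdict measure_only(int sig_ok) { (void)sig_ok; return MEASURED; }

/* Fail-open: the first verifier that does not skip settles the outcome. */
static int open_fail_open(verifier_fn *chain, size_t n, int sig_ok)
{
    for (size_t i = 0; i < n; i++) {
        enum verdict v = chain[i](sig_ok);
        if (v == REJECTED) return 0;
        if (v != SKIP) return 1;   /* MEASURED is accepted like AUTHENTICATED */
    }
    return 0;                      /* nobody claimed the file: refuse */
}

/* Fail-closed: all verifiers run, and only AUTHENTICATED permits the load. */
static int open_fail_closed(verifier_fn *chain, size_t n, int sig_ok)
{
    int authenticated = 0;
    for (size_t i = 0; i < n; i++) {
        enum verdict v = chain[i](sig_ok);
        if (v == REJECTED) return 0;
        if (v == AUTHENTICATED) authenticated = 1;
    }
    return authenticated;
}

/* Returns 1 if a module would load in the given scenario, 0 if refused. */
int module_loads(int hardened, int enforcing, int tpm_loaded, int sig_ok)
{
    verifier_fn chain[2];
    size_t n = 0;
    chain[n++] = enforcing ? sig_enforce : sig_idle;
    if (tpm_loaded) chain[n++] = measure_only;
    return (hardened ? open_fail_closed : open_fail_open)(chain, n, sig_ok);
}
int main(void)
{
    printf("unsigned module, tpm loaded: fail-open=%d fail-closed=%d\n",
           module_loads(0, 0, 1, 0), module_loads(1, 0, 1, 0));
    return 0;
}
```

In the fail-open model an unsigned module loads only while the measurement verifier is in the chain, which matches the behaviour reported before and after "rmmod tpm".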