Measured boot should pass security test #8279
Replies: 2 comments 5 replies
-
And what is the root of that chain? Is it immutable, or can that root be rewritten, which in turn makes the whole chain invalid?
-
FWIW I think that what we're messaging in fwupd + gnome control center is a little bit disingenuous to the great strides that have been made here with this firmware stack. Even if the root of trust doesn't go down to the hardware with BootGuard, I think we should still look at this as an onion, i.e. have an indication that other components have been signed as an alternative to the UEFI ecosystem (secure boot). IMO this is what we do with some other security attributes: still present the information if we have it, even if "lower level" security can't be asserted.
-
I am using a laptop with Dasharo (coreboot+Heads) and Ubuntu 24.04, and I ran into an interesting problem.
Ubuntu has a Settings centre, where you can select the Privacy & Security tab and it will show you information about your device security. Basically, this is just the `gnome-control-center` app, which is showing data provided by `fwupd`.

So my Ubuntu found out that I am not using Secure Boot, issued a warning that Intel BootGuard is not enabled and concluded that my hardware does not pass security checks.

Now, this is just wrong. I mean, yes, I am not using Secure Boot, but I am using measured boot, which is way better, because Dasharo (coreboot+Heads) firmware (please see: https://docs.dasharo.com/) ensures the system's firmware and boot integrity at all stages: from the SPI (BIOS) firmware itself to all of the important boot files in the /boot directory, including the disk encryption setup files, the kernel, the initrd file and the GRUB configuration. This means I have an attestation of the entire boot process.

So in contrast to Secure Boot, I have a chain of trust from the beginning of the boot process till the end, and everything is signed with my keys, stored on an HSM device (Nitrokey USB key). But Ubuntu is still saying that my hardware is not secure.

I reported a bug to Ubuntu and to GNOME, but they closed it, because they are just showing the data provided by `fwupd`.

So my question is: can you check for measured boot technology as well (and pass the hardware security test in that case)?
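As an added example (not code from the original post, from fwupd or from Dasharo), this is the mechanism behind the "attestation of the entire boot process" the post relies on, and the shape a measured-boot check would have to take. A TPM never lets firmware write a PCR, only extend it (new = SHA-256(old || digest)), so a verifier that knows which boot components it expects can replay their digests and compare the result with the PCR the TPM reports; a changed, missing, added or reordered component gives a different value, and a PCR still at its reset value was never measured into at all. The boot component names below are constructed stand-ins, not real firmware measurements; the sysfs path is the SHA-256 PCR bank the Linux TPM driver exposes (kernel 5.12 and later) and is only read when present.

```python
"""Replay a measured-boot event log into a TPM PCR and verify it.

Added example, not code from fwupd, Dasharo or the poster. The boot
components below are constructed placeholders, not real measurements.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Optional

PCR_BYTES = 32                      # SHA-256 bank
PCR_INITIAL = b"\x00" * PCR_BYTES   # PCRs 0-15 are reset to all zeros at boot


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for the SHA-256 bank: PCR_new = SHA256(PCR_old || digest).

    A PCR can only be extended, never set, so its final value commits to
    every measurement that was made and to the order they arrived in.
    """
    if len(pcr) != PCR_BYTES or len(digest) != PCR_BYTES:
        raise ValueError("SHA-256 bank expects a 32-byte PCR and a 32-byte digest")
    return hashlib.sha256(pcr + digest).digest()


def replay(digests: Iterable[bytes]) -> bytes:
    """Recompute the PCR value a given sequence of measurements produces."""
    pcr = PCR_INITIAL
    for digest in digests:
        pcr = extend(pcr, digest)
    return pcr


def measure(component: bytes) -> bytes:
    """Digest of one boot component, i.e. what firmware extends into the PCR."""
    return hashlib.sha256(component).digest()


def verify_pcr(expected_components: Iterable[bytes], reported_pcr: bytes) -> bool:
    """A verifier (local or remote) replays the measurements it expects and
    compares them with the PCR the TPM reported. Any changed, missing, added
    or reordered component changes the replayed value."""
    return replay(measure(c) for c in expected_components) == reported_pcr


def unextended_pcrs(pcrs: Dict[int, bytes]) -> List[int]:
    """PCRs 0-7 still at their reset value were never measured into.

    On a machine that claims measured boot, this list should be empty."""
    return sorted(i for i, v in pcrs.items() if i <= 7 and v == PCR_INITIAL)


def read_sysfs_pcrs(bank_dir: str = "/sys/class/tpm/tpm0/pcr-sha256") -> Optional[Dict[int, bytes]]:
    """Read the SHA-256 PCR bank the Linux TPM driver exposes (kernel 5.12+).

    Returns None when no TPM sysfs bank is present, so the example also runs
    on a machine without a TPM."""
    if not os.path.isdir(bank_dir):
        return None
    pcrs = {}
    for name in os.listdir(bank_dir):
        with open(os.path.join(bank_dir, name)) as fh:
            pcrs[int(name)] = bytes.fromhex(fh.read().strip())
    return pcrs


# Constructed stand-ins for the objects firmware measures on the way up:
# real measurements are hashes of firmware volumes, GRUB config, kernel, initrd.
GOOD_CHAIN = [b"coreboot-rom", b"grub.cfg", b"vmlinuz", b"initrd.img", b"luks-header"]
GOOD_PCR = replay(measure(c) for c in GOOD_CHAIN)   # what the TPM would hold


if __name__ == "__main__":
    print("good chain verifies:", verify_pcr(GOOD_CHAIN, GOOD_PCR))
    swapped_initrd = GOOD_CHAIN[:3] + [b"evil-initrd"] + GOOD_CHAIN[4:]
    print("tampered initrd verifies:", verify_pcr(swapped_initrd, GOOD_PCR))
    live = read_sysfs_pcrs()
    if live is None:
        print("no TPM sysfs bank on this host")
    else:
        print("PCRs 0-7 never extended:", unextended_pcrs(live))
```

The replay is the part a remote attestation server performs against a TPM quote; the sysfs read is the cheap local signal (a non-zero PCR 0-7 bank) that something did measure the boot chain, without saying anything about whether the firmware at the bottom of that chain was itself protected, which is the question the first reply above raises.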