Securing the Linux boot process
Matthew Garrett
http://lca2018.linux.org.au/schedule/presentation/74/
Linux has had support for UEFI Secure Boot for some time, which helps secure part of the boot process - you can be reasonably sure that nobody's replaced your bootloader or kernel, and that's sufficient to cover a bunch of cases. But for various technical reasons there's still a number of security critical components that are entirely unverified and which can be replaced by an attacker, and that means anyone with access to your system can configure it to steal (say) your hard drive encryption password. That's suboptimal.
There are various solutions to this involving TPMs, but so far they've all involved a lot of manual configuration and run the risk of being locked out of your machine for upgrading your kernel at the wrong time. Surely we can do better?
Unsurprisingly, yes. This presentation will describe some light modifications to the way distributions ship components that will make it possible to ensure that systems boot without running the risk of sensitive credentials being stolen but also without compromising the flexibility of the existing Linux boot process.
This talk was given at Linux.conf.au 2018 (LCA2018) which was held on 22-26 January 2018 in Sydney Australia.
linux.conf.au is a conference about the Linux operating system, and all aspects of the thriving ecosystem of Free and Open Source Software that has grown up around it. Run since 1999, in a different Australian or New Zealand city each year, by a team of local volunteers, LCA invites more than 500 people to learn from the people who shape the future of Open Source. For more information on the conference see https://linux.conf.au/
#linux.conf.au #linux #foss #opensource
Видео Securing the Linux boot process канала LinuxConfAu 2018 - Sydney, Australia
http://lca2018.linux.org.au/schedule/presentation/74/
Linux has had support for UEFI Secure Boot for some time, which helps secure part of the boot process - you can be reasonably sure that nobody's replaced your bootloader or kernel, and that's sufficient to cover a bunch of cases. But for various technical reasons there's still a number of security critical components that are entirely unverified and which can be replaced by an attacker, and that means anyone with access to your system can configure it to steal (say) your hard drive encryption password. That's suboptimal.
There are various solutions to this involving TPMs, but so far they've all involved a lot of manual configuration and run the risk of being locked out of your machine for upgrading your kernel at the wrong time. Surely we can do better?
Unsurprisingly, yes. This presentation will describe some light modifications to the way distributions ship components that will make it possible to ensure that systems boot without running the risk of sensitive credentials being stolen but also without compromising the flexibility of the existing Linux boot process.
This talk was given at Linux.conf.au 2018 (LCA2018) which was held on 22-26 January 2018 in Sydney Australia.
linux.conf.au is a conference about the Linux operating system, and all aspects of the thriving ecosystem of Free and Open Source Software that has grown up around it. Run since 1999, in a different Australian or New Zealand city each year, by a team of local volunteers, LCA invites more than 500 people to learn from the people who shape the future of Open Source. For more information on the conference see https://linux.conf.au/
#linux.conf.au #linux #foss #opensource
Видео Securing the Linux boot process канала LinuxConfAu 2018 - Sydney, Australia
Показать
Комментарии отсутствуют
Информация о видео
25 января 2018 г. 5:22:08
00:45:42
Другие видео канала
Understanding the Linux Boot Process - CompTIA Linux+, LPIC-1IPMI - because ACPI and UEFI weren't terrifying enoughGetting conned into writing IoTuz/ESP32 drivers and example codeSecure Boot for Small MicrocontrollersHardening Access to Your Server | Linux Security TutorialRemote Work: My first decade working from the far end of the earthMass Production: Open-source Testing in ManufacturingSecure Boot with ATECC608ASetting up the YubiKey on Ubuntu (Desktop and Server)UEFI Linux Secure Boot Kernel Signing and Verification demoConfiguring a Custom Linux Kernel (5.6.7-gentoo)UEFI Boot for Mere MortalsHow To Use Linux LUKS Full Disk Encryption For Internal / External / Boot DrivesReverse engineering vendor firmware drivers for little fun and no profit [linux.conf.au 2014]Linux Booting Process Steps - RHEL 8Linux: the first secondTrusted Platform Module (TPM): ExplainedSecure Boot from A to Z - Quentin Schulz & Mylène Josserand, Bootlin (formerly Free Electrons)Embedded Linux Booting Process (Multi-Stage Bootloaders, Kernel, Filesystem)Firmware security, why it matters and how you can have it